[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues

Mauro Carvalho Chehab mchehab+samsung at kernel.org
Sun Sep 9 12:18:18 UTC 2018


Em Sat, 8 Sep 2018 15:33:22 -0700
Andy Lutomirski <luto at kernel.org> escreveu:

> On Sat, Sep 8, 2018 at 2:24 PM, James Bottomley
> <James.Bottomley at hansenpartnership.com> wrote:
> > On Sat, 2018-09-08 at 12:49 -0700, Linus Torvalds wrote:  
> >> On Sat, Sep 8, 2018, 08:54 James Bottomley <  
> >> James.Bottomley at hansenpartnership.com> wrote:  
> >>  
> >> >
> >> > OK, let me make it more specific: there exists no individual
> >> > contributing to open source in a leadership capacity for whom a
> >> > signable NDA cannot be crafted.
> >> >  
> >>
> >> No.
> >>
> >> I don't sign NDA's. I just don't do it.
> >>
> >> It's that simple.  
> >
> > But that's your choice; it's not because legally you can't.
> >  
> >> It's actually worked pretty well. It started because I worked for a
> >> direct competitor to Intel, and couldn't sign an NDA for the really
> >> old f0 0f lockup issue.
> >>
> >> Not having an NDA back then turned out to be a good thing, because it
> >> made it a non-issue when leaks happened. So I started the policy that
> >> I never want to be in the position that I had to worry legally about
> >> being in the position of being under an NDA and knowing things
> >> outside of the leaks.
> >>
> >> Instead, I've had a gentleman's agreement with companies - nothing
> >> legally binding, but over the years people have come to realize that
> >> the leaks don't come from me.
> >>
> >> So I don't do NDA's. Maybe some Linux Foundation NDA agreement
> >> technically covers me, but at least with the Intel cases, Intel is
> >> actually aware of my non-NDA situation and is fine with it.  
> >
> > I'm fine with all of this as an argument.  If we believe that signing
> > NDAs would eventually lead to worse disasters because agreeing to them
> > now means corporations never change and never take our views into
> > account, then we should have the debate and make the decision for sound
> > policy reasons not because there's some spurious legal bar.
> >  
> 
> My NDA is through my company.  I would *love* to cancel it and set up
> a replacement arrangement through LF or a similar entity, or to just
> not replace it at all.  My company is not equipped for the kind of
> wrangling that would have helped during Meltdown and a couple of other
> situations, whereas anything reasonable set up for the purpose would
> work much better.

I guess this is the situation for most of us. My contract has an
NDA covering my work, so I'm legally bound to whatever NDA my
employer has with some other companies. I'm almost certain that
none of those were designed to cover Open Source.

So, I'm pretty sure that, if I had to deal with an embargoed
security issue that would require an NDA to get access to details,
I would need to spend a lot of time and effort talking with the
legal department to explain the needs and discuss a set of
clauses that would work for both sides (which won't be trivial,
as they don't usually deal with open source).

There's also a language barrier: some lawyers expect NDAs to be
in the country's official language in order for them to have
legal value in that country.

All that process can take weeks to happen, as it would likely
involve discussions between several parties. During that period of
time, I likely won't be able to access the data relevant to solving
the embargoed issue.

So, as much as I would prefer to live in a world that would
work without any NDAs (and in a first-world country), reality
takes place. Having something prepared beforehand would
significantly improve the process.

Granted, it is unlikely that I would have to deal with those issues
with the stuff I currently handle, as usually the most serious security
threats are not in drivers, but I suspect that others would have
to deal with similar issues.

Thanks,
Mauro
