[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues
Andy Lutomirski
luto at amacapital.net
Sun Sep 9 19:19:00 UTC 2018
> On Sep 9, 2018, at 11:56 AM, Theodore Y. Ts'o <tytso at mit.edu> wrote:
>
>> On Sun, Sep 09, 2018 at 11:17:20AM -0700, Andy Lutomirski wrote:
>>
>> What I want is the opposite of an NDA. I want a gentlemen’s
>> agreement plus an explicit statement that the relevant people *may*
>> talk about the issue among themselves despite any NDAs that might
>> already exist. And that they may release patches when the embargo is
>> up. And that the embargo has an end date, and that the developers
>> may decline an extension.
>
> So what you're talking about is some kind of "Memo of Understanding"
> that has no talk about "if this leaks it will Intel will suffer
> millons and billons and zillons of dollars and Intel well sue you
> until your assets are a smoking crater in the ground"?
Yes
>
> If there are no consequences to violating the Gentleman's agreement
> (other than not being included the next time *when* another CPU
> vulnerability comes up), then nothing really needs to be signed, since
> it has no legal impact.
Here I disagree. The consequence to *Intel* for signing needs to be clear. If I’m included, and Intel thinks I leaked it or their attorneys get overzealous and complain that I talked to someone at SUSE or whatever or that I *gasp* published a patch on the day the embargo ended and they sue *me* for zillions under my preexisting, then I want to point to this agreement and say “no, and by suing me you are in breach of this contract”.
>
> I'd certainly support such a thing, but in my view it's really no
> different from Linus's #2:
>
> 2. Force industry to adopt new norms that actually work well with open
> source.
> If the MOU with no teeth is enough to save the lawyer's face, that
> would be great.
>
That too.
More information about the Ksummit-discuss
mailing list