[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues

Dave Hansen dave at sr71.net
Mon Sep 10 22:59:26 UTC 2018


On 09/08/2018 12:49 PM, Linus Torvalds wrote:
> So I don't do NDA's. Maybe some Linux Foundation NDA agreement
> technically covers me, but at least with the Intel cases, Intel is
> actually aware of my non-NDA situation and is fine with it.

My *personal* observation on the NDAs:

Companies don't actually care about the NDA being an NDA per se.  They
really only want to feel like they are in control of the information.
They get that warm and fuzzy feeling from NDAs for normal
company-to-company interactions, which makes NDAs the go-to tool when
these security things pop up.

We (the community) are slowly showing the NDA-loving folks that <gasp>
they are not the _only_ tool available.  But, it's going to take time to
change the mindset.

I *do* wish that companies like Intel who are actively doing these
non-NDA things would find some way to share their methods.  Maybe the LF
can help here by providing a semi-anonymous way for folks to share what
has worked.  Or, maybe folks like Intel need to just do it ourselves.


