undefined | Better HN

0 pointsjunon2y ago0 comments

That has to do with curl itself, redhat isn't necessarily bound to that schedule and we don't know the discussion that happened privately prior to disclosure date.

0 comments

justinclift2y ago

That kind of approach leads to the party which broke ranks this time, not being included in confidential things in future.

Along the lines of "they've proven they can't be trusted", kind of thing.

junonOP2y ago

I don't agree they broke ranks. The 6am date was for the curl project itself.

justinclift2y ago

Probably depends on whether Red Hat was party to privileged info as part of a co-ordinated release for this. Personally, I have no idea.

1 more reply

samueloph2y ago

RedHat is one of the subscribers of the mailing list where the CVE details were sent under embargo, so yes, they were bound to that and broke the embargo 13 hours earlier than the lift date.

j / k navigate · click thread line to collapse

0 comments

justinclift2y ago

That kind of approach leads to the party which broke ranks this time, not being included in confidential things in future.

Along the lines of "they've proven they can't be trusted", kind of thing.

junonOP2y ago

I don't agree they broke ranks. The 6am date was for the curl project itself.

justinclift2y ago

Probably depends on whether Red Hat was party to privileged info as part of a co-ordinated release for this. Personally, I have no idea.

1 more reply

samueloph2y ago

RedHat is one of the subscribers of the mailing list where the CVE details were sent under embargo, so yes, they were bound to that and broke the embargo 13 hours earlier than the lift date.

j / k navigate · click thread line to collapse