GnuPG efail - researcher discussion failure


Luis R. Rodriguez <mcgrof@...>
 

As you may know there is tons of media coverage over efail:

https://efail.de/

The GnuPG team response seems to indicate that the researchers really
didn't properly engage or tune their message to avoid such hype over
such issues:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060318.html

The tone should therefore have been more about tons of MUAs needing fixing. But
everything else seems hype.

Since CII started in part as a response to Heartbleed, and the badge program is
IMHO a success story considering the number of projects which have been shaping
up to meet the requirements, it has me thinking that despite the badge program
something is still missing here.

What could be done, from a community, or even CII perspective, to avoid further
cross channel miscommunication mishaps between security researchers and our broad
set of FOSS projects in the community?

Cc'ing two folks who I believe are not subscribed. Perhaps this is off topic,
but I'm not sure where *else* such a topic could be discussed in a proactive
manner.

Luis
