Re: GnuPG efail - researcher discussion failure

David A. Wheeler

Luis R. Rodriguez:
> As you may know there is tons of media coverage over efail:
> What could be done, from a community, or even CII perspective, to avoid further
> cross channel miscommunication mishaps between security researchers and
> our broad set of FOSS projects in the community?

I don't know what can be done, but it's definitely a worthy topic, because
media circuses and miscommunication are happening a lot. Unfortunately,
for many the economics encourage it. The researchers get quick (valuable) notoriety,
and the media get good clickbait (and many in the media don't
understand the issues anyway).

> Cc'ing two folks which I believe are not subscribed. Perhaps this is Off topic,
> but, not sure where *else* could such a topic be discussed in a proactive

That's a fair "scope of mailing list" question.

If we can somehow turn this into some kind of "best practice" kind of thing,
this is definitely on-topic for this mailing list. I don't know if we can,
but the discussion on *trying* to do so is definitely on-topic.
I don't know of any "generic CII" mailing list, but since many of us are involved in
the CII generally, and it's closely related, I think it's okay for now.

An alternative (and much larger) forum is the oss-security mailing list.

--- David A. Wheeler

