Comment by ajross
7 months ago
I'm confused. They're saying that the original patch was incomplete and that they believe they've re-broken it, but that they aren't publishing the updated attack because the report is embargoed (presumably to update the fix).
What is the security policy you'd like to see here? If the researchers were to publish the updated attack before mitigation then that WOULD be a zero day!
The embargo refers to Google's update policy since a couple months ago, which means that for three months, updates are on-hold and only shared with "selected vendors" and not the public.
Essentially the dumping strategy of open source that Apple has been doing for years.
Read the LineageOS blog article for more details on why stripping history and publishing only a tarball might be seen as the most stupid development practice ever.
[1] https://news.ycombinator.com/item?id=45158523
Yeah, that's not the sense of "embargo" used in the text you quoted. I think you're arguing about something else. AOSP not getting prompt security patches is indeed a problem, but it's not relevant here. Per the article there is no fix for the updated attack.
> Yeah, that's not the sense of "embargo" used in the text you quoted. I think you're arguing about something else. AOSP not getting prompt security patches is indeed a problem, but it's not relevant here. Per the article there is no fix for the updated attack.
I'm not sure you are aware that the embargo references an NDA that you have to sign in order to get the updated sources/patches before the 3-month delay until it is released to the public.
Then guess what an NDA has to do with the condition of "being allowed" or "not being allowed" to publicly disclose a security bug that you've found.
[1] https://android.googlesource.com/platform/docs/source.androi...