OpenJDK Governing Board Minutes: 2015/3/5
The OpenJDK Governing Board met via conference call on Thursday, 5 March 2015 at 16:00 UTC with the following agenda:
- Vulnerability Group (NDA/License)
- Any other business
Five Board members were present: Georges Saab, John Duimovich, Andrew Haley, Doug Lea, and Mark Reinhold.
The intent of these minutes is to capture the conversational flow of the Board's discussion and also to record decisions. If you are interested only in the latter then search for the word "AGREED" throughout the text.
1. Vulnerability Group (NDA/License)
Georges started the discussion about the latest draft legal document by noting that he was aware that John had brought up a few points in e-mail, Andrew had comments, and Doug was interested in understanding any concerns. John wanted to review the section describing the concurrent release of a solution and its public announcement; his concerns were around what constitutes a "vulnerability fix". Various example scenarios were explored, including the following:
An actual solution which is included in a standard code refresh, perhaps a few weeks prior to the announcement
Any change in the code which coincidentally addresses the vulnerability, e.g., the addition of a new feature
Any change which coincidentally modifies code near the vulnerability, but does not address it
An entirely new piece of software containing portions of the source code, but not the portion containing the vulnerability
A work-around which prevents the exploit by modifying a server configuration
Andrew reminded everybody that if a member of the Vulnerability Group releases a fix prior to the announcement then it would likely lead to a scramble by the other members also to release a fix, possibly before full testing has been done. Georges noted that a worst-case scenario is that only a partial fix is provided. John was concerned that simultaneous solution and public announcement could result in longer exposure to a vulnerability that is strictly necessary.
Andrew observed that the simultaneous fix/announcement scenario was applicable to theoretical exploits, not zero-day attacks. Georges agreed and indicated that the document's intent was to avoid inadvertent public disclosure and suggested that the wording may need to be clarified. Andrew expected that if any Vulnerability Group member needs to release something quickly, the Group would have to be notified so that other members could react as necessary.
Discussion then moved to whether informing the Group of a vulnerability made it impossible for a member to provide a solution without Group consultation. Andrew believed that if knowledge is acquired through Group membership, then there is a responsibility to keep it confidential until the Group decides that it should be disclosed. Georges added that there should be no disincentive to be a member of the Group.
The Board briefly considered potential outcomes if a member were to release a fix prior to consultation with the Group. One possibility is that the Group accepts the reasons for the member's actions. Another possibility is that the action is considered a breach of trust, resulting in termination of membership.
Conversation turned toward a concern that some organizations may have existing customer agreements which require that knowledge of a vulnerability be disclosed to that customer. It is believed that trust is not transitive; hence, someone subject to such agreements may not be able to join the Group.
After additional discussion, John agreed to suggest updates to the document to address the concerns raised in the meeting.
At this point the Board adjourned.