bug-hurd

On conscription, copyright assignment, and CVEs


From: Sergey Bugaev
Subject: On conscription, copyright assignment, and CVEs
Date: Thu, 7 Oct 2021 14:03:02 +0300

Hello everyone.

I'm likely getting conscripted for military service some time soon.
When exactly, I don't yet know, but it could happen any day now.

What does it have to do with the Hurd? Well, it most likely means I
will be offline (and so, unable to contribute or to read and respond
to any messages) for a whole year; so I want to take care of some
unfinished matters.

My FSF copyright assignment is still unfinished, and I'm starting to
doubt it will ever be. I haven't received a reply from the FSF person
I was communicating with for the last two months. As I've stated
previously, it's partly my own fault that the process is taking so
long, for I have also been very slow to respond to them (in one case).
But no matter whose fault it is, it looks like the process will
require some more back-and-forth iterations/roundtrips, which are
unlikely to happen fast enough to complete before I get conscripted.

Recently, several people have asked me what's up with getting official
CVEs for those Hurd vulnerabilities I've written about previously.
Truth is, I don't really know how this works!

Back in May, Amos Jeffries kindly offered to help me with the CVE
process; but we got stuck at exchanging GPG keys, and I haven't heard
from him since June. I don't know if Amos is still interested, or if I
should seek help elsewhere;

but in any case, it's been two months since the fixes were
published. Everybody should have had plenty of time to upgrade. It's
also been possible for any attackers to infer what the vulnerabilities
were from the patches, which are publicly accessible (if not in the
main Hurd tree). I think it would make sense now for me to just
publish the details of what the vulnerabilities were. It should be an
interesting read for everyone, and it would hopefully help with the
CVE process somewhat (assuming someone would be interested in it,
perhaps they even would be able to complete the process in my
absence?). And also I expect to forget the details in a year's time (I
must have already forgotten some!), so I'd better do it now rather than
afterwards.

So, if anybody knows of a reason I shall not do this, speak now or
forever hold your peace! :)

Sergey


