Re: DSA 438 - bad server time, bad kernel version or information delayed?
Greetings,
On Thursday, 19 February 2004 14:22, you wrote:
> Jan Lühr wrote:
> > Well, of course you might have quite good reasons for doing so, but for
> > me, this is quite a good reason for changing the distri or os.
>
> But to what? Currently, you have two choices: delayed, limited
> disclosure and no disclosure at all.
Please don't take my escapades of yesterday seriously; as I posted, I was quite
stupid and rude, and I apologise for that.
> No vendor currently offers what once was called "full disclosure", even
> in a delayed fashion.
>
> > Hiding unfixed holes is one thing (and I appreciate that partly) but
> > hiding already fixed packages is quite astonishing and you cannot tell me
> > you need more than two weeks to test a simple correction.
>
> There's an implicit contract among GNU/Linux distributors: you wait with
> disclosure until most parties are ready. Red Hat rushed ahead several
> times and the company still has early access to information. Debian
> would risk being expelled from the vendor-sec community if it did the
> same on a more regular basis, I suppose.
>
> > This is exactly the same policy M$ have - but the point is, you could
> > at least inform your users.
>
> Nobody does this, and it could upset users unnecessarily. There are
> many pitfalls to avoid in this area. Theo de Raadt's notorious
> disclosure of that OpenSSH bug should serve as a warning to others.
I agree.
Keep smiling
yanosz