
Re: The New Security Build Infrastructure



* Scott James Remnant (scott@netsplit.com) wrote:
> If there's a potential exploit for a server, I want to know about it as
> soon as the developers do so I can shut down that server until they come
> up with a fixed version.
> 
> Just because there isn't a fixed version yet, does not mean that there
> isn't a fairly knowledgeable hacker who's managed to exploit it.

The options go like this:
a) Get notification early of the problem, get time to fix it and ready a
   new package.
b) Don't get notification until it's made public and have to scramble to
   get a fix in ASAP because the problem is public.

It's pretty simple really.  You're going to find out at the same time
either way, it's just that in the first case there will be a package
ready when you find out and in the second case there won't be and you'll
have to wait for one.

So, which would you prefer, for there to be a package ready when you
find out, or for there to not be one?

	Stephen
