> > So users can flame all distributions for not having a fix available for > > a know vulnerability? And especially Debian, because as previously said, > > with 11 architectures, it will come out dead last? > > > > I'd be very pissed if that would be how things work, as I do not want to > > let every bugtraq reader try the published exploit BEFORE there is a fix > > available. > > > So in other words, you'd rather they all had their machines vulnerable > to potential hackers for a period of time? Well, if the exploit is not published, far less people know about it (in the best case, only the researcher). If it gets published, thousands of people will know about it. Call me idealist, but I believe that the folks who publish vulnerabilities on bugtraq will not try to crack my system. On the other hand, the readers of that list might try, especially if the KNOW that there is a good chance I don't have a fixed package. If vendors are notified before the bug hits the public, I WILL have a fixed package, and crackers will less likely try to crack my box, since they are aware of the fact that vendors got notified, and I probably have a fixed package already. For a period of time, my machine will be vulnerable anyway. The question is: how many people will have the chance to take advantage of this? If it gets published before the fix, many people will have the chance. If after, far less. Consider this. > As a user, I'd rather know about the exploit at t=1, so I can decide > whether to shut down that service or not until my software provider of > choice have provided updated software. I'd rather see a fix before the whole wide world notices that my servers can be compromised. Like if I leave my door wide open, and notice it at the way toward the office, I'd first phone the neighbours, and not tell everyone who happens to come by.
Attachment:
pgpmxqqDnJ6d6.pgp
Description: PGP signature