Thus spoke Julian Gilbey <J.D.Gilbey@qmul.ac.uk> [2002.01.17.0120 +0100]:
> I would prefer this to having some other distro release an
> announcement to the big wide world which says "There's a root
> compromise in package foo we've just discovered, here's how you do it
> and here's how to fix it", then for us to take 4 days to implement the
> patch, leaving everyone's machines vulnerable during this period.
sure it's preferable to do it that way, but it's not the right approach.
who says that the information on the exploit is kept private and not
abused?
as a system administrator, i'd much rather know about everything! if the
security patch isn't available right then, then i simply disable the
service until it is. period.
> The delays are usually short, about 2-3 weeks or so, and as long as
> the compromise is kept very quiet for that limited period while a
> patch is developed, everyone is usually better off for it.
not true. kept very quiet doesn't exclude someone else finding it.
-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
  
"no, 'eureka' is greek for 'this bath is too hot.'"
                                                            -- dr. who