Stephen Frost wrote:

> * Scott James Remnant (scott@netsplit.com) wrote:
> > If there's a potential exploit for a server, I want to know about it as
> > soon as the developers do so I can shut down that server until they come
> > up with a fixed version.
> >
> > Just because there isn't a fixed version yet, does not mean that there
> > isn't a fairly knowledgeable hacker who's managed to exploit it.
>
> The options go like this:
> a) Get notification early of the problem, get time to fix it and ready a
>    new package.
> b) Don't get notification until it's made public and have to scramble to
>    get a fix in ASAP because the problem is public.
>

Aye I'm aware of the problem :( 'tis why I just mailed debian-devel my
2p, rather than Cc'ing Florian directly.

> It's pretty simple really. You're going to find out at the same time
> either way, it's just that in the first case there will be a package
> ready when you find out and in the second case there won't be and you'll
> have to wait for one.
>
> So, which would you prefer, for there to be a package ready when you
> find out, or for there to not be one?
>

From a user point of view, the latter. I'd rather pull a service down
because of an exploit, and wait for a package than to not know about an
exploit for one of my systems.

From a debian developer point of view, the former. I'd rather we knew
about the exploit as early as everyone else so we had the same time to
fix the problem.

So I guess I disagree with their policy, preferring our official one.
But I agree we probably have to abide by their wish to not officially
disclose the problem in order to correctly serve our users.

Scott
--
Scott James Remnant     Have you ever, ever felt like this? Had strange
http://netsplit.com/    things happen? Are you going round the twist?