
Re: The New Security Build Infrastructure

John H. Robinson, IV wrote:

> Scott James Remnant set us up the following:
> > Stephen Frost wrote:
> > 
> > > So, which would you prefer, for there to be a package ready when you
> > > find out, or for there to not be one?
> > > 
> > From a user point of view, the latter.  I'd rather pull a service down
> > because of an exploit, and wait for a package than to not know about an
> > exploit for one of my systems.
*snip pointless stuff*

> proof of concept: (if you don't remember details, google can help)
> one vendor (redhat) took a lot of heat by doing exactly that: they
> accidentally released a vulnerability notification early. a lot of people
> were very unhappy by it. could you imagine the backlash that debian
> would get, if debian did that as _a_ _matter_ _of_ _policy_?
Could you imagine what your reply would have been if you'd read the next
couple of paragraphs of my e-mail?

I *know* this.

I disagree with t=1, t=1 should be "researcher releases PUBLIC advisory"
in my opinion.

Scott James Remnant     Have you ever, ever felt like this?  Had strange
http://netsplit.com/      things happen?  Are you going round the twist?
