John H. Robinson, IV wrote:
> Scott James Remnant set us up the following:
> > Stephen Frost wrote:
> >
> > > So, which would you prefer, for there to be a package ready when you
> > > find out, or for there to not be one?
> > >
> > From a user point of view, the latter. I'd rather pull a service down
> > because of an exploit, and wait for a package than to not know about an
> > exploit for one of my systems.
>
> *snip pointless stuff*
>
> proof of concept: (if you don't remember details, google can help)
> one vendor (redhat) took a lot of heat by doing exactly that: they
> accidentally released a vulnerability notification early. a lot of people
> were very unhappy by it. could you imagine the backlash that debian
> would get, if debian did that as _a_ _matter_ _of_ _policy_?
>
Could you imagine what your reply would have been if you'd read the next
couple of paragraphs of my e-mail? I *know* this.

I disagree with t=1, t=1 should be "researcher releases PUBLIC advisory"
in my opinion.

Scott
-- 
Scott James Remnant     Have you ever, ever felt like this? Had strange
http://netsplit.com/    things happen? Are you going round the twist?