[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The New Security Build Infrastructure

> > So users can flame all distributions for not having a fix available for
> > a know vulnerability? And especially Debian, because as previously said,
> > with 11 architectures, it will come out dead last?
> > 
> > I'd be very pissed if that would be how things work, as I do not want to
> > let every bugtraq reader try the published exploit BEFORE there is a fix
> > available.
> > 
> So in other words, you'd rather they all had their machines vulnerable
> to potential hackers for a period of time?

Well, if the exploit is not published, far less people know about it
(in the best case, only the researcher). If it gets published,
thousands of people will know about it. Call me idealist, but I
believe that the folks who publish vulnerabilities on bugtraq will not
try to crack my system. On the other hand, the readers of that list
might try, especially if the KNOW that there is a good chance I don't
have a fixed package.

If vendors are notified before the bug hits the public, I WILL have a
fixed package, and crackers will less likely try to crack my box,
since they are aware of the fact that vendors got notified, and I
probably have a fixed package already.

For a period of time, my machine will be vulnerable anyway. The
question is: how many people will have the chance to take advantage of
this? If it gets published before the fix, many people will have the
chance. If after, far less. Consider this.

> As a user, I'd rather know about the exploit at t=1, so I can decide
> whether to shut down that service or not until my software provider of
> choice have provided updated software.

I'd rather see a fix before the whole wide world notices that my
servers can be compromised. Like if I leave my door wide open, and
notice it at the way toward the office, I'd first phone the
neighbours, and not tell everyone who happens to come by.

Attachment: pgpmxqqDnJ6d6.pgp
Description: PGP signature

Reply to: