
Re: ssl security disaster (was: Re: SSH keys: DSA vs RSA)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On Tue, 27 May 2008 at 1:09, Colin Watson wrote:
> On Thu, May 15, 2008 at 09:15:57AM -0700, Mike Bird wrote:
> > The rollout of information and updates was appalling - even adding in
> > the material from Ubuntu the information was piecemeal and inadequate
> > to properly secure systems within the limited time before crackers
> > might be expected to have exploits.
> 
> I think part of the problem here was that the coordinated release date
> for the advisory was simply too soon after the relevant parties were
> notified.

Ehem, is it your idea of security to make it secret (as Microsoft often
does)? It is never ever a good idea to make security issues secret or to
protract them.

And in this special case it was easy to fix the problem very fast when
the advisory came out.

> but I think an extra day or two on the embargo period would very
> likely have produced a better result.

It is never a good idea to set an embargo period for a security issue.
This is even more valid for the scope of this big security problem!

All together I must say it was very professional and fast how the Debian
security team and others had done the treatment of the problem. Don't
lower them by arguing with snake oil that the reaction was too fast!
It can never be fast enough.

Regards
   Klaus Ethgen
- -- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSDtLlZ+OKpjRpO3lAQKUHwgAsn8xq1NcThqpNQTB1NmKMeJN0+sSav5u
qlxSoYEXue2XJQtSxM01e3IY6DGTnb/1nUrKcaeaCtoWWMvaX6hMsix9ojTucVVp
kbazrllUbzE+xXKpfX4f9nghNN6x+/svsoRCGZiK/nA87B+o2HoFAK0HZ1NcOKal
c8z2cGwCgcVQvldVr6sH0Kc652+dZY0PMaDhT/0ermgiOD6Nv8yQmjXSH1DVnFUW
mElrGqBOKQPQh1FU+X4XV2NZ+WsSlW9DLDL83JWHDH7w0qddwaLdgOOQBNWlq9lr
+9noAzp7NhoLdRV3zdPUD6OxwRuCGPi+lm8w0DDqXQnjfylgKpaDYw==
=9ZuH
-----END PGP SIGNATURE-----