[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Concerns with Open/OS Corporate Linux ads?

Henning Makholm wrote:

> As a random data point, take DSA-1116 (a buffer overrun with no known
> exploit, in a quite popular piece of desktop software), where I happen
> to have a timeline:
> July 1 - reported privately to security team, with patch
> July 6 - bug goes public through upstream's BTS, Debian bug filed
> July 7 - upstream releases fixed version
> July 7 - fixed in NMU to unstable
> July 13 - bug reaches front of security team's attention queue.
>           DSA and update to sarge prepared, but is stalled by some
>           buildd problem on a minor architecture.
> July 18 - fix propagates from unstable to testing
> July 21 - fixed in sarge, DSA released

You know that's not actually that bad.  Significantly better than before the 
security team.  Way better than Microsoft!

> It is not my point to criticize the security team; I have no reason to
> think they are not doing an absolutely fantastic job within the
> externally-imposed constraints of volunteer work, unstable supplies of
> free time in which to do the work, donated autobuilder machines spread
> around the world and run by a different set of volunteers, and so on
> and so forth.
> But it is also clear that a business which makes it a strategic
> priority to compete on the timeliness of security updates *could* well
> provide some real value over our stable and testing suites here, even
> - as in this case - when we have a 5-day head start.  Whether the
> company in question *is* actually such a business or it is just making
> empty promises, can of course not be discerned just by reading their
> ad.

Nathanael Nerode  <neroden@fastmail.fm>

Bush admitted to violating FISA and said he was proud of it.
So why isn't he in prison yet?...

Reply to: