Re: Concerns with Open/OS Corporate Linux ads?
Henning Makholm wrote:
> As a random data point, take DSA-1116 (a buffer overrun with no known
> exploit, in a quite popular piece of desktop software), where I happen
> to have a timeline:
> July 1 - reported privately to security team, with patch
> July 6 - bug goes public through upstream's BTS, Debian bug filed
> July 7 - upstream releases fixed version
> July 7 - fixed in NMU to unstable
> July 13 - bug reaches front of security team's attention queue.
>           DSA and update to sarge prepared, but is stalled by some
>           buildd problem on a minor architecture.
> July 18 - fix propagates from unstable to testing
> July 21 - fixed in sarge, DSA released
You know, that's not actually that bad. Significantly better than before the
security team. Way better than Microsoft!
> It is not my point to criticize the security team; I have no reason to
> think they are not doing an absolutely fantastic job within the
> externally-imposed constraints of volunteer work, unstable supplies of
> free time in which to do the work, donated autobuilder machines spread
> around the world and run by a different set of volunteers, and so on
> and so forth.
> But it is also clear that a business which makes it a strategic
> priority to compete on the timeliness of security updates *could* well
> provide some real value over our stable and testing suites here, even
> - as in this case - when we have a 5-day head start. Whether the
> company in question *is* actually such a business or it is just making
> empty promises, can of course not be discerned just by reading their
Nathanael Nerode <firstname.lastname@example.org>
Bush admitted to violating FISA and said he was proud of it.
So why isn't he in prison yet?...