Re: DSA-134-1



Hi,
One would have to point out that though they haven't released
anything specific yet, they say that they will, and there are real
reasons for not telling the world without providing sufficient
warning to get systems at least partially protected. Sure that might
be in some ways inconsistent with their stated policy but if they do
release all the information next week (as I think they have said
they will) then (probably) they have gone about it in as good a way
as they could really be expected to. 
As I understand it, the normal way for vendors to do this would have
been to wait until next week before saying anything at all. Probably
that would have been a clearer course of action as we wouldn't know
about it until a fix was available. No nervous week of waiting, but
also an extra week with a 'known' and presumably very serious
security hole in all our systems. 
I don't like either of those options, but I'm inclined to think that
being given an opportunity to do preemptive damage control is a Good
Thing. 


On the other hand I agree with you entirely about Theo. He is my only
problem with the OpenBSD project.

Tim

On Tue, Jun 25, 2002 at 12:40:44PM +0200, Robert van der Meulen wrote:
> 
> Quoting Paul Haesler (debian@phaesler.org):
> > Doesn't OpenBSD have a full-disclosure policy anyway?
> 
> It has 'listen to theo or fuck off' disclosure policy, which basically means
> you have to do what theo says, and no matter what you do, you'll end up with
> problems and bitching, and disclosure is only done when it doesn't affect
> openbsd (or the '5 years without..' line on openbsd.org).
> 
> Greets,
> 	Robert
> 

-- 
Tim Nicholas                          ||                      Cilix
Email: tim@nicholas.net.nz            ||       Dunedin, New Zealand
http://tim.nicholas.net.nz/           ||  Cell/SMS: +64 21 113 0399

