Re: DSA 438 - bad server time, bad kernel version or information delayed?



Sven Hoexter wrote:
On Wed, Feb 18, 2004 at 07:54:45PM +0100, Jan Lühr wrote:

After the last OpenSSH exploit, I thought that this kind of intransparency is limited to OpenBSD, but to what f*** h*** is OpenSource software driving to? Transparency is the most important aspect of secure OpenSource Software. (Anyway, imho it's the one and only argument for OpenSource software being more secure than others.)
What's going on here?

It's called "responsible disclosure" - think about it what you want :)
Like everything in life it has its pros and cons :-/

Sven

It may be better to set a deadline for the disclosure, instead of a coordinated disclosure.

OTOH, it may also help to coordinate the actual release, and not just the announcement, so that fixed packages are not available to the public until everyone makes the announcement. This way the time window from fixed package to announcement gets smaller (only as long as the mirrors take to get up to date), and a clever hax0r cannot monitor changes in important packages (ssh, kernel, apache) and dig for unannounced fixes.

 What do you guys say?

  José

PS
Please reply to the list
