
Re: DSA 438 - bad server time, bad kernel version or information delayed?



Jan Lühr wrote:

> Well, of course you might have quite good reasons for doing so, but for me,
> this is quite a good reason for changing the distri or OS.

But to what?  Currently, you have two choices: delayed, limited
disclosure and no disclosure at all.

No vendor currently offers what once was called "full disclosure", even
in a delayed fashion.

> Hiding unfixed holes is one thing (and I appreciate that partly) but hiding
> already fixed packages is quite astonishing and you cannot tell me you need
> more than two weeks to test a simple correction.

There's an implicit contract among GNU/Linux distributors: you wait with
disclosure until most parties are ready.  Red Hat rushed ahead several
times and the company still has early access to information.  Debian
would risk getting expelled from the vendor-sec community if it did the
same on a more regular scale, I suppose.

> This is exactly the same policy M$ have - but the point is, you could
> at least inform your users.

Nobody does this, and it could upset users unnecessarily.  There are
many pitfalls to avoid in this area.  Theo de Raadt's notorious
disclosure of that OpenSSH bug should serve as a warning to others.


