
Re: DSA 438 - bad server time, bad kernel version or information delayed?



Greetings,

On Thursday, 19 February 2004 15:12, Florian Weimer wrote:
> Jan Lühr wrote:
> > > You don't.  Tough luck, of course, but that's the price for running
> > > affordable, off-the-shelf software (free or proprietary).
> >
> > well, this might be a reason for using computers in situations we use 'em
> > today.
>
> Probably yes.  If the costs for software production were one or two
> magnitudes higher because only error rates in the range of one error per
> 10 KSLOCS were tolerated by the market, it's unlikely that anybody would
> use free software for its technical merits. 8-)
>
> > I'm just feeling like a helpless person, threatened by a serious
> > disease, who is going to be informed about it, when a cure exists.
> > Trust me, that doesn't feel right.
>
> Large institutions tend to react quite irrationally if they are confronted
> with possibly far-reaching defects.  It doesn't matter if a fix is
> available, it's often very expensive to deploy.  The security
> announcement alone can cause significant costs and service disruption.

Well, what about providing binary-only packages if they are ready?
No debug symbols, no changelog.
Just put a tested fix on the server, do a quick post like "local root exploit
fixed, CVE id is ..." and nothing more.
Thus Debian users are able to protect themselves, and the blackhats would have to
scan the whole binary in order to speculate for the course.
When the others have done theirs - release the detailed information.
This might be affordable.

Keep smiling
yanosz
