also sprach martin f krafft <madduck@debian.org> [2004.06.26.1452 +0200]:
> Note that I am not trying to nitpick or troll or flame. But I cannot
> find a rationale for this approach, so I am sceptical. I hope my
> questions are perceived well and yield a fruitful discussion.

In fact, I have searched the archives, and either google (as well as
the debian list search) is censoring my information, or it's not my
day. None of the following search terms return anything related to
the topic from the last year.

  - disclosure bugs security
  - disclosure problems security
  - bugs security public
  - problems security public
  - full disclosure

I can find
http://www.debian.org/Lists-Archives/debian-devel-9908/msg01933.html
and it seems to be just exactly what is going on. But there is no
rationale. So please point me in the right direction.

Specifically, I find it a good idea not to release details
immediately, but publish general information about the extent of the
security problems, so that administrators can take appropriate
action. Later, when the fix is available, details can be disclosed.

However, this does not seem to be the current practice. If I look at
the recent DSAs, they all announce the availability of fixed
packages. What about the time between discovery and fix? Does Debian
hide information from its users during that time?

-- 
Please do not CC me when replying to lists; I read them!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-    Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Attachment:
signature.asc
Description: Digital signature