Re: full disclosure, or not?

To: debian security <debian-security@lists.debian.org>
Subject: Re: full disclosure, or not?
From: Horst Pflugstaedt <Pfaedt@uni-duisburg.de>
Date: Sat, 26 Jun 2004 21:55:01 +0200
Message-id: <[🔎] 20040626195501.GA6416@home>
Mail-followup-to: Horst Pflugstaedt <Pfaedt@Uni-Duisburg.de>, debian security <debian-security@lists.debian.org>
In-reply-to: <[🔎] 20040626123902.GA4616@cirrus.madduck.net>
References: <[🔎] 20040626123902.GA4616@cirrus.madduck.net>

On Sat, Jun 26, 2004 at 02:39:02PM +0200, martin f krafft wrote:
> anything from its users. If a root exploit is out there, users want
> to know about it. Keeping it a secret is childish.

what would be the alternative?
The security team would have to annonce "there's a possible security
flaw in package XY, we're on it, but it may take some more days to fix
it"

What's the worth of such announcements? Users (You'd) know about a bug, but
still could not do anything about it. After all, I'd strongly object
to my web-host/ISP/Sys-Admin/... switching off
apache/php/ssh/name-whatever-tool-you-really-need because they have heard of
an yet unfixed security-problem. 

> 
> So what is the official procedure of the security team?

I guess it's "work as hard ass posible to fix it as soon as possible
and then release a fix on d.s.o".

good night
Horst.

Reply to:

Follow-Ups:
- Re: full disclosure, or not?
  - From: martin f krafft <madduck@debian.org>
- Re: full disclosure, or not?
  - From: riedel@trigital.net (Sven Riedel)

References:
- full disclosure, or not?
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: Why not push to stable?
Next by Date: Re: webmin and GLSA 200406-12
Previous by thread: Re: full disclosure, or not?
Next by thread: Re: full disclosure, or not?
Index(es):
- Date
- Thread