Greetings,

On Thursday, 19 February 2004 at 14:22, you wrote:
> Jan Lühr wrote:
> > Well, of course you might have quite good reasons for doing so, but for
> > me, this is quite a good reason for changing the distro or OS.
>
> But to what? Currently, you have two choices: delayed, limited
> disclosure and no disclosure at all.

Please don't take my escapades of yesterday seriously; as I posted, I was quite stupid and rude, and I apologise for that.

> No vendor currently offers what once was called "full disclosure", even
> in a delayed fashion.
>
> > Hiding unfixed holes is one thing (and I appreciate that partly), but
> > hiding already fixed packages is quite astonishing, and you cannot tell me
> > you need more than two weeks to test a simple correction.
>
> There's an implicit contract among GNU/Linux distributors: you wait with
> disclosure until most parties are ready. Red Hat rushed ahead several
> times and the company still has early access to information. Debian
> would risk getting expelled from the vendor-sec community if it did the
> same on a more regular basis, I suppose.
>
> > This is exactly the same policy M$ has - but the point is, you could
> > at least inform your users.
>
> Nobody does this, and it could upset users unnecessarily. There are
> many pitfalls to avoid in this area. Theo de Raadt's notorious
> disclosure of that OpenSSH bug should serve as a warning to others.

I agree.

Keep smiling
yanosz