On Fri, Oct 19, 2012 at 11:19:40AM -0700, d3fault wrote:
> Mathematical Truth:
>
> It is better:
> To be vulnerable and know it (so you can shut down your machine or
> unplug dat ethernet cable).

most secure == always off. But that is probably not practical. But then again, security is not a state but a process. ;)

> Than:
> To be vulnerable and not know it (especially when there's a growing
> number of others that do).

If you take a look here [1], it takes about a year until active exploitation is discovered, and exploitation increases after disclosure. So this "growing number of others" is mostly void in your argumentation. Exploitation happens after the public disclosure and before people are ready to apply the patches. You will not change the fact that, right now, responsible disclosure is in place. What you can help with is improving the process. E.g. if somebody imports 3rd-party software into Qt, he should be responsible for updating this code in time; there should probably also be a new release of Qt with the last stable + the 3rd-party security fix.

[1] http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf

_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development