On 8/9/06, Jason Huggins <[EMAIL PROTECTED]> wrote:
> I can see how a policy like that is "tricky"... What's to keep an evil
> blackhat from subscribing to the very same list so he knows when to
> get busy cracking sites using the same information?
I've been watching people go round and round about this in various places today, and I have to say that I can respect the Rails team's policy of not releasing full details of the vulnerability until after their users have had a little time to patch. Full disclosure still happens, but it's slightly safer for end users this way. A couple of other open-source projects I've used/been involved with have followed a similar policy of "update ASAP, and we'll release details once people have had time to patch", and it's caused no harm that I've seen.

And as much as some people I've talked to have been wailing and gnashing teeth about Rails being in Mac OS X 10.5 while Django isn't, well, I don't envy somebody who gets shipped as part of a major operating system when it comes time to issue security updates :)

--
"May the forces of evil become confused on the way to your house."
-- George Carlin