On Mon, 24 Jan 2005 10:37:48 -0500 Keith P Hassen <[EMAIL PROTECTED]> wrote:

| > You could argue that we shouldn't be involved in anything like this,
| > simply on principle. However, given the choice between giving our
| > users secure systems, or not knowing about security bugs *at all*
| > for anything up to several months after RedHat and Debian do, the
| > decision was made to keep certain bugs locked for a while if this
| > was necessary for us to see the bug information.
|
| IMO, you have to decide on what is considered more important for the
| users and where gentoo's ideals lie. If engaging with vendorsec is
| _worth_ the irritation, then recognize that there is going to be a
| backlash from some members of the community. I believe that ideals
| (or approximations thereof) are only attainable if you try to
| implement them.
Those members of the community can go and take it up with VendorSec. Most of our users would prefer to get security fixes immediately, rather than several months in the future, even if it means having to wait a while for the fix information to become public. This is the first time anyone's suggested that we leave people with insecure systems rather than agree to keep bugs restricted for a while in order to get access to vulnerability data sooner.

Hopefully VendorSec will end up reducing their restriction periods. I'd suggest asking them to try to keep the waiting time down rather than trying to get rid of limited access bugs altogether; it might get you further.

-- 
Ciaran McCreesh : Gentoo Developer (Vim, Fluxbox, shell tools)
Mail            : ciaranm at gentoo.org
Web             : http://dev.gentoo.org/~ciaranm
