On Mon, 24 Jan 2005 12:16:32 -0500 Keith P Hassen <[EMAIL PROTECTED]> wrote:
| The problem is that vendorsec is a political entity first and a
| security entity second. Signing up with vendorsec is a tacit
| endorsement of their policies; the short-sighted response is that
| this makes security fixes more timely for your product, but there is
| a cost to not having an open security-reporting policy. There is
| definitely a balance to be achieved here, but my point is that if you
| fundamentally disagree with vendorsec's policy about disclosure, then
| alternatives should be considered--even if that means a cost to the
| _short-term_ capacity of Gentoo to provide security updates.
|
| This might seem ridiculous to you, but I think that the spirit of the
| open-source community is what is at stake in this regard.

Sure. We could also rip out all non-Free software from the tree if we
wanted to. But then, if Debian aren't being anal about VendorSec then
we're in no position to do so either.

--
Ciaran McCreesh : Gentoo Developer (Vim, Fluxbox, shell tools)
Mail : ciaranm at gentoo.org
Web : http://dev.gentoo.org/~ciaranm
