I've read through just about every single post regarding ISS and the Apache
bug, their advisory release, their defense, and the response of others throughout
the community regarding this issue.
I am not embarassed to say that I do not agree with ISS's defense. From an
ethical standpoint, I would interpret their handling of the release to be wrong
and a direct contradiction to some of the basic principles and standards under
which IT professionals conduct themselves. This incident had a negative impact
on many people (including the Apache develpment team) along with those of us
who are responsible for Apache systems. In the five years, I've been working
with Linux, I don't recall another incident being handled so poorly.
There are a lot of talented people working with open-source including the
end-users who use these products and I find it rather "dark" to single them
out by saying, "virtual organizations [??] do not have an ability to enforce
strict confidentiality." There is little to be gained by such a statement.
-- Patrick
"Opinions expressed are only mine."
