Scott Long wrote:
> Yar Tikhiy wrote:
>> [snip]
>> It's good news! But what about explaining the code to the public?
>>
>> - Mr. Developer, why does it take an ugly hack to make the device work?
>> - Can't tell ya, I'm under NDA.
>
> I think you have to respect that John and Stephan were doing the right
> thing with this. This was no different than a security fix that gets
> committed before the vulnerability is disclosed. No one seems to get
> upset that the security team operates this way.
I can only think of one recent case where a security fix was applied without the vulnerability details becoming public within a matter of minutes (i.e., as soon as we could get the advisory signed and uploaded), and that was due to a desire to avoid upstaging my BSDCan talk about hyperthreading (and in that case, all the details became available about 16 hours after patches were committed).

That said, I think we have to respect the fact that NDAs, while not ideal, provide limited access to information which would otherwise be entirely unavailable; and in such circumstances I think Yar's suggested response of "Can't tell ya, I'm under NDA" would be perfectly acceptable.

Colin Percival

_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "[EMAIL PROTECTED]"