Jan Lühr wrote:

> Well, of course you might have quite good reasons for doing so, but for me,
> this is quite a good reason for changing the distro or OS.

But to what? Currently, you have two choices: delayed, limited disclosure and no disclosure at all. No vendor currently offers what once was called "full disclosure", even in a delayed fashion.

> Hiding unfixed holes is one thing (and I appreciate that partly) but hiding
> already fixed packages is quite astonishing and you cannot tell me you need
> more than two weeks to test a simple correction.

There's an implicit contract among GNU/Linux distributors: you wait with disclosure until most parties are ready. Red Hat rushed ahead several times and the company still has early access to information. Debian would risk getting expelled from the vendor-sec community if it did the same on a more regular basis, I suppose.

> This is exactly the same policy M$ have - but the point is, you could
> at least inform your users.

Nobody does this, and it could upset users unnecessarily. There are many pitfalls to avoid in this area. Theo de Raadt's notorious disclosure of that OpenSSH bug should serve as a warning to others.