Stephen J. Turnbull wrote:
>
> 5. Security patches are asynchronous, like earthquakes, they happen
> when they happen.

Very bad analogy. Hurricanes would be better. There is plenty of potential for user-base warning before a patch is to be released.

> If the patch comes out on Friday at 4:45, I would cancel that dinner
> date with my daughter. Wouldn't you? What difference would notice
> on Tuesday that a patch is expected sometime on Friday make to that
> decision, anyway?

Your daughter would presumably rather know on Tuesday that her Friday dinner with dad is canceled. That way she could make other plans, etc. Change "daughter" to "wife" and ask yourself how long your wife would remain if you kept canceling Friday dinner at the last minute. Now look at it from a business standpoint and try and convince my customers that they should expect their service to be down at any point in time to do unplanned system upgrades.

> In sum, I just don't see what benefit there is to the process you
> outline relative to current policy. The information doesn't make
> anyone more secure

No one is advocating that more info means more security. More info just means that users aren't the only ones in the dark. If the hack is out and the developers are working on it, who is left to inform... THE USERS OF THE PRODUCT. Why leave us in the dark?

> (unless they're willing to shut down their systems from announcement
> that "we're worried" until a workaround or fix is available)

That is an option that I reserve the right to make the decision on. Don't remove my capability to make that decision by hiding the info.

> communication with users will slow production of the fix but won't
> reduce the variance on when it gets released, and it's a
> non-negligible burden on the developers.

I don't believe that one bit, certainly not in the scenario that I described.

-Jim P.
------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp