Brad Knowles wrote:

> Some blackhats will already know, but there will be others that don't
> -- and who would never know until the first official announcement
> goes out.
>
> No matter what, that first official announcement increases the
> exposure of the security weakness. That is an inescapable universal
> truth.

'Universal truth'? I sincerely doubt that. You seem to be back on that security through obscurity approach again. ;-)

By the time the first official announcements are released, usually everybody knows something of the issue. Take Microsoft and Red Hat for good examples. I see them release stuff all the time for things I've seen mentioned elsewhere. Microsoft tells me every week what patches they are working on and what I can expect in the future. I don't get vulnerability specifics, but I do get arena specifics. A good example of this was the recent WMF vulnerability. Prior to releasing a patch, MS advised customers how to protect their systems from the exploit and gave estimates on when they hoped to have a patch released. This was widely discussed on /.; I would be surprised if you missed it.

Again I will remind you that I am NOT asking for Mailman developers to release details, just early info on the updates/patches. SANS/Mitre/etc. already fill us in on the vulnerabilities; what I want from Mark/Tokio/Brandon is some feedback that they are aware and addressing the situation and not sitting around waiting for X, Y, or Z before they can move forward. This isn't oversight, it's just reasonable feedback.

The whole reason for me waxing so passionately on this thread is the earlier suggestion that Diana shouldn't have even emailed mailman-users, but rather mailman-security, and kept it quiet thereafter (this after it was already released over at securityfocus.com).

>> OK, that's fair. But do you think they need to hold off entirely
>> up until the point they have a patch pushed to *.dl.sf.net?
>
> It depends on the nature of the weakness in question, and the
> circumstances under which the patch was developed. I would say that
> waiting a longer period may be appropriate in some circumstances,
> and undesirable in others.

Fair enough.

>> Listen, nobody expects Tokio to be perfect. If people hadn't
>> started making some noise most of us wouldn't know there is a
>> pending patch.
>
> Actually, you're wrong. There is no patch. There is an upgrade,

Patch, smatch. You are mincing words to try and make your point (which is getting suspiciously close to mine). Again, all I'm asking for is some pre-patch, pre-upgrade info on what to expect. Nothing more, nothing specific, no hard dates or time limits. If this is too "secret" to put out on mailman-users, then let's create a vetted mailman-alerts list and at least let those that want to be informed get updates.

-Jim P.