On Sep 23, 2008, at 9:35 AM, Christof Wollenhaupt wrote:
>> What about saying something like that, instead of just leaving it looking like a cop-out?
>
> Finding the right level of detail is always difficult, especially in a knowledge base article. Not everyone is interested in several pages of explanations and historical excerpts that lead to the decision. Look at the security announcements from Debian:
>
> http://www.debian.org/security/2008/dsa-1642
>
> Tell me, what exactly was the problem? They don't say this; all they say is: "There was a problem. Here's a fix." Not a single word about what attack was possible, how long the bug was in there, what they do to prevent the problem from happening ever again, why they introduced it into the product, nothing. How is that different from the KB article?
Because they said it *was* a problem. They didn't try to weasel out
of it by claiming it was "by design".
Perhaps the vulnerability existed because someone made a choice for
increased efficiency, and didn't foresee potential future
consequences, as you explained in the report writer bug. Does that
justify them claiming it was "by design"?
>> But I do expect honesty.
>
> What is not honest in the article? It's a design decision, that's what it is, and that's what they say.
It's not honest, even though it is accurate. The two are not
equivalent. You can make a design decision that results in a bug.
-- Ed Leafe
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[EMAIL PROTECTED]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.