On Wed, 12 Mar 2003, Chuck Yerkes wrote:

> I'm not sure if slackware can count as a vendor.

The distribution is sold and there are outfits offering commercial support.

> The issue is this was a highly sensitive problem and the person
> notified had to be 1) trusted and 2) under NDA. Deeply under
> NDA until it was revealed.

Uh, says who? As a direct result of the sendmail shenanigans, plus CERT's recent statements regarding who does and doesn't get heads-up prior to disclosure, I was expecting that people would start simply announcing vulnerabilities to bugtraq and other full disclosure lists without bothering to give the usual 7 day lead time. I'd say the Qpopper announcement is just the start of it. Having people threatened with jailtime using the Homeland security act should they disclose a security vulnerability is just plain over the top. Expect to see the announcements start coming from countries where it would be quite hard for the USA to trace the senders.

> As for exploits, I'm aware of a couple anti-stack smashing kernel
> patches that Linux ignores regularly.

I'm aware of them. There are reasons for not including them as standard - they break on various architectures as currently distributed.

> I expect that from Sun, but
> open source projects are able to be agile enough to actually work
> on security. I just wish Linus would.

Linus is just the coordinator these days (and in the development trees he's farmed that off to Alan, Rik and Marcelo). It takes someone to write the code and then at least 4-5 more people to audit it before it's declared ready for inclusion in the experimental kernels...

AB