Alan Cox <alan@lxorguk.ukuu.org.uk> writes:
> On Sun, 2003-03-23 at 20:33, Florian Weimer wrote:
>> Well, this is a problem which will be fixed over time. Amorphous
>> distributions such as Debian will no longer be notified first, and
>
> Why would anyone do that.
Read the IIS rationale for not contacting Apache.
For a different perspective, ask some folks who are involved in the
current IIS issue. There are many reasons nowadays to restrict
information to non-citizens.
I'm not saying that this is reasonable, but there will always be
people unable to make a rational, informed decision, and if things get
irrational, those without the big pockets tend to lose.
Anyway, the current way security issues are handled will last a year,
maybe two. I'm not sure in which direction it will evolve, either far
more anarchistic (unlikely), or completely regulated (very likely, I
smell a lot of money down that road).
> Debian is a bunch of amateurs true, but they happen to be a bunch of
> extremely professional amateurs when it comes to security.
I'm not in a position to judge this because the process is too closed.
But in general, they seem to do a good job, I agree.
> If you get it wrong stuff leaks, take a look at the latest CERT fiasco
I don't think things would have been different if the issues had been
revealed in a coordinated manner in June or July. You can't really fix
it anyway, and my Kerberos guru tells me that the community has known
for ages that Kerberos 4 was broken at the protocol level. Nobody was
bothered enough to write it down, though.
And CERT/CC deliberately leaks stuff to unrelated parties, you know.
This time, you just don't have to pay for it.
This archive was generated by hypermail 2b29 : Sun Mar 23 2003 - 22:00:45 EST