> Very interesting debate; it's the first time I'm noticing that open-source-devoted people agree with Microsoft's opinion: http://www.heise.de/newsticker/data/lab-18.10.01-000/ I think so, too. The particular bug that has been found is not really severe, as far as I understood it (you have to guess a 24-bit syncookie). I don't think that there was anything that spoke against full disclosure. What SuSE did was _maybe_ good from the commercial side, but absolutely not from the free and open source side. This makes me a bit sad :(
I'm sad, too. Some bug becomes known to person X at time A. X reports the bug to person Y, a kernel developer, at time B. Y has a fix at time C and communicates it to the distributors of the software. At time C, often in coordination with X and Y, the bug propagates through the security channels, along with the fix. If you cannot live with the fact that the time differences between A, B and C are non-zero, then you should begin programming your own operating system. And, more importantly, you had better not disclose the sources to anybody, because they might report some security bug. This is how it works, and it has proven to be successful over the last 6 years. So where is the problem?
> Markus
Roman.
--
- -
| Roman Drahtmüller