Hi there,
Very interesting debate, it's the first time I'm noticing that opensource devoted people agree with the meaning of Microsoft: http://www.heise.de/newsticker/data/lab-18.10.01-000/
You should probably read this paragraph again. We _WILL_ post details about security-related fixes in update packages that we offer, it's just what we owe to the people who report the bugs. The fact that some information gets delayed for the sake of coordination has absolutely NOTHING to do with it.
Bravo, bravo.
This guy does need to sit in a corner! I feel you took the correct route by NOT announcing a major kernel bug to people that could exploit it BEFORE having a fix available, including any competitors having a fix or knowledge.
Generally, the experience in the past has proven that full disclosure is the best way to deal with security holes. This will not change, and it did NOT change this time either. It is not the first time that vendors and security professionals have coordinated not to go public with a hole unless everybody has the fixes, or at least has known of them for a certain time. This is a _regular_ procedure. On the other hand, it's "fire when ready" if a bug is known to the public already.

If people want to have these details communicated to the public at the same time as the vendor knows about this, then our section 3) of the announcements is useless. We want people to report security bugs to the security contact address, and we want to have the bugs fixed before it gets known to the public, just because we have some kind of responsibility to the people who pay bucks for a box. We communicate these bugs to the rest of the distributing vendors and to the authors, where necessary. You could do that all on your own, but I guess that it might be easier for you and the rest of the world if you just apply an rpm command, don't you think?

This time, the bug has only been known to the Linux vendors and some few sec specialists, because it was reported to and fixed by SuSE people (Andi Kleen). SuSE security benefits from the close and direct communication between the vendors, as much as the others benefit from the communication with us. If we had published details about the hole in our announcement on October 26th, people would have eaten SuSE alive. Fact is now that some few people start complaining now that a bug has been fixed that hasn't been known earlier in the public.

It's not a privilege that the bugs get reported to us. It's work.

Roman.

--
 - -
| Roman Drahtmüller <draht@suse.de>     // "You don't need eyes to see,
| SuSE GmbH - Security        Phone:    //  you need vision!"
| Nürnberg, Germany    +49-911-740530   //  Maxi Jazz, Faithless
 - -