On Wed, 8 Mar 2000, Yasholomew Yashinski wrote:
On Wed, 8 Mar 2000, Andreas Siegert wrote:
Could you please stop that useless discussion.
Discussing security announcements is useless discussion? Are you saying that on behalf of SuSE?
One would assume so.
This is just a replay of what people were discussing on bugtraq when it was still new. That's why the moderator of bugtraq kills those threads.
Some of us were not on bugtraq when it was new. Not all of us were using Linux, or even online then (bugtraq started '97 sometime?).
All arguments of all sides are already known. You are not going to convince anyone to change her/his view. You are just wasting bandwidth.
This does seem to imply that SuSE will not change its mind on this issue (regardless of their users' views). Just because you seem to be aware of both sides of the discussion, it isn't safe to assume everyone does.
What were the results of the bugtraq thread? Exploits are posted there as they are discovered. Perhaps if someone (yourself?) would make a stand
Exploits are NOT posted to bugtraq as they are discovered. I've spoken to Simple Nomad and will probably be mailing others; SN has told me that he too waits for vendors to release a patch (or gives them sufficient time to do so) before going public. It appears that it is common practice and, thanks to this thread, I am beginning to understand the reasoning behind doing so. I still don't totally agree with it tho.
on SuSE's take of the situation, the thread will be ended. In the meantime
I have spoken off list with Thomas from SuSE, and he was willing to answer the questions I had about their policy (complete with a diagram!) regarding bug fixes. If you're interested I could forward this to you.
we'll have to debate our opinions which hopefully have some reflection on the opinions of SuSE, as the vendor. As Linux makes itself mainstream, large corporations have identified that, and will have to choose a vendor to use. I believe SuSE to be the best option currently, I just hope they can maintain that standpoint for me. I would like to present a vendor to my employer that releases bleeding edge exploits. Calling a client's issues "useless" is hardly a professional way to react. I would recommend satisfying the customers' needs, and not making fun of their issues.
In defense of SuSE, this issue has been discussed under this thread for quite a while, and seems to be dying out, very little new ground is being covered. I think what was meant was that the _continuation_ of this discussion is useless. Perhaps on this list it is. Perhaps not. I for one am interested in continued research into this, to see what is happening, and why. Perhaps it might be a good point to refer those interested to your list, and have the discussion continued there? I'm not saying that this wasn't a good place to bring the topic up, but that perhaps it has gone its distance here. I agree with you that SuSE would be foolish not to listen to the views of its userbase (customers or otherwise), as I believe the GmbH (or similar) means they are a commercial entity and thus reliant upon its users. They also can't fail to be aware that there are hundreds of other distributions that would be perfectly willing to listen to the views of its users (Indy for example ;).
/cog