On Tue, 07 Mar 2000, you wrote:
> So I tell you that you should use qmail because the latest sendmail is crackable. Is this true, or am I just spreading FUD? An exploit allows admins to try it on their systems. I don't care if it is FUD or not. I only react to those mails originating from SuSE or the real vendors of the programs. These are of course the parties that need the exploits to verify the bug, and then send the _official_ security issues.

No. What was the average RedHat response time? 10 days or something? From publication of the bug to patch. (Microsoft was 14 or 16 days or something.) I don't want to wait 10 days for that information. I want to read it when the bug is discovered. I want to be able to shut down the daemon, and/or patch it, within 24 hours of the publication.

> If you find a bug, let the authors know first. If this does not work, then stop using their product, maybe make your own.

So, when I find the bug, I should send a notice to the author, and say nothing to the thousands of users of the product? Letting them live with a vulnerable server? No way. They have the right to know.

> And if the time taken by this process is an issue, think whether you are really the first to know about the bug anyway.

You cannot know that for sure.

> If you find out that door locks can be picked, you should not go out and nail up posters telling _how_ it can be done, but you should inform the makers of the locks and the shops that sell them, who contact the customers. Or so I think I would do.

Yes I should. I should tell it to everyone, so that people change their locks ASAP.

> No, because 'this kind of public' seems to be backstabbing you. Why not ask first and fire the shotguns later?

It's got nothing, NOTHING to do with backstabbing. It's got everything to do with *informing the public*. If it feels like backstabbing to the programmer, bad for him. That's his problem. I don't want thousands of users of the program to be vulnerable, just to protect the programmer's back.

-- 
"Rune Kristian Viken" <arcade@kvinesdal.com> / arcade@irc (EFnet/IRCnet)
Kvinesdalsnett System Administrator (http://arcade.kvinesdal.com/)