Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] SuSE Security Announcement - make-3.77
  • From: cogNiTioN <cognition@xxxxxxxxxxx>
  • Date: Wed, 8 Mar 2000 21:28:11 +0000 (GMT)
  • Message-id: <Pine.LNX.4.10.10003082053560.8739-100000@xxxxxxxxxxxxxxxxx>
On Wed, 8 Mar 2000, Yasholomew Yashinski wrote:

> On Wed, 8 Mar 2000, Andreas Siegert wrote:
>
> > Could you please stop that useless discussion.
>
> Discussing security announcements is useless discussion? Are you saying
> that on behalf of SuSE?

One would assume so.

> > This is just a replay of what people were discussing on bugtraq when it was
> > still new. That's why the moderator of bugtraq kills those threads.

Some of us were not on bugtraq when it was new. Not all of us were using
linux, or even online then (bugtraq started '97 sometime?).

> > All Arguments of all sides are already known. You are not going to convince
> > anyone to change her/his view. You are just wasting bandwidth.

This does seem to imply that SuSE will not change its mind on this issue
(regardless of their users' views).

Just because you seem to be aware of both sides of the discussion, it
isn't safe to assume everyone does.

> What were the results of the bugtraq thread? Exploits are posted there
> as they are discovered. Perhaps if someone (yourself?) would make a stand

Exploits are NOT posted to bugtraq as they are discovered, I've spoken to
Simple Nomad and will probably be mailing others, SN has told me that he
too waits for vendors to release a patch (or gives them sufficient time to
do so) before going public. It appears that it is common practice and,
thanks to this thread, I am beginning to understand the reasoning behind
doing so. I still don't totally agree with it tho.

> on SuSE's take of the situation, the thread will be ended. In the meantime

I have spoken off list with Thomas from SuSE, and he was willing to answer
the questions I had about their policy (complete with a diagram!)
regarding bug fixes. If you're interested I could forward this to you.

> we'll have to debate our opinions which hopefully have some reflection on
> the opinions of SuSE, as the vendor.
> As Linux makes itself mainstream, large corporations have identified
> that, and will have to choose a vendor to use. I believe SuSE to be the
> best option currently, I just hope they can maintain that standpoint for
> me. I would like to present a vendor to my employer that releases bleeding
> edge exploits.
> Calling a client's issues "useless" is hardly a professional way to
> react. I would recommend satisfying the customers' needs, and not making
> fun of their issues.

In defense of SuSE, this issue has been discussed under this thread for
quite a while, and seems to be dying out, very little new ground is being
covered. I think what was meant was that the _continuation_ of this
discussion is useless. Perhaps on this list it is. Perhaps not. I for one
am interested in continued research into this, to see what is happening,
and why.

Perhaps it might be a good point to refer those interested to your list,
and have the discussion continued there?

I'm not saying that this wasn't a good place to bring the topic up, but
that perhaps it has gone its distance here.

I agree with you that SuSE would be foolish not to listen to the views of
its userbase (customers or otherwise), as I believe the GmbH (or similar)
means they are a commercial entity and thus reliant upon its users. They
also can't fail to be aware that there are hundreds of other distributions
that would be perfectly willing to listen to the views of its users
(Indy for example ;).

/cog

