Hi there,
Very interesting debate, it's the first time I'm noticing that open-source-devoted people agree with Microsoft's view: http://www.heise.de/newsticker/data/lab-18.10.01-000/
You should probably read this paragraph again. We _WILL_ post details about security-related fixes in update packages that we offer, it's just what we owe to the people who report the bugs. The fact that some information gets delayed for the sake of coordination has absolutely NOTHING to do with it.
Bravo, bravo.
This guy does need to sit in a corner! I feel you took the correct route by NOT announcing a major kernel bug to people that could exploit it BEFORE having a fix available, including any competitors having a fix or knowledge.
Generally, the experience in the past has proven that full disclosure is
the best way to deal with security holes.
This will not change, and it did NOT change this time either.
It is not the first time that vendors and security professionals have
coordinated not to go public with a hole unless everybody has the fixes,
or at least has known of them for a certain time. This is a _regular_
procedure. On the other hand, it's "fire when ready" if a bug is known to
the public already.
If people want to have these details communicated to the public at the
same time as the vendor knows about this, then our section 3) of the
announcements is useless. We want people to report security bugs to the
security contact address, and we want to have the bugs fixed before it
gets known to the public, just because we have some kind of responsibility
to the people who pay bucks for a box. We communicate these bugs to the
rest of the distributing vendors and to the authors, where necessary. You
could do that all on your own, but I guess that it might be easier for you
and the rest of the world if you just apply an rpm command, don't you
think?
This time, the bug has only been known to the Linux vendors and some few
sec specialists, because it was reported to and fixed by SuSE people (Andi
Kleen). SuSE security benefits from the close and direct communication
between the vendors, as much as the others benefit from the communication
with us. If we had published details about the hole in our announcement on
October 26th, people would have eaten SuSE alive.
The fact is that some few people are now complaining that a bug has been
fixed that hadn't been publicly known earlier. It's not a privilege
that the bugs get reported to us. It's work.
Roman.
--
| Roman Drahtmüller