On Sat, 3 Nov 2001, Peter Nixon wrote:
On Sat, 03 Nov 2001 21:23:55 +0900 Keith Hopkins wrote:
Greetings to those at linuxsecurity.com,
In regards to http://www.linuxsecurity.com/advisories/suse_advisory-1680.html, there is a note that read.... <<QUOTE>> The information about this problem was withheld from the public in coordination with other Linux vendors/distributors in order to give the distributors enough time to update their kernel packages. We find that this coordination is beneficial for the community, while we regret that the bug could not be fixed in time before the other distributor's kernel updates. <<ENDQUOTE>>
How dare you. I consider this to be a great disservice to the Linux community. Linux is not about the vendors/distributors. They are not the only ones out there with interests in security problems being fixed. By withholding information, you take away an untold number of eyes that could be looking at the problem. Some of those eyes may even be better equipped to handle the problems than the vendors/distributors themselves, and can do so in a more timely fashion. You have produced an unnecessary window of opportunity for malicious attacks against unprotected systems.
<flame> You, sir, are an idiot.
What we are talking about here is a pretty major bug in the Linux kernel. Linux is now a mainstream product that is used commercially in many major organisations. SuSE have done the responsible thing by giving the other commercial distributions a limited window in which to bring their distros up to date.
<snip ad hominem attack>
Feel free to speak again when you have something productive to offer </flame>
He did offer something productive. You flamed him for it. Linux security is NOT based on "commercial manufacturers" -- Microsoft's security is. Linux is not secure because bugs are hidden, ever. It is secure because when bugs become publicly known, there are hundreds of times more people who want to fix them than there are who want to develop exploits. While I agree that the choice of whether and how to reveal a bug is up to the person or people discovering it, every day it went unfixed because of you withholding information was another opportunity for a crack to be developed. When you held it back, maybe a few dozen people were working on it. Had you released it, a few hundred would have tried to exploit it -- which overwhelms the puny effort that distribution builders or any commercial providers can make -- but a few *thousand* would have tried to fix it first, which overwhelms the efforts of the crackers. Linux security is because of the community, not the distribution packagers. That is why it is better than commercial products, and only as long as it continues that way will it remain better than commercial products.
Bear