At some point hitherto, Chuck Young hath spake thusly:

> To me this would mean letting the developers know first and then
> telling the user community immediately afterwards, as you never
> really know if you are the only one who knows about a new
> vulnerability at a given point in time, and some developers simply
> will not fix software unless poop is publicly smeared on them.
> Perhaps this way everyone is treated equally (more or less).

This is precisely why many people advocate not bothering to notify
the vendors first. Personally, in *principle* I advocate notifying the
vendor, and waiting at least a week to let them produce a fix before
announcing it publicly. However, in practice, I've been on Bugtraq too
long to think this actually accomplishes anything, in most cases.

In a few cases, mostly with free software like Apache, the "vendor" is
very conscientious and produces a fix immediately. In many, many cases
the vendor is notified, and months go by without even the hint of a
fix. The majority seem to do nothing until they are embarrassed
publicly, and some *still* do nothing even after that point.

Also, for every scrupulous security outfit who waits, there is another
who will not. Finally, whether any of us like it or not, market forces
do impact security outfits, and there is a pressure to be the first to
disclose a bug. This is how security companies gain notoriety, which
impacts their ability to bring in customers. This is unfortunate, but
it's a fact.

So, when you add up all the factors, I have a very difficult time
finding fault with those who choose not to wait to disclose.

I do agree with your final thoughts though; the Apache team is truly
awesome. And technology can't keep people from screwing up, or worse
yet, intentionally doing harm.

Now I'll take this opportunity to repeat my favorite periodic PSM:

Please, please, please! When replying to posts on the list, take a
moment to trim your replies. No one needs you to quote a whole message
that's already appeared on the list. We're all already subscribed;
we've already seen the message. If we /did/ miss it, there are list
archives for us to refer to. Please limit quoting to a reasonable
minimum to provide context, for the purpose of promoting clarity and
understanding. The rest is just a waste of our time and bandwidth.

Clarity is improved when you quote that to which you are referring
immediately before your comments on it. Some clients, especially
Microsoft Outlook, default to a braindead form of quoting which makes
this difficult. You can configure Outlook to behave more reasonably,
such as to be more friendly and compatible with non-Microsoft mail
clients, by following the directions here:

http://www.lemis.com/email/fixing-outlook.html

Thanks

-- 
Derek Martin
ddm@pizzashack.org
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org