Debian attacker may have used new exploit

John Macdonald jmm-TU2q2He6PgRlD5gtYiU6kEEOCMrvLtNR at
Wed Dec 3 13:24:38 UTC 2003

On Wed, Dec 03, 2003 at 05:22:56AM -0500, JoeHill wrote:
> On Wed, 3 Dec 2003 00:22:29 -0500
> Chris Keelan <rufmetal-MwcKTmeKVNQ at> wrote:
> > Ask yourself: if this were a certain proprietary company, would this
> > news leak out so quickly, and would said organization publish a detailed
> > post-mortem as soon as one is available?
> There's no "if". Microsoft actually got seriously pissed recently when news of
> *seven* new vulnerabilities, two of them critical, was released to the general
> public rather than being privately and secretly notified themselves.

That's a different matter and worthy of everyone being
pissed.  Anyone finding a new vulnerability should
notify the owner of the code and give them some time
to find a cure before making a public announcement.
For an open source project, the original notification
will be partially public, but you still should not
try to make the news widely public until there has
been adequate time to find a fix and distribute it.
(Proprietary source products often require a longer
period of time for that process to be carried out.)
After the period of time is up, then announcing
the vulnerability is fine (and if the code owner
has wasted the time and not arranged a fix to be
distributed widely enough, it rightly looks bad
on them).
The Toronto Linux Users Group.      Meetings:
TLUG requests: Linux topics, No HTML, wrap text below 80 columns