Glen Overby (email@example.com)
13 Nov 88 22:39:22 GMT
In article <firstname.lastname@example.org.PITTSBURGH.EDU> email@example.com (Sean McLinden) writes:
>It is clear from Rick Adams' comments that 'not wanting to tip anyone off'
>is no excuse. Even binary-only sites can be protected fairly rapidly if
>the appropriate channels are used.
This sort of thing has been a pretty big issue lately, so I thought I'd chip
in a few comments. If information about bugs (or, should I say,
"misfeatures") in Unix (or really any OS) should not be publicly disclosed to
protect those who either do not or can not repair them, then HOW should
such "classified" information be distributed to those who want/need it, and
can and will fix the holes?
Not but a few weeks ago there was a "discussion" on one of the news.* groups
about the Security mailing list (there are two of them, but that's irrelevant
here) which is restricted to "trusted" people (those who are "root" on a
"major machine" -- whatever that means). Now, if information about security
bugs is too risky for distribution among that elite group of "system gods",
then should that information be exchanged over network mail systems at all?
(e.g. to 4bsd-bugs@ucbvax).
I think all of this sort of information should be distributed at least over
the private security forum; vendor releases just aren't frequent enough to
fix these problems in a timely manner.