Re: Security mailing list


John B. Nagle (glacier!jbn@labrea.stanford.edu)
14 Nov 88 17:03:43 GMT


      I suggest that the security mailing list be posted to a newsgroup,
but with a 60-day delay. Sites and vendors serious about security will either
have fixed any problem by that time, or they probably aren't going to fix it
at all. This insures that a false sense of security is not engendered among
system administrators, yet allows a reasonable time for closing newly discovered
problems.
      General knowledge of that 60-day timer will tend to accelerate efforts
by vendors to fix problems, I would suspect.

      Why 60 days? A monthly update service would be enough to keep systems
operating with the latest security fixes. 30 days would require biweekly
updates to stay current, which is a bit frequent. Much longer than 60 days,
and the pressure would be off on fixing holes.

                                        John Nagle



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:30 GMT