November is officially renamed as "tick off Dave Jones"...

Bruno Wolff III bruno at wolff.to
Thu Nov 2 10:55:16 UTC 2006


On Wed, Nov 01, 2006 at 23:30:01 -0500,
  Jesse Keating <jkeating at redhat.com> wrote:
> On Wednesday 01 November 2006 23:23, Peter Gordon wrote:
> > I, for one, think that this is a great idea. Finding and fixing bugs in
> > something as critical as the kernel (especially the filesystem code as I
> > understand their page) is a definite plus.
> 
> Finding the bugs is great, however reporting security flaws to vendor-sec and 
> allowing vendors to coordinate in releasing the right fix at the same time is 
> better for the end users and community.  Just dumping a new vulnerability a 
> day to public space is just creating chaos.  Vendors will scramble to fix the 
> flaw, different patches will be used, updates will be rushed out, etc...

Not everyone agrees with that stance. There is another view that letting
everyone know at once lets sysadmins do mitigation sooner than if they
waited for the vendors to simultaneously release updates.

However, sitting on bugs (so as to release one a day) without notifying
vendors or the public is not a nice thing to do.




More information about the fedora-test-list mailing list