On 02/12/2021 03:24, Michael Everitt wrote:
> On 01/12/2021 16:26, Sebastian wrote:
>> Dear Dom,
>>
>>>> Looks like this has been fixed since Debian 10 'Oldstable' Buster, so
>>>> I shouldn't imagine anyone on this mailing list is affected :)
>>> To be honest, I think it's a valid post to make, it could be some
>>> people are still on older versions of Debian. One of my servers is
>>> on the latest, sure.
>> I think you are unique on this list with your penchant for
>> millennium-edition software, but I'll take your point! :D
>>
>> The Debian security team can surely be afforded some praise here. They
>> recently published their 5000th security advisory (in openjdk, for
>> those interested), and the bugs are nearly always fixed in a matter of
>> days.
>>
>> Best wishes,
>>
>> Sebastian
>>
> My experience of computer 'security' teams (Gentoo specifically) is that any
> discussion of a security issue is usually embargoed until there is a fix available.
> And once that fix is pushed live, then the security announcement follows. In some
> cases, this can delay exposure of a vulnerability, but you can see why generally,
> this is better practice than the reverse (hopefully!) ...
>
> veremitz/Michael.
>

Fully concur with embargo until fixed, to avoid easy misuse of fault, not just in software.

However in hardware, e.g. engines / oil rigs, full publicity of a fault should be made immediately to save lives. Think suppression of cold altering elastomers which caused the Challenger disaster.

--
regards
Eion MacDonald

--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq