Bugtraq mailing list archives
Re: In reply to comments about new policy
From: reh () wam umd edu (Richard Huddleston)
Date: Wed, 30 Nov 1994 22:57:17 -0500
> I know I shouldn't say anything, but...

Me, either, but someone besides Pat is going to have to say it or Gene will consider the well to have already been poisoned.

> I had a frustrating exchange with Karl right before they released that set of alerts. We (SCO), having been informed by 8LGM of their intentions to post, were frantically working on getting together a patch set. 8LGM refused to delay their disclosure to allow us to have a fix ready.

Aside from it not being much of a disclosure: I would like to formally consider these comments as some of the evidence that Gene Spafford would like to see, regarding the benefits of a measured and responsible, but eventually full, disclosure. In fact, it appears that only the threat of exposure finally goaded SCO (who we might easily regard as a typical vendor, I think) into action:

> I haven't yet figured out where I stand in the disclosure debate. I don't know if I'll ever develop a firm opinion. But I find it extremely rude on the part of 8LGM to tell us about bugs, then refuse to give us time to fix them.

According to your comments below, however, it seems like SCO had plenty of time--if SCO had taken the matter seriously. The management technique is called 'selective procrastination' (don't do anything that requires use of a resource until you absolutely positively have to).

In all fairness, however, some of the comments that followed (which I decided not to include, in the interest of brevity) are clearly evidence that the threat of disclosure rushes bad patches to market. But all in all, I think the apparently quite candid comments demonstrate how a vendor will sit on its ass until absolutely forced to do something. As long as the holes are a secret, with any break-ins reported to the great Black Hole that is CERT, we can probably take SCO's lack of pro-active handling of bugs as typical.

> I'm not trying to make excuses for SCO: 8LGM did tell us about these bugs quite a while ago (though in inconsistent fashion). We were slacking; we'd had more than enough time to produce fixes. We didn't really start working on it until they said they were going to post the advisories. (That is, we'd checked fixes into future sources, but hadn't gone back to create binaries that would be compatible with our shipping products). We started working in earnest on a set of fixes [....]

Richard

--
Richard Huddleston      <>  Switch off the mind and let the heart decide
University of Maryland  <>  who you were meant to be
CMSC/ANTH               <>  flick to remote and let the body glide
                        <>  There is no enemy!  (Thomas Dolby)
Current thread:
- Re: In reply to comments about new policy Jas (Nov 29)
- <Possible follow-ups>
- Re: In reply to comments about new policy Richard Huddleston (Nov 30)
- Re: In reply to comments about new policy rick () msc cornell edu (Dec 01)