Bugtraq mailing list archives

Re: In reply to comments about new policy


From: belal () sco COM (Bela Lubkin)
Date: Wed, 30 Nov 1994 18:24:56 -0800


I know I shouldn't say anything, but...

I had a frustrating exchange with Karl right before they released that
set of alerts.  We (SCO), having been informed by 8LGM of their intentions
to post, were frantically working on getting together a patch set.  8LGM
refused to delay their disclosure to allow us to have a fix ready.

I haven't yet figured out where I stand in the disclosure debate.  I
don't know if I'll ever develop a firm opinion.  But I find it extremely
rude on the part of 8LGM to tell us about bugs, then refuse to give us
time to fix them.

I'm not trying to make excuses for SCO: 8LGM did tell us about these
bugs quite a while ago (though in inconsistent fashion).  We were
slacking; we'd had more than enough time to produce fixes.  We didn't
really start working on it until they said they were going to post the
advisories.  (That is, we'd checked fixes into future sources, but
hadn't gone back to create binaries that would be compatible with our
shipping products).  We started working in earnest on a set of fixes
when they told us they were going to post the advisories.  My complaint
is that after we told them this, they refused to delay the advisories
long enough for us to deliver those fixes.  (They have now been
delivered, in haste and poorly packaged).

I don't speak for SCO; this stuff isn't even my job.  I'm a strong
advocate of security and have been asking the company to produce
security fixes for a while now.  What 8LGM is doing helps me a lot:
makes it impossible for management to ignore the problem.  But they also
cause a lot of trouble and grief by being too inflexible.

Neil> Certain vendors feel under no pressure to provide
Neil> fixes at all, and have expected us to 'keep quiet'.

Are you referring to SCO?  At no time have I been speaking for SCO in
any official sense.  All my communications with 8LGM have been at my own
initiative.  When I was trying to get you to "keep quiet", I was only
trying to buy a little time -- which is exactly what I told you.

Bela<
