Bugtraq mailing list archives

Re: In reply to comments about new policy


From: reh () wam umd edu (Richard Huddleston)
Date: Wed, 30 Nov 1994 22:57:17 -0500


        I know I shouldn't say anything, but...

Me, either, but someone besides Pat is going to have to say it or Gene will
consider the well to have already been poisoned. 
        
        I had a frustrating exchange with Karl right before they released that
        set of alerts.  We (SCO), having been informed by 8LGM of their intentions
        to post, were frantically working on getting together a patch set.  8LGM
        refused to delay their disclosure to allow us to have a fix ready.

Aside from it not being much of a disclosure: 

I would like to formally consider these comments as some of the evidence 
that Gene Spafford would like to see, regarding the benefits of a measured
and responsible, but eventually full, disclosure.  In fact, it appears that
only the threat of exposure finally goaded SCO (who we might easily regard
as a typical vendor, I think) into action: 
        
        I haven't yet figured out where I stand in the disclosure debate.  I
        don't know if I'll ever develop a firm opinion.  But I find it extremely
        rude on the part of 8LGM to tell us about bugs, then refuse to give us
        time to fix them.

According to your comments below, however, it seems like SCO had plenty of
time--if SCO had taken the matter seriously.  The management technique is
called 'selective procrastination' (don't do anything that requires use of
a resource until you absolutely positively have to). 

In all fairness, however, some of the comments that followed (which I decided
not to include, in the interest of brevity) are clearly evidence that the
threat of disclosure rushes bad patches to market.  But all in all, I think
the apparently quite candid comments demonstrate how a vendor will sit on
its ass until absolutely forced to do something.  As long as the holes are
a secret, with any break-ins reported to the great Black Hole that is CERT,
we can probably take SCO's lack of pro-active handling of bugs as typical. 
        
        I'm not trying to make excuses for SCO: 8LGM did tell us about these
        bugs quite a while ago (though in inconsistent fashion).  We were
        slacking; we'd had more than enough time to produce fixes.  We didn't
        really start working on it until they said they were going to post the
        advisories.  (That is, we'd checked fixes into future sources, but
        hadn't gone back to create binaries that would be compatible with our
        shipping products).  We started working in earnest on a set of fixes

        [....] 

Richard 

--
Richard Huddleston      <>  Switch off the mind and let the heart decide 
University of Maryland  <>  who you were meant to be 
CMSC/ANTH               <>  flick to remote and let the body glide 
                        <>  There is no enemy!            (Thomas Dolby) 
