Secure Coding mailing list archives

Re: Computerworld op/ed on vulnerability patch cycle


From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Wed, 14 Apr 2004 17:36:45 +0100


Alexander Antonov wrote:

I believe the issue of automatic updates was already discussed on other security-related lists.


Yes, I agree, but that's not what I was commenting on specifically.  
Certainly, we've seen automatic patches for a few years now.  (And for 
many systems, e.g., desktop users, I believe that they're a good thing, 
in general.)


The column, however, advocates _slowing down_ the patch and distribution 
process so that all (subscribed) users of the product get the patch and 
install it more-or-less simultaneously.  In my view, that doesn't do 
much, if anything, to make matters better.  If anything, it punishes 
those that promptly install (after appropriate testing, no doubt) 
patches because it forces them to wait for the stragglers to catch up.


That said, I certainly agree with the column's notion that the current 
patching process that most product vendors use is not meeting our needs.


Cheers,

Ken van Wyk
http://www.KRvW.com
