On Wed, Oct 29, 2003 at 06:18:40PM +0100, Steve Clement wrote:
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| All this issue depends on how suspicious you are really.
|
| One could say that @stake waited till Panther 10.3 came out to release
| the Security alert and therefore push the sales of the new system. Or
| you could argue that it was an unlucky coincidence that with the new
| release there were quite a few security bugs appearing.

@Stake is being pretty up front that they are moving far away from
full-disclosure. Weld has been up-front and vocal about this shift and
the reasons for it.

It seems fairly clear that DaveG reported these issues to Apple (along
with many others over the past while), and for this subset of the DaveG
issues, Apple said "these are complex to fix, we'll get to them in the
next major release."

Which is roughly where we were 10 years ago in some ways: Vendors got
bug reports, and as much time as they wanted to fix the issues. If
there's independent rediscovery of issues (and I think for some of
these, that's likely), then customers are SOL as the issues are
exploited.

On the plus side, 10 years ago, vendors might have said "fixed security
issues," without enumeration or acknowledgment. So that's improved.

I think that announcing a set of security issues, and saying "the fix is
to upgrade your entire OS" is not a great disclosure strategy. If that's
@Stake's new plan, I would give the new OS 30-90 days before making the
announcements. But I believe that the general risk of independent
discovery of issues is substantial enough that this sort of long delay
from discovery to fix is a poor practice, and one that we as an industry
had been moving away from.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume