D. J. Bernstein -> bugtraq@xxxxxxxxxxxxxxxxx @ 18 Dec 2004 04:25:11 -0000:

 >> In each case, Professor Bernstein notified the author of the
 >> vulnerable package on Dec 15 via e-mail. This mail hit Bugtraq on the
 >> 16th, giving one day for vendors to provide fixes.

 DJB> Actually, I sent all of these notifications to the public
 DJB> securesoftware mailing list (http://securesoftware.list.cr.yp.to)
 DJB> at the same time that I sent them to the authors. It certainly
 DJB> wasn't my intention to give the authors an extra day of
 DJB> self-delusion.

Was it your intention not to give _users_ of their programs extra time of
not being _widely_ attacked?

While you certainly cannot offer them alternative software for their tasks -
of your own programs only ezmlm with third-party patches is more than a proof
of concept. We need software that does the work, not only one that
demonstrates that the work can be done in principle.

-- 
Artem Chuprina
RFC2822: <ran{}ran.pp.ru> Jabber: ran@xxxxxxxxxxxxxxxx