Bugtraq: Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994

[casper () fwi uva nl (Casper Dik)]

> Gene Spafford writes:
> > [...deleted...]
> > I'm also not trying to reopen the debate about full vs. partial vs. no
> > disclosure.  I'd like to see some hard evidence for things, though,
> > and *not* debate.  Even my experience has been anecdotal (but I
> > believe that it is more representative of the true user community than
> > these lists are).  Statements to the effect that "policy X produces
> > patches faster than policy Y" should be backed up by testable data.
> > Otherwise, they fall in the category of faith healing, diet aids, and
> > sightings of Elvis -- the observer may believe it is true, but there
> > is no controlled way to demonstrate it to skeptical observers in a
> > general setting.
> Stating the obvious here, but we seem to be in the experiment now.
>
> With 8lgm in the past, going with full disclosure.  One needs
> to recall how quickly sun/ibm came up with patches for published
> holes.
Change that in: "how quickly Sun came with not-working patches"
Note too that the patch that finally fixed the /var/spool/mail
race conditions appeared months after the last 8lgm advisory.


Casper