Re: Qpop CERT advisory?
- From: R E Wolff BitWizard nl (Rogier Wolff)
- To: esiewick digipro com (Edward Siewick)
- Cc: linux-security redhat com
- Subject: Re: Qpop CERT advisory?
- Date: Sat, 18 Jul 1998 12:10:49 +0200 (MEST)
Edward Siewick wrote:
> > What I can't believe is how long CERT advisories take to come out these
> > days. If I would have waited until I got this one before I patched the one
> > box I had that was affected I would have been hacked about 3 times.
>
> I have to wonder about the CERT announcement timing policy. Anybody know
> how they decide when to announce? At the least, there's a delay of days
> while the vendors are contacted with respect to patches and such. Usually,
> Sun has its act together; SCO is "looking into it" or "working on patches"
> or some other sort of vague comment.

CERT gives vendors some time to come up with a fix. By Linux standards
that's WAY too long. It is measured in weeks, if not months.

If someone finds a bug, and posts it to linux-security, we try to do
the same: Keep the lid on it for the vendors to find a fix. However
this time, the time will be measured in days (at most "till after the
weekend"). This does not happen if the bug has been published through
other means already. Then the message goes out ASAP.

This way, people who don't have the skills or time to find a fix
themselves are in a fair race with the bad guys to get the patch
installed. Otherwise the bad guys would get a head start.

Roger.
--
Actor asks a colleague: "To what do you owe your success in acting?"
Answer: "Honesty. Once you've learned how to fake that, you've got it made."
-------- Custom Linux device drivers for sale! Call for a quote. ----------
Email: R E Wolff BitWizard nl || Tel: +31-15-2137555 || FAX: +31-15-2138217