
Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994

daemon@ATHENA.MIT.EDU (Gene Spafford)
Mon Nov 28 03:29:23 1994

To: Dave Brookshire <david@irc.umbc.edu>
Cc: "[8LGM] Security Team" <8lgm@bagpuss.demon.co.uk>, bugtraq@fc.net
In-Reply-To: Message from Dave Brookshire <david@irc.umbc.edu>  of
    "Sun, 27 Nov 1994 23:55:39"
    <Pine.SGI.3.90.941127235027.7257B-100000@manray.irc.umbc.edu> 
Date: Mon, 28 Nov 1994 02:20:39 -0500
From: spaf@cs.purdue.edu (Gene Spafford)


> I think that the biggest pro of full disclosure is that it gets people
> off their butts and gets a good solution or patch that much faster.

I have yet to see evidence of this.  Based on my conversations with personnel
at various computer companies, the only thing full disclosure seems to do is
(sometimes) encourage them to release bug fixes without quite as much testing.
This sometimes leads to patches that don't completely fix the problem.  That
is not a "good solution."

If anyone can provide me with verifiable evidence that full disclosure results 
in faster production of patches of good quality, I would be very interested in 
seeing it.  Otherwise, it's just wishful thinking.

--spaf