[231] in bugtraq


Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994

daemon@ATHENA.MIT.EDU (Paul Howell)
Mon Nov 28 16:46:12 1994

To: spaf@cs.purdue.edu (Gene Spafford)
Cc: "Jonathan M. Bresler" <jmb@kryten.Atinc.COM>,
        Dave Brookshire <david@irc.umbc.edu>,
        "[8LGM] Security Team" <8lgm@bagpuss.demon.co.uk>, bugtraq@fc.net
In-Reply-To: Your message of Mon, 28 Nov 1994 10:46:29 -0500.
Date: Mon, 28 Nov 1994 13:32:52 -0500
From: Paul Howell <grue@engin.umich.edu>


Gene Spafford writes:
 > [...deleted...]
 > I'm also not trying to reopen the debate about full vs. partial vs. no
 > disclosure.  I'd like to see some hard evidence for things, though,
 > and *not* debate.  Even my experience has been anecdotal (but I
 > believe that it is more representative of the true user community than
 > these lists are).  Statements to the effect that "policy X produces
 > patches faster than policy Y" should be backed up by testable data.
 > Otherwise, they fall in the category of faith healing, diet aids, and
 > sightings of Elvis -- the observer may believe it is true, but there
 > is no controlled way to demonstrate it to skeptical observers in a
 > general setting.

Stating the obvious here, but we seem to be in the experiment now.

With 8lgm in the past going with full disclosure, one needs
to recall how quickly Sun/IBM came up with patches for published
holes.

Start the clock, then compare and contrast with how quickly the
latest flaws are fixed.

< Paul
