[260] in bugtraq
Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994
daemon@ATHENA.MIT.EDU (Casper Dik)
Tue Nov 29 23:42:08 1994
To: Paul Howell <grue@engin.umich.edu>
Cc: bugtraq@fc.net
In-Reply-To: Your message of "Mon, 28 Nov 1994 13:32:52 EST."
<199411281832.NAA16036@cyclorama.engin.umich.edu>
Date: Tue, 29 Nov 1994 10:17:47 +0100
From: Casper Dik <casper@fwi.uva.nl>
>
>Gene Spafford writes:
> > [...deleted...]
> > I'm also not trying to reopen the debate about full vs. partial vs. no
> > disclosure. I'd like to see some hard evidence for things, though,
> > and *not* debate. Even my experience has been anecdotal (but I
> > believe that it is more representative of the true user community than
> > these lists are). Statements to the effect that "policy X produces
> > patches faster than policy Y" should be backed up by testable data.
> > Otherwise, they fall in the category of faith healing, diet aids, and
> > sightings of Elvis -- the observer may believe it is true, but there
> > is no controlled way to demonstrate it to skeptical observers in a
> > general setting.
>
>Stating the obvious here, but we seem to be in the experiment now.
>
>With 8lgm in the past, going with full disclosure. One needs
>to recall how quickly sun/ibm came up with patches for published
>holes.

Change that to: "how quickly Sun came up with not-working patches"

Note too that the patch that finally fixed the /var/spool/mail
race conditions appeared months after the last 8lgm advisory.

Casper