[292] in bugtraq
Re: In reply to comments about new policy
daemon@ATHENA.MIT.EDU (Richard Huddleston)
Fri Dec 2 02:07:13 1994
From: Richard Huddleston <reh@wam.umd.edu>
Date: Wed, 30 Nov 1994 22:57:17 -0500
To: belal@sco.COM, bugtraq@fc.net
> I know I shouldn't say anything, but...
Me, either, but someone besides Pat is going to have to say it or Gene will
consider the well to have already been poisoned.
> I had a frustrating exchange with Karl right before they released that
> set of alerts. We (SCO), having been informed by 8LGM of their intentions
> to post, were frantically working on getting together a patch set. 8LGM
> refused to delay their disclosure to allow us to have a fix ready.
Aside from it not being much of a disclosure:
I would like to formally consider these comments as some of the evidence
that Gene Spafford would like to see, regarding the benefits of a measured
and responsible, but eventually full, disclosure. In fact, it appears that
only the threat of exposure finally goaded SCO (who we might easily regard
as a typical vendor, I think) into action:
> I haven't yet figured out where I stand in the disclosure debate. I
> don't know if I'll ever develop a firm opinion. But I find it extremely
> rude on the part of 8LGM to tell us about bugs, then refuse to give us
> time to fix them.
According to your comments below, however, it seems like SCO had plenty of
time--if SCO had taken the matter seriously. The management technique is
called 'selective procrastination' (don't do anything that requires use of
a resource until you absolutely positively have to).
In all fairness, however, some of the comments that followed (which I decided
not to include, in the interest of brevity) are clearly evidence that the
threat of disclosure rushes bad patches to market. But all in all, I think
the apparently quite candid comments demonstrate how a vendor will sit on
its ass until absolutely forced to do something. As long as the holes are
a secret, with any break-ins reported to the great Black Hole that is CERT,
we can probably take SCO's lack of pro-active handling of bugs as typical.
> I'm not trying to make excuses for SCO: 8LGM did tell us about these
> bugs quite a while ago (though in inconsistent fashion). We were
> slacking; we'd had more than enough time to produce fixes. We didn't
> really start working on it until they said they were going to post the
> advisories. (That is, we'd checked fixes into future sources, but
> hadn't gone back to create binaries that would be compatible with our
> shipping products). We started working in earnest on a set of fixes
> [....]
Richard
--
Richard Huddleston <> Switch off the mind and let the heart decide
University of Maryland <> who you were meant to be
CMSC/ANTH <> flick to remote and let the body glide
<> There is no enemy! (Thomas Dolby)