www/info
Martijn Klingens
klingens at kde.org
Tue Oct 8 23:12:31 BST 2002
On Tuesday 08 October 2002 23:44, Neil Stevens wrote:
> So is it KDE's policy not to warn users when the problem is found, but only
> to let people know that their systems are vulnerable when the fix is
> released?
I was already warned about the kghostview problem by a SuSE security
announcement as 'pending vulnerability'. The KPF one is new for me too.
Either way, I think it's better not to mention the bug to the general public
before the fix is there. This is common practice for _ANY_ software package,
regardless of vendor. Apache does this, PHP does this, Microsoft does this. I
can't think of a common package that does not, actually, unless there's a
pressing reason to do so (e.g. an exploit is already out in the wild).
As soon as the bug is known, exploits will appear. Better have the patch ready
too at the same time if there's no known exploit yet.
Did you notice that most security mailing lists don't publicly announce
problems before a patch is available either, to give vendors the time to fix
the bug first? Only if it takes too long or if the problem is urgent do they
tend not to adhere to this rule of thumb.
--
Martijn
More information about the kde-core-devel mailing list