www/info

Neil Stevens neil at qualityassistant.com
Tue Oct 8 23:14:19 BST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday October 08, 2002 03:12, Martijn Klingens wrote:
> On Tuesday 08 October 2002 23:44, Neil Stevens wrote:
> > So is it KDE's policy not to warn users when the problem is found, but
> > only to let people know that their systems are vulnerable when the fix
> > is released?
>
> I was already warned about the kghostview problem by a SuSE security
> announcement as 'pending vulnerability'. The KPF one is new for me too.
>
> Either way I think it's better not to mention the bug to the general
> public before the fix is there. This is common practice for _ANY_
> software package, regardless of vendor. Apache does this, PHP does this,
> Microsoft does this. I can't think of a common package that does not,
> actually, unless there's a pressing reason to do so (e.g. an exploit is
> already out in the wild).

Then users should be warned that some KDE developers will knowingly and 
willfully withhold information.

> As soon as the bug is known exploits will appear. Better have the patch
> ready too at the same time if there's no known exploit yet.
>
> Did you notice that most security mailing lists don't publicly announce
> problems before a patch is available either to give vendors the time to
> fix the bug first? Only if it takes too long or if the problem is urgent
> do they tend not to adhere to this rule of thumb.

I don't care what everyone else does.  In this context, I only care what 
KDE does.

- -- 
Neil Stevens - neil at qualityassistant.com
"The nearest I can make it out, 'Love your Enemies' means, 'Hate your
Friends'." - Benjamin Franklin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9o1i8f7mnligQOmERAv5kAJ9Ka3ay1R8rUn6gvuEhNwivDkjKsQCfYtpy
tYLt6Nbetq3bY4mZRS0jIR0=
=lE3y
-----END PGP SIGNATURE-----

More information about the kde-core-devel mailing list