Holger Freyther freyther at gmx.net
Wed Oct 9 00:21:23 BST 2002

On Wednesday 09 October 2002 00:14, Neil Stevens wrote:
> On Tuesday October 08, 2002 03:12, Martijn Klingens wrote:
> > On Tuesday 08 October 2002 23:44, Neil Stevens wrote:
> > > So is it KDE's policy not to warn users when the problem is found, but
> > > only to let people know that their systems are vulnerable when the fix
> > > is released?
> >
> > I was already warned about the kghostview problem by a SuSE security
> > announcement as 'pending vulnerability'. The KPF one is new for me too.
> >
> > Either way I think it's better not to mention the bug to the general
> > public before the fix is there. This is common practice for _ANY_
> > software package, regardless of vendor. Apache does this, PHP does this,
> > Microsoft does this. I can't think of a common package that does not,
> > actually, unless there's a pressing reason to do so (e.g. an exploit is
> > already out in the wild).
> Then users should be warned that some KDE developers will knowingly and
> willfully withhold information.
> > As soon as the bug is known exploits will appear. Better have the patch
> > ready too at the same time if there's no known exploit yet.
> >
> > Did you notice that most security mailing lists don't publicly announce
> > problems before a patch is available either to give vendors the time to
> > fix the bug first? Only if it takes too long or if the problem is urgent
> > they tend not to adhere to this rule of thumb.
> I don't care what everyone else does.  In this context, I only care what
> KDE does.
nice......... I'm lacking words... (i18n_rev("Mir fehlen echt die Worte") )

Holger 'zecke' Freyther
Project OPIE- the Open Palmtop Integrated Environment
http://opie.handhelds.org | http://www.opie.info (german)
IRC: irc.freenode.net #opie #opie.de