Hi,

On 2/20/07, Filip Hanik - Dev Lists <[EMAIL PROTECTED]> wrote:
> Yes, I can see a few folks doing this. But I believe most folks still get the updated binaries from their distribution source. For example, RedHat will apply the actual patch and rebuild for their distro; others will do the same.
Let RedHat get the patch and build whatever they want, whenever they want: that doesn't mean we have to do a binary release, much less wait for a stable one. Especially since they're going from source anyways. I also wasn't talking about "most folks" (though by the way, it's a long way from "I believe" to concrete data showing what "most folks" do). I was talking about those who are security-conscious and care about these vulnerabilities, many of which are highly theoretical in nature. Those people, in my experience, are considerably more savvy than our average user.
> You assume that companies know how to "patch" a release, build, etc. Some do, some don't. Some that do still prefer to get a binary.
See above.
> Really, I was under the impression that most bodies that report a security issue will not publish until you OK them to do so.
Definitely not. At most, they will give you a courtesy period after which they'll go ahead and publish, no matter whether you've had a release or not. When I did my research thesis on this topic, mining http://www.securityfocus.com/vulnerabilities for metadata, the majority of security issues announced to the public did not have a fix available, even in source code, much less a binary version, when the vulnerability was published. One can easily confirm this by checking out the entries on SecurityFocus.com or CVE and similar lists and correlating them to release dates in software packages that include a fix.
> For example, the security problem in the JDK was reported over a year before Sun actually released the fix. Only when Sun had a JDK version available was the vulnerability released. We're not talking weeks in this particular case, rather months.
A very unusual exception.
> And I would assume that most reporting bodies follow the same practices. Am I wrong?
Definitely. I spent a few months researching this very process ;)

Also remember, what I said is not that we can't do binary releases for security issues. It's perfectly fine to do these releases. All I'm saying is:

- It shouldn't be mandated that we have a *stable* binary release before the vulnerability is announced,
- The issue is likely to become public before a stable release is available,
- People who really care about security will apply the patch from source.

Yoav