Open Source and information security mailing list archives
 
Message-ID: <200307200525.h6K5PKrB002062@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: GUNINSKI THE SELF-PROMOTER 

On Sat, 19 Jul 2003 22:43:36 EDT, "mattmurphy@...rr.com" <mattmurphy@...rr.com>  said:
> point.  You whine about two weeks to produce a patch from MS, and then you
> wait for an open source project to patch a bug for almost a month, they
> don't even start, and you still praise their project.  That's hypocrisy
> Georgi, no matter what you call it.

How about we factor in the budgets allocated to each of:

security@...rosoft.com
vim-security@...rever.it.lives

This is something that often gets overlooked in calls for liability for
software vendors - the fact that it's *really* difficult to write the laws such
that large commercial vendors have to take notice, but not make it
prohibitively risky to release open-source freeware.  There's nothing at all
"hypocritical" in holding a large vendor to a higher standard than a private
project - one can reasonably expect that Microsoft can find the resources to
have a security bug looked at within 24 hours.  On the other hand, a lot of
open source software is maintained by just one or two people.  Expecting 24-hour
responses there means that if you release open source software, you're
agreeing to never get sick, to never take a 4-day weekend to see a brother or
sister get married, or any of those other pesky things that interrupt when
you're busy having a life....

I'll just add in parenthetically that I've never seen a vim exploit that was
potentially able to remote-root exploit 95% of the computers in the world. One
needs to factor the severity into the expectations of response time. ;)

Now as to whether the 'vim' crew met whatever lower standard we should require
of them - *THAT* is a different can of worms I'm not going to open. :)

