Message-ID: <200307200525.h6K5PKrB002062@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: GUNINSKI THE SELF-PROMOTER
On Sat, 19 Jul 2003 22:43:36 EDT, "mattmurphy@...rr.com" <mattmurphy@...rr.com> said:
> point. You whine about two weeks to produce a patch from MS, and then you
> wait for an open source project to patch a bug for almost a month, they
> don't even start, and you still praise their project. That's hypocrisy
> Georgi, no matter what you call it.
How about we factor in the budgets allocated to each of:

security@...rosoft.com
vim-security@...rever.it.lives

This is something that often gets overlooked in calls for liability for
software vendors - the fact that it's *really* difficult to write the laws such
that large commercial vendors have to take notice, but not make it
prohibitively risky to release open-source freeware. There's nothing at all
"hypocritical" in holding a large vendor to a higher standard than a private
project - one can reasonably expect that Microsoft can find the resources to
have a security bug looked at within 24 hours. On the other hand, a lot of
open source software is maintained by just one or two people. Expecting 24
hour responses there means that if you release open source software, you're
agreeing to never get sick, to never take a 4-day weekend to see a brother or
sister get married, or any of those other pesky things that interrupt when
you're busy having a life....

I'll just add in parenthetically that I've never seen a vim exploit that was
potentially able to remote-root exploit 95% of the computers in the world. One
needs to factor the severity into the expectations of response time. ;)

Now as to whether the 'vim' crew met whatever lower standard we should require
of them - *THAT* is a different can of worms I'm not going to open. :)