From: measl at mfn.org (J.A. Terranson)
Subject: Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a good idea anymore...


On Sat, 12 Mar 2005, joe wrote:

> I didn't see Tamas' original note but this program isn't an early patch
> release program. It is a program for beta testing patches just like the
> other betas MS and other companies do. It is simply locked down
> considerably more due to the possible issues surrounding it. The patches
> could definitely change prior to actual public launch.

Nevertheless, you and I both know that this program will be used as an
early patch release program, and will in fact serve as such once the
soon-to-be-released patches are finalized on these preliminary machines.


> As such, the patches aren't intended to be loaded on production equipment

HahahahAHAHAHahahhaAAhhAahahaha!!!!  Microsoft?  Not intended for
production machines???

ROFL!

> and in fact it is explicitly stated to not load it in production if I
> recall correctly. The intent is for external customer test labbing to find
> the most egregious issues and functionality breaks they may cause so it
> doesn't impact the user community at large. The folks brought into the beta
> are the ones most likely to test the patches on a wide variety of scenarios.

As someone who has seen this program from the inside, I am here to tell
you you are WRONG.  That's spelled W-R-O-N-G, just in case you were not
sure.

These programs MAY have as input large "shops" which can help test, but it
also includes "priority" customers (Govt, the critical 8 in
infrastructure, etc.), most of whom will *never* provide any feedback data
to the patch supplier.

> Unlike many of the other betas, you have an actual testing and feedback
> requirement and have to agree to that requirement before being allowed in.

Then we are talking about different programs.  There ARE early release
programs, and this reads as one.

> I
> previously was a consultant at a large company that was asked if they wanted
> to be in this program and we declined because we couldn't handle the
> additional workload that it required as a participant. We just didn't have
> the resources available.

OK, let's assume that this is a different program.  I stand by my assertion
that an early patch release program that caters solely to government and
the critical 8 is good public policy (and currently implemented).

> Here is a link that maybe makes the test nature a little more clear
>
> http://www.internetnews.com/security/article.php/3489586



-- 
Yours,

J.A. Terranson
sysadmin@....org
0xBD4A95BF

"Quadriplegics think before they write stupid pointless
shit...because they have to type everything with their noses."

	http://www.tshirthell.com/

