Open Source and information security mailing list archives
Date: Mon, 09 Jul 2012 08:47:41 -0400
From: valdis.kletnieks@...edu
To: "Stefan Kanthak" <stefan.kanthak@...go.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: How much time is appropriate for fixing a bug?

On Sun, 08 Jul 2012 14:07:52 +0200, "Stefan Kanthak" said:
> The "industry" will (typically) not fix any error if the cost for fixing
> exceeds the loss (or revenue) that this fix creates, including the vendors
> gain/loss of reputation, gain/loss of stock value, loss of money in court
> cases or due to compensations, loss of (future) sales due to (dis-)satisfied
> customers, ...

Court cases? *Really*?  When was the last time you saw a court case about
defective COTS software?  You see the occasional squabble regarding bespoke
one-off developments, but your average shrink-wrapped EULA does a pretty good
job of absolving the vendor from all blame, no matter how egregious the error.
Oftentimes, they even manage to waive responsibility for the common-law
concepts of "merchantability" or "fitness for intended use".

> Joe Average can't tell the difference between a program which is designed,
> developed, built and maintained according to the state of the art, and some
> piece of crap that is not.

That's OK.  Those of us who do this for a living are *also* often hard-pressed
to find any notable difference between "state of the art" and "piece of crap",
as they're about as close as the two levels of a hyperfine transition of a cesium
atom.

