Re: [Full-Disclosure] Silent Fixes (was GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution)

[Anders B Jansson <hdw@kallisti.se>]

Leif Sawyer wrote:
> gabriel rosenkoetter writes:
>
> > [... blah blah ...] Hell, do we expect Linux or NetBSD
> > [ to tell us about every buffer overflow they fix? ]
>
> Yes, every freaking buffer overflow they fix is discussed.
> In fact, nearly every change made to the kernel is discussed
> at some point.  And it's all documented as to whom the person
> was what inserted the code in the first place, and who fixed it.
>
> Responsible?  Check.
> Open?  Check.
> The way it _should_ be?  Check.
>
> Caveat: I don't subscribe to any BSD lists, but I can infer that
>  they have a similar process in place.
It's on the lists, and here http://openbsd.org/plus.html

Just as it should, gives me as admin the data, and pointers to more 
data, I _need_ to decide when I should roll a new updated release.

_My_ systems, _my_ decision when and what to patch.

Son of Caveat: I don't how other *BSDs do it, but I'd be highly amazed 
if they didn't do it more or less the same way.
// hdw

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html