> > Gene Spafford writes:
> > [...deleted...]
> > I'm also not trying to reopen the debate about full vs. partial vs. no
> > disclosure. I'd like to see some hard evidence for things, though,
> > and *not* debate. Even my experience has been anecdotal (but I
> > believe that it is more representative of the true user community than
> > these lists are). Statements to the effect that "policy X produces
> > patches faster than policy Y" should be backed up by testable data.
> > Otherwise, they fall in the category of faith healing, diet aids, and
> > sightings of Elvis -- the observer may believe it is true, but there
> > is no controlled way to demonstrate it to skeptical observers in a
> > general setting.
>
> Stating the obvious here, but we seem to be in the experiment now.
>
> With 8lgm in the past, going with full disclosure. One needs
> to recall how quickly sun/ibm came up with patches for published
> holes.

Change that to: "how quickly Sun came with not-working patches"

Note too that the patch that finally fixed the /var/spool/mail race
conditions appeared months after the last 8lgm advisory.

Casper