> > Karl Strickland wrote:
>
> Bela> This is ridiculous. You'd decline to install a security patch because
> Bela> you think not enough hackers know about the hole?
>
> Karl> One important point is, if you don't know what the hole is, you can't be
> Karl> sure it's fixed. Some people are more reluctant to take these things
> Karl> on trust, after seeing what happened with Sun's binmail patches.
>
> If the reader believes that the holes originally exist as stated and
> that SCO has made a good faith effort to fix them, it is sensible to
> install the fixes even if it eventually turns out that a narrower hole
> remains.

What if it turns out that they open an even bigger hole? I'm thinking of
binmail.

> It's analogous to a terminal cancer patient being told that he
> can try a promising but untested new drug -- except in this case it's
> cured all the lab rats, so the doctor has very high hopes for the drug.

You imply your patches go out without any testing :-)

> I suppose some readers could think the whole thing was an elaborate
> collaborative hoax between 8LGM and SCO to *introduce* Trojan horses...
> I can't help anyone who is that paranoid.

Is that *I* as in Bela or *I* as in SCO? (No disclaimer in this one.)

In the end vendors will do whatever they have to do to stay in business.
As users become more educated on security issues, they may decide that
they'd rather have vendors who take security seriously, fix bugs quickly
and are more open about the whole process. When these paranoid people
decide to vote with their chequebooks, maybe SCO, Sun, SGI, DEC and
everyone else will be a little more willing to help.

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk