Henning Makholm wrote:
> As a random data point, take DSA-1116 (a buffer overrun with no known
> exploit, in a quite popular piece of desktop software), where I happen
> to have a timeline:
>
> July 1  - reported privately to security team, with patch
> July 6  - bug goes public through upstream's BTS, Debian bug filed
> July 7  - upstream releases fixed version
> July 7  - fixed in NMU to unstable
> July 13 - bug reaches front of security team's attention queue.
>           DSA and update to sarge prepared, but is stalled by some
>           buildd problem on a minor architecture.
> July 18 - fix propagates from unstable to testing
> July 21 - fixed in sarge, DSA released
You know, that's not actually that bad.  Significantly better than before the security team.  Way better than Microsoft!

> It is not my point to criticize the security team; I have no reason to
> think they are not doing an absolutely fantastic job within the
> externally-imposed constraints of volunteer work, unstable supplies of
> free time in which to do the work, donated autobuilder machines spread
> around the world and run by a different set of volunteers, and so on
> and so forth.
>
> But it is also clear that a business which makes it a strategic
> priority to compete on the timeliness of security updates *could* well
> provide some real value over our stable and testing suites here, even
> - as in this case - when we have a 5-day head start. Whether the
> company in question *is* actually such a business or it is just making
> empty promises, can of course not be discerned just by reading their
> ad.

-- 
Nathanael Nerode <[EMAIL PROTECTED]>
Bush admitted to violating FISA and said he was proud of it.
So why isn't he in prison yet?...