From owner-freebsd-security  Fri May 17 19:29:25 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id TAA12256
          for security-outgoing; Fri, 17 May 1996 19:29:25 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id TAA12249;
          Fri, 17 May 1996 19:29:20 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with SMTP id TAA08771; Fri, 17 May 1996 19:28:58 -0700 (PDT)
To: kduling@natasha.scccc.com (Kevin J. Duling)
cc: owner-freebsd-security@freefall.freebsd.org (Glen Foster),
        coredump@nervosa.com, freebsd-security@freebsd.org
Subject: Re: very bad 
In-reply-to: Your message of "Fri, 17 May 1996 10:16:36 MDT."
             <199605171616.KAA15759@natasha.scccc.com> 
Date: Fri, 17 May 1996 19:28:57 -0700
Message-ID: <8769.832386537@time.cdrom.com>
From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> If you don't announce the bugs, then the crackers learn them while the
> admins are left in ignorance.  You're not going to find a forum where
> you know you're only telling "the right people" about the problem.

I don't disagree in principle, but I still think that a slavish
adherance to either a "don't tell anything" or "tell everyone"
philosophy is a mistake, and each situation should be handled on a
case by case basis.  In some cases you're informing the populace of a
very important piece of information and in others you're simply
handling the baby a blasting cap to play with.

					Jordan