Date:      Tue, 15 Sep 2009 16:32:27 -0700 (PDT)
From:      James Phillips <anti_spam256@yahoo.ca>
To:        freebsd-questions@freebsd.org
Subject:   Re: freebsd-questions Digest, Vol 276, Issue 5
Message-ID:  <397697.56713.qm@web65504.mail.ac4.yahoo.com>
In-Reply-To: <20090915192353.08EFB1065696@hub.freebsd.org>



> 
> Message: 15
> Date: Tue, 15 Sep 2009 14:13:17 -0400
> From: Jerry <gesbbb@yahoo.com>
> Subject: Re: reporter on deadline seeks comment about reported
>     security bug in FreeBSD
> To: freebsd-questions@freebsd.org
> Message-ID: <20090915141317.7a41b042@scorpio.seibercom.net>
> Content-Type: text/plain; charset=US-ASCII
> 
> On Tue, 15 Sep 2009 13:18:29 -0400
> Bill Moran <wmoran@potentialtech.com> wrote:
> 
<SNIP!>
> 
> The fact is, that you do in fact notify me. Keeping important security
> information secret benefits no one, except for possibly those
> responsible for the problem to begin with who do not want the
> knowledge of the problem to become public. A multitude of software,
> such as Mozilla, publish known security holes in their software.
> The ramifications of allowing a user to actively use a piece of
> software when a known bug/exploit/etc. exists within it is grossly
> negligent.
>   

The important question is: known by whom?
Every reviewer brings their own bias and experience. The code has not been "proven correct," so there is no reason to assume that a Black-hat will find the same bug/exploit. If there are more than about 3 unknown exploits, they are more likely to find a different one.

IMO, Mozilla is a bad example. I've been bitten by (non-security) bugs going back to 1.5 or earlier. Disclosure: I still prefer Lynx.


<SNIP!>

> 




