PGP 8.0 released today

Olaf Gellert
Thu Dec 5 10:37:01 2002


> And when you find a bug you have to report it to them only, and are only
> allowed to publish it openly 30 days after you report it to them. So since
> you are officially (unofficially you change it yourself of course when you
> know how, AND when they release the complete source) not allowed to
> distribute any changed versions they want 30 days security by obscurity. :-(

Well, this seems to become the industry standard as Microsoft
suggested. Even ISS seems to stick to the 30 days, as presented
in their new policy for publishing information about security
holes. I think 30 days is quite a long time, but there HAS
to be some time for the developers to fix the bug before
anyone tries to develop exploits. Just think of the last
security hole in Apache, when ISS published their report
just after the Apache developers were informed (so they
had 2 hours to fix the hole). This is bad style... And
not only a PGP issue.

Cheers, Olaf


Olaf Gellert                                            _ - __o
                                                      _- _`\<,_
                                                     - (_)/ (_)
Most people would sooner die than think; in fact, they do so.
        -- Bertrand Russell