Xref: utzoo comp.protocols.tcp-ip:5347 comp.unix.wizards:12406
Path: utzoo!attcan!uunet!husc6!bloom-beacon!bu-cs!purdue!decwrl!labrea!glacier!jbn
From: jbn@glacier.STANFORD.EDU (John B. Nagle)
Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards
Subject: Re: Security mailing list
Keywords: bug reality
Message-ID: <17841@glacier.STANFORD.EDU>
Date: 14 Nov 88 17:03:43 GMT
References: <1698@cadre.dsl.PITTSBURGH.EDU> <2060@spdcc.COM> <1240@ucsd.EDU> <8388@nlm-mcs.arpa> <44444@beno.seismo.CSS.GOV> <1727@c <1776@ndsuvax.UUCP>
Reply-To: jbn@glacier.UUCP (John B. Nagle)
Organization: Stanford University
Lines: 16

I suggest that the security mailing list be posted to a newsgroup, but with a 60-day delay. Sites and vendors serious about security will either have fixed any problem by that time, or they probably aren't going to fix it at all. This insures that a false sense of security is not engendered among system administrators, yet allows a reasonable time for closing newly discovered problems. General knowledge of that 60-day timer will tend to accelerate efforts by vendors to fix problems, I would suspect.

Why 60 days? A monthly update service would be enough to keep systems operating with the latest security fixes. 30 days would require biweekly updates to stay current, which is a bit frequent. Much longer than 60 days, and the pressure would be off on fixing holes.

John Nagle