Security mailing list

John B. Nagle jbn at glacier.STANFORD.EDU
Tue Nov 15 03:03:43 AEST 1988


      I suggest that the security mailing list be posted to a newsgroup,
but with a 60-day delay.  Sites and vendors serious about security will either
have fixed any problem by that time, or they probably aren't going to fix it
at all.  This ensures that a false sense of security is not engendered among
system administrators, yet allows a reasonable time for closing newly discovered
problems.
      General knowledge of that 60-day timer will tend to accelerate efforts
by vendors to fix problems, I would suspect.

      Why 60 days?  A monthly update service would be enough to keep systems
operating with the latest security fixes.  30 days would require biweekly
updates to stay current, which is a bit frequent.  Much longer than 60 days,
and the pressure would be off on fixing holes.

					John Nagle



More information about the Comp.unix.wizards mailing list