Linked by Thom Holwerda on Wed 4th Jan 2006 22:45 UTC
Windows The saga around the WMF flaw in Windows continues. "A cryptographically signed version of Microsoft's patch for the Windows Metafile vulnerability accidentally leaked onto the Internet late Tuesday, adding a new wrinkle to the company's round-the-clock efforts to stop the flow of malicious exploits. The MSRC (Microsoft Security Response Center) acknowledged that a slip-up caused 'a fast-track, pre-release version of the update' to be posted to a security community site and urged users to 'disregard' the premature update."
Thread beginning with comment 81969
RE[4]: Too slow...
by Celerate on Thu 5th Jan 2006 05:44 UTC in reply to "RE[3]: Too slow..."
Celerate Member since:
2005-06-29

"Because.. super-guru-coders work at RH and Novell and at MS we have a bunch of kids?"

So far you're the only one in this thread to have said that either directly or indirectly.

"Or could it be, because in "Linux world" it is acceptable that users/customers are, in fact, doing what is normally QA's job?"
That's a common myth actually.

Linux is not all developed by one entity, the software packaged by RH and the like are developed outside of the company. Red Hat simply packages and distributes that software with a price tag on it so they get a return for the work they did: taking different packages that would otherwise be separate, and bundling them together into a Linux distribution. Red Hat doesn't produce its own patches for the software if there already is one, and the developers who contribute to open source software often write those patches first because they hear about it first and it's primarily their responsibility. If someone, whether their customer or not, writes a patch first of their own volition it's hardly fair to claim that Red Hat is making its customers roll out their own updates. I have heard of Linux distributors putting together their own patches before, but usually the people responsible for the vulnerable software get to it first or a patch is contributed. And even if Red Hat doesn't get to writing the patch first, they're still the ones that review the code before including it, package it, and take care of putting it up on a package repo so others can get it.

Reply Parent Score: 4

RE[5]: Too slow...
by gonzo on Thu 5th Jan 2006 12:59 in reply to "RE[4]: Too slow..."
gonzo Member since:
2005-11-10

So far you're the only one in this thread to have said that either directly or indirectly.

Yeah, but someone else said that "RH or Novell" would provide a patch much faster without any explanation.

and the developers who contribute to open source software often write those patches first because they hear about it first and it's primarily their responsibility

We all know how well it works when Pat Slackware got sick. Define "developers who contribute to open source software"? Big companies don't like to deal with something not really defined.


And please, why did you skip this part:

Guilfanov: I think Microsoft should develop a patch, (and) test and release it. And I believe that this is exactly what they are doing.

You guys know better than him, too...

Reply Parent Score: 1

RE[6]: Too slow...
by Celerate on Thu 5th Jan 2006 23:38 in reply to "RE[5]: Too slow..."
Celerate Member since:
2005-06-29

"So far you're the only one in this thread to have said that either directly or indirectly.

Yeah, but someone else said that "RH or Novell" would provide a patch much faster without any explanation."


I can't see how saying "RH or Novell" would patch it faster translates into an insult on MS.

"We all know how well it works when Pat Slackware got sick."

Red Hat and Novell are companies, run by several people and capable of continuing should anything happen to one or more of them. Pat Volkerding (is that how you spell his last name?) is one person, with a distribution which is more or less his own. So the comparison isn't a good one.

Secondly when Pat Volkerding became ill few people knew what had actually happened to him at first, to many he simply seemed to have disappeared until news of the guy's illness had reached them. As I understand it no one took over for him because it wasn't important enough yet, and because there was still a good enough chance he might recover. Had he not survived I have no doubt someone else would have taken over the project, and no doubt now the guy has a backup plan should anything happen to him.

Thirdly, just because no one is there to package an update doesn't mean there isn't one. It simply means that it's not packaged for that distribution yet, so some independent person will probably package it, and in the meantime sysadmins can install it manually, which is what they are paid for. Heck, even most ordinary Linux users I know of know how to compile software from source, and if they don't they can get easy help from IRC; if you ask nicely enough someone might even package it up for you so you never have to go near a console (depending on your distribution of course, but most now can do package management with a GUI).

"And please, why did you skip this part:

Guilfanov: I think Microsoft should develop a patch, (and) test and release it. And I believe that this is exactly what they are doing.

You guys know better than him, too..."


I don't think I disagree with that part, so why would I need to reply to it.

Reply Parent Score: 1

RE[5]: Too slow...
by gonzo on Thu 5th Jan 2006 13:07 in reply to "RE[4]: Too slow..."
gonzo Member since:
2005-11-10

"Or could it be, because in "Linux world" it is acceptable that users/customers are, in fact, doing what is normally QA's job?"

"That's a common myth actually."

Well let's see: so you say that users are not doing QA's job (my point of view), RH is not doing it, Novell is not doing it..

Well, who is doing it then? Nobody?

Red Hat doesn't produce its own patches for the software if there already is one

And if there isn't one? And my company pays for support to RH?

Righhht..

Reply Parent Score: 1

RE[6]: Too slow...
by Celerate on Thu 5th Jan 2006 23:53 in reply to "RE[5]: Too slow..."
Celerate Member since:
2005-06-29

""Or could it be, because in "Linux world" it is acceptable that users/customers are, in fact, doing what is normally QA's job?"

"That's a common myth actually."

Well let's see: so you say that users are not doing QA's job (my point of view), RH is not doing it, Novell is not doing it..

Well, who is doing it then? Nobody?

Red Hat doesn't produce its own patches for the software if there already is one

And if there isn't one? And my company pays for support to RH?

Righhht.."


Ok, let's try this again. Obviously you don't understand the relationship between OSS developers and Linux distributions.

Linux distributions are comprised of the Linux kernel and software; these are not written by Red Hat or Novell, although the two companies do contribute code among other things. Other people maintain the programs they wrote that Red Hat and Novell in turn package for their distributions. Now if there is a problem, the people who actually wrote the software and continue to maintain it are usually the ones who also fix it if someone else doesn't willingly contribute a fix first, and it actually happens very fast, with a patch usually released before 24 hours elapse. All Red Hat and Novell do is package the patch and put it up on their servers so people can update. Now, if a patch isn't issued that is where things change: either Red Hat or Novell or some other distributors will have their employees work on a patch, and then they are packaged and uploaded to the servers usually very promptly.

Neither Red Hat nor Novell leave their customers or users to roll out their own patches; if patches are contributed it's done by people who wanted to do it. Otherwise the distributors take care of making and packaging the patches themselves, and they do so very promptly.

Reply Parent Score: 1