The world does not always, and often does not, appreciate those who do it favors.
Consider sshd and privilege separation. At a time when vendors and developers need to assist in making privilege separation work for all, many critics and naysayers are suggesting alternate agendas for the lack of disclosure on the bug that can be kept at bay through privilege separation.
Let us see this for what it is. The reality we face is:
- bug is discovered
- choice made to delay full disclosure so everyone has an opportunity to be safe
- announcement of privilege separation as a safe and recommended upgrade
- time delay to allow for security upgrades
- full disclosure of the bug; those who were alert are safe
There are those who are calling for this scenario:
- bug is discovered
- full disclosure, including bugfix
- privilege separation is suggested as a way to avoid future bugs
- many people caught off guard, and exploited
I know which scenario I like better. Unfortunately, unhappy people would suggest otherwise. *sigh*.