by tptacek 38 days ago
Right, all I'm saying is that we were asymptotically close many years ago; all that's changed is that nobody can kid themselves about it anymore.

The actual policy responses to it, I couldn't say! I've always believed, even when there was a meaningful gap between patching and disclosing, that coordinated disclosure norms were a bad default.

1 comments

What process or mechanism would you prefer to use instead of coordinated disclosure?
I guess people could download (but not install) encrypted patches with an announced key release date+time, so that by the moment it is disclosed essentially everyone is applying the patch.
That's still coordinated, but by the publicizing of the key.
The most common alternative is full disclosure.