
Rationally, shouldn’t we feel safer if it’s patched twice? Seems like it’s irrational to prefer a state where it was patched once over one where it was patched twice. It would seem to indicate that they dedicated time and resources to resolve it once, then did proper follow-up to catch missed cases. It certainly points to it being a pernicious issue, but I can’t see why you’d presume it’s worse that it’s been patched more.


Depends on why they patched it twice.

On the "we should be worried" end of the scale, we have

"we fixed a bug but didn’t add a test, then accidentally reverted the bug fix, had to fix it again, and still didn’t improve our process to prevent this from happening again"

In the exaggerated version, they don’t use source control, so they had to figure out how to fix the bug twice, and they didn’t even do a test, but, in both cases, only believed they fixed it.

Going back to your example, it depends on how they detected that they missed cases, and on how sure they are they know them all now. If (100% hypothetically) they only detected it after ten people died, denied existence of the problem, and were sued in court, we should be worried.

In the real world, just like all other companies working on autonomous driving, I think they will never be able to say they truly fixed the problem. The problem is, and always will be, underspecified, and even if we knew the problem well, we don’t really know for what kinds of problems the software we use to do this is a reliable solution.

I would be a bit more worried about Tesla than, say, about German car manufacturers because Tesla has shown to be willing to sail close to cliffs. Worried enough to be really worried? No.


"This time we fixed it for the last time"


Because the fact that it was patched twice means they didn't fix it the first time, which means they didn't test it properly and might not have fixed it the second time.

It's entirely logical.


I’m not sure the number of patches actually provides any definitive information on the current state from a purely logical argument.

Zero patches, one, two, or more. That there are patches merely tells you that they tried to respond to an identified threat. It doesn’t tell you the threat was properly mitigated in any case.

I think we can say it is strictly better to have more than zero patches in the case where a vulnerability is public. Exactly one patch to me doesn’t guarantee anything about the quality. Multiple patches at least implies persistent effort and dedication to securing the fix. Maybe at some point the number of patches implies incompetence but I’m not sure I’d draw that line at “2”?


Not really, a hotfix is a do no harm situation where an initially conservative approach that’s unlikely to cause harm may be deployed. That’s true even if it’s known not to completely solve the problem.

Now, in the case of an undisclosed vulnerability, waiting may be preferred, as a patch is going to get people to look in that direction. However, with public disclosure the clock is ticking.



