
> I still can't believe more people complain about this being publicly disclosed than this being possible in the first place.

I think the problem is due to the fact that they are fans. In this case, it's Apple, but there's no reason it couldn't be Linux or Go or whatever. Regardless, any bad news about their hero is irresponsible to disseminate. We see this same phenomenon in politics, in sports and elsewhere — I daresay it's regrettable human nature.



I've not commented either way on the subject in this thread, but personally I would much rather have read this as a writeup 2 or 3 months from now after the discoverer had responsibly disclosed the vulnerability and Apple had a chance to patch it.

On the other hand, I'm glad that I have this information so I know not to install High Sierra on my work iMac (sitting on a desk in a WeWork behind a door whose lock would be very easy to force open) until this is fixed.

[Edit: I now see that there's a simple workaround (change the root password and keep root enabled), so I'm all for "irresponsible disclosure" in this case]


As an addendum, Apple released a fix for this less than 48 hours after it was reported (I think I've got the timeframe right), so there's something to be said for irresponsibly disclosing to light a fire under the ass of whomever is responsible for fixing a vulnerability.


> I think the problem is due to the fact that they are fans.

I think this is an unfair characterization. Sure, it's hard to hear that their "hero is irresponsible", but the real reason is that this kind of behavior puts everyone at risk while Apple tries to fix it.


That may be true for Cisco and Juniper, where upgrades must be carefully rolled out across globally distributed critical infrastructure, but this is APPLE. They need no such help. They can push to everyone, now, and it will be fine. Forcing their hand is safer than trying to hide a flaw a 3 year old could find by accident.


> They can push to everyone, now, and it will be fine.

I'm pretty sure any fix has to go through Build and Integration before being rolled out. Then you need to have people actually install the update…


Oh my goodness I totally forgot they had to build it first! /s


They were already at risk. Now they can mitigate.


*Significantly more risk



