Date:      Fri, 3 Oct 2003 20:18:06 -0700
From:      Steve Kargl <sgk@troutmask.apl.washington.edu>
To:        Barney Wolff <barney@databus.com>
Cc:        current@freebsd.org
Subject:   Re: [security-advisories@freebsd.org: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:17.procfs]
Message-ID:  <20031004031806.GA64214@troutmask.apl.washington.edu>
In-Reply-To: <20031004024852.GA49129@pit.databus.com>
References:  <20031004014527.GB32411@pit.databus.com> <20031004015404.GW72999@procyon.firepipe.net> <20031004021041.GA33705@pit.databus.com> <20031004021750.GX72999@procyon.firepipe.net> <20031004024852.GA49129@pit.databus.com>

On Fri, Oct 03, 2003 at 10:48:53PM -0400, Barney Wolff wrote:
> On Fri, Oct 03, 2003 at 07:17:50PM -0700, Will Andrews wrote:
> > 
> > ...  The rule is that changes are always committed to
> > -CURRENT first, unless they do not apply.  This rule is rarely
> > broken in FreeBSD, and certainly never broken for security issues.
> 
> That's of course expected and appreciated.  But consider the different
> actions required of a reasonably paranoid FreeBSD SA on receipt of
> a security advisory:  If following anything but -current, cvsup and
> check the versions of the listed files.  If following -current,
> either trust that the updates made it to the mirror of choice, or
> look up on www.freebsd.org what the latest versions of the listed
> files are and check that you have them.  Since the SO is presumably
> taking the changes from -current, I hope it would not be too much
> of an imposition to list those versions in the advisory as well.
> 

If you're running -current, then you are reading the cvs-all
or at least the cvs-src mailing list.  It should be apparent
that the fixes hit -current before the SA is announced.

-- 
Steve


