From owner-freebsd-security Tue Apr 10 15:43:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from beast.daemontech.com (beast.daemontech.com [208.135.51.45])
        by hub.freebsd.org (Postfix) with SMTP id DB44737B424
        for ; Tue, 10 Apr 2001 15:43:47 -0700 (PDT)
        (envelope-from nmh@daemontech.com)
Received: (qmail 37685 invoked for bounce); 10 Apr 2001 22:43:47 -0000
Received: from xwin.daemontech.net (208.135.51.161)
        by beast.daemontech.com with SMTP; 10 Apr 2001 22:43:47 -0000
Message-ID:
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <20010410215014.A8173@scientia.demon.co.uk>
Date: Tue, 10 Apr 2001 15:43:47 -0700 (PDT)
From: Nicole Harrington
To: Ben Smithurst
Subject: Re: Security Announcements?
Cc: freebsd-security@freebsd.org, Michael Bryan , Michael Nottebrock
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 10-Apr-01 Ben Smithurst wrote:
> Michael Nottebrock wrote:
>
>> It certainly is starting to irritate people running
>> 4.2-Release.
>
> Well if you want the latest security fixes you shouldn't be running a
> -release anyway, that's what the -stable branch is for.
>

That's the most stupid thing I have ever heard. I never knew that simply by running -STABLE I would not have any security problems and would not need patches or updates.

As someone who runs many production level servers, here is what I would want, in order:

1) A notice that there is a problem - So I can tcpwrap or shutdown said service until a patch is available.

2) A binary patch. Similar to the Linux RPMs and the BSDi patches. Just download and run. No compiles, no installs.

3) A patch that everyone agrees works in an email or other notification that says, here's where you can get the patch, this works, here's what to do with it.

From my perspective it took days for people to stop discussing what patch was best for ntpd and I still never heard a full resolution on the mailing list. No official blessing of a patch other than what I would get via CVSUP. I have production servers, I can't run a CVSup every day, let alone a make world.

Yes, I may have missed a few mails or something. But expecting people to spend their days tracking down patches and notices about problems kinda negates the whole idea of a security mailing and notification. The process seemed much better in the past, but lately, it has been much less than optimal.

Just my 2C

Nicole

> --
> Ben Smithurst / ben@FreeBSD.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

----------------------------------
E-Mail: Nicole
Date: 10-Apr-01
Time: 15:26:44