From owner-freebsd-security Wed Apr 11 1:24: 5 2001
Message-Id: <4.3.2.20010410211055.02ce8470@207.227.119.2>
Date: Tue, 10 Apr 2001 21:25:20 -0500
To: Nicole Harrington
From: "Jeffrey J. Mountin"
Subject: Re: Security Announcements?
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <20010410215014.A8173@scientia.demon.co.uk>

At 03:43 PM 4/10/01 -0700, Nicole Harrington wrote:
>On 10-Apr-01 Ben Smithurst wrote:
>> Michael Nottebrock wrote:
>>
>>> It certainly is starting to irritate people running
>>> 4.2-Release.
>>
>> Well if you want the latest security fixes you shouldn't be running a
>> -release anyway, that's what the -stable branch is for.
>
> That's the most stupid thing I have ever heard. I never knew that simply by
>running -STABLE I would not have any security problems and would not need
>patches or updates.

It certainly doesn't address *when* you should update, but in many cases the
fix was long before the advisory. Both sides here have merit. However,
relying on blind updates would be foolish. The advisory can also mean
avoiding a complete build.
> As someone who runs many production level servers here is what I would want
> In order:
>
> 1) A notice that there is a problem - So I can tcpwrap or shutdown said
> service until a patch is available.
>
> 2) A binary patch. Similar to the Linux RPMs and the BSDi patches.
> Just download and run. No compiles no installs.
>
> 3) A patch that everyone agrees works in an email or other notification that
> says, here's where you can get the patch, this works, here's what to do with
> it.

Assessment should be first. Do you use it, and in some cases is it configured
in such a way as to be vulnerable? There are times when checking the latter
takes longer than applying the fix would have. Also, fixing only the systems
that use a service has a downside should the configuration change.
Documentation is helpful.

> From my perspective it took days for people to stop discussing what patch
> was best for ntpd and I still never heard a full resolution on the mailing
> list. No official blessing of a patch other than what I would get via
> CVSUP. I have production servers, I can't run a CVsup every day, let alone a
> make world.
>
> Yes I may have missed a few mails or something. But expecting people to
> spend their days tracking down patches and notices abt problems kinda negates
> the whole idea of a security mailing and notification.
> The process seemed much better in the past, but lately, it has been much
> less than optimal.

The NTP was a bit messy, but I don't think it's changed much. Other than more
often and the port specific one. In a few cases it did take a while for the
fix and/or advisory. Hard to say with all the traffic. All I *do* know is
that a higher number are likely to affect more systems. Or it's just that the
past year has exceeded the prior 5 for the number that concerned me.
It might be the recent confusion with the typical advisory delay making things
seem worse than they are, or it is a case load issue, which in most cases this
list covers and most times becomes the official fix.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve