From: Michael Bryan
Date: Tue, 10 Apr 2001 10:48:03 -0700
To: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?

Christopher Schulte wrote:
>
> I imagine many production servers do not follow -STABLE religiously, but
> will upgrade as needed when heads-up of specific issues are unearthed.

Previous discussions on the list have made it clear that this is true for
quite a few sites. It's certainly true for the one I manage.

> It's that unearthing process that needs work; one can track list after list
> after list, or look to their vendor. I'd prefer to see 'hey here's a new
> issue... we don't have it fixed yet, but workarounds may include...' rather
> than silence from the security officer.

Exactly.

> Perhaps a security-heads-up list of sorts. It'd be the crossroad between
> security and security-advisories. Moderated, but with a less formal feel
> than advisories.

Actually, I think the existing security advisory format and mailing list
works fine.

I personally see nothing wrong with releasing an early version of an advisory
that just says "Here's the issue and some potential workarounds, a fix will be
forthcoming," and then releasing an updated version of the advisory when the
fix is available. FreeBSD has done updated advisories in the past, I believe,
and certainly other vendors have as well. IIRC, the procedure for advisories
and older versions of FreeBSD follows that pattern as well, with updated
advisories coming out when older versions get the fix some time after the
current releases.

It's a common enough procedure that's fairly easy to understand (as long as
the updates make it clear what's different from the first advisory), and it
avoids having to subscribe to yet another list.