From owner-freebsd-security Tue Apr 10 11: 7:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 44E5F37B422 for ; Tue, 10 Apr 2001 11:07:45 -0700 (PDT) (envelope-from sziszi@petra.hos.u-szeged.hu)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.3+Sun/SMI-SVR4) id UAA14958; Tue, 10 Apr 2001 20:07:35 +0200 (MEST)
Received: from sziszi by petra.hos.u-szeged.hu with local (Exim 3.12 #1 (Debian)) id 14n2YB-00035P-00; Tue, 10 Apr 2001 20:07:35 +0200
Date: Tue, 10 Apr 2001 20:07:35 +0200
From: Szilveszter Adam
To: Christopher Schulte
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Message-ID: <20010410200735.A11098@petra.hos.u-szeged.hu>
Mail-Followup-To: Szilveszter Adam , Christopher Schulte , freebsd-security@FreeBSD.ORG
References: <3AD33218.FE8D7ACD@ursine.com> <3AD33218.FE8D7ACD@ursine.com> <20010410185256.A20479@petra.hos.u-szeged.hu> <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>; from christopher@schulte.org on Tue, Apr 10, 2001 at 12:21:10PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Apr 10, 2001 at 12:21:10PM -0500, Christopher Schulte wrote:
>
> I imagine many production servers do not follow -STABLE religiously, but
> will upgrade as needed when heads-up of specific issues are unearthed.

Certainly. It was just that this is the only way to find out as of now.

> It's that unearthing process that needs work; one can track list after list
> after list, or look to their vendor. I'd prefer to see 'hey here's a new
> issue... we don't have it fixed yet, but workarounds may include...' rather
> than silence from the security officer.
>
> Perhaps a security-heads-up list of sorts. It'd be the crossroad between
> security and security-advisories. Moderated, but with a less formal feel
> than advisories.

I agree with you and did not say what I said as some sort of critique on you or anything. This is the role the -security list was supposed to serve, but as we all know, it fails in this role lately rather spectacularly. Which is a pity.

I am not sure moderation would help a lot, because when discussion of upcoming problems is what you want, even the time it takes to do the moderation may be too much sometimes. Of course, it serves well to exclude the off-topic chatter that seems to be so prevalent on -security today... I don't know a good solution.

Also, at certain times it is coordination with other vendors who have the same problem that might hold off an SA, and in this case it would not be possible to jump the gun on a heads-up list either by announcing the thing earlier, even if only informally.

Also, there is the problem that the same systems that cannot afford to follow -STABLE regularly won't want to do this for SAs either, but choose to apply a patch instead, which on the other hand needs more careful testing than just saying: "Upgrade to the latest and greatest".

Maybe the best idea would be to make the -security list on-topic again... yeah, I am dreaming :-)

Just my HUF 0.02 (which won't buy you anything here, BTW :-)

--
Regards:
Szilveszter ADAM
Szeged University
Szeged Hungary

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message