From owner-freebsd-security  Tue Aug  6 11: 3:11 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A98DD37B400
	for <freebsd-security@freebsd.org>; Tue,  6 Aug 2002 11:03:08 -0700 (PDT)
Received: from kagnew.autoloop.com (kagnew.autoloop.com [207.99.30.88])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A0DF143E65
	for <freebsd-security@freebsd.org>; Tue,  6 Aug 2002 11:03:07 -0700 (PDT)
	(envelope-from ash@kagnew.autoloop.com)
Received: by kagnew.autoloop.com (Postfix, from userid 1000)
	id A1EAF74479; Tue,  6 Aug 2002 18:03:00 +0000 (GMT)
Date: Tue, 6 Aug 2002 14:03:00 -0400
From: Anatole Shaw <shaw@autoloop.com>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: freebsd-security@freebsd.org
Subject: Re: advisory coordination (Re: SA-02:35)
Message-ID: <20020806140300.A24745@kagnew.autoloop.com>
References: <1028312148.3d4acc54c5eef@webmail.vsi.ru> <xzpado0hp1h.fsf@flood.ping.uio.no> <20020806053237.A49851@kagnew.autoloop.com> <xzpznw0fgez.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <xzpznw0fgez.fsf@flood.ping.uio.no>; from des@ofug.org on Tue, Aug 06, 2002 at 12:08:36PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Tue, Aug 06, 2002 at 12:08:36PM +0200, Dag-Erling Smorgrav wrote:
> What do you propose?

I think that a policy of issuing "early warning" advisories, as Colin
Percival extrapolated from my original post, is one right solution.  That
is, an incomplete advisory is better than no advisory at all, when bug
details (i.e. patch) are already circulating.

Some other OS vendors issue advisories that say little more than "hurry up
and download the patch," but at least those make admins aware that an
issue exists.  I'd be happy to help make a (better, obviously) "early
warning system" happen for FreeBSD, if people agree that it's a good idea.
We're all on the same boat here.

Regards,

-- 
Anatole Shaw
Autoloop Security Consulting
http://www.autoloop.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message