Date: Tue, 17 Apr 2001 19:14:54 -0700
From: Michael Bryan <fbsd-security@ursine.com>
To: freebsd-security@freebsd.org
Subject: Re: Latency of security notifications
Message-ID: <3ADCF89E.14CD5D37@ursine.com>
References: <200104171717.AA1124598422@stmail.pace.edu> <20010417150221.B3580@blazingdot.com> <3ADCD543.8AB7B426@ursine.com> <20010417181710.A12757@xor.obsecurity.org>
Kris Kennaway wrote:
>
> I think it would result in a flood of support questions about "how do
> I fix this?"/"What does this mean?" and end up causing the security
> officer team a lot more work if it came from us, even as some kind of
> unofficial statement (especially if it was a very brief statement,
> which it would have to be to get immediately released upon third party
> disclosure of a vulnerability, because none of us have enough free
> time to actively pre-empt whatever else we're doing to go and write
> something comprehensive).
>
> Other people usually send copies of third party advisories to this
> forum for serious issues as soon as they're published (on bugtraq or
> wherever), and the community takes care of the interim support: that
> seems like a much better solution to me.

Except that there are definitely cases where that isn't adequate, judging from current and past complaints. Although I pick up the info from freebsd-security (and in a couple of cases was the person to forward it there in the first place), a lot of people just don't have the time to keep up with the discussion list, but would definitely keep up with the moderated announcement list. Even to the point of having that list forwarded to a pager for the fastest possible notification, which I think is an excellent idea. Nobody in their right mind would forward freebsd-security into a pager. At least not for very long. ;-)

I understand your concern about the flood of questions, but that already happens anyway, at least within the freebsd-security list. Maybe such a mini "early alert" advisory to freebsd-security-announce could be worded in such a way that it would encourage people to check out the unmoderated list for rapid on-the-fly support questions, until such time as an official advisory came out? Something like this (very rough cut):

    The FreeBSD security team has been notified of a problem with XYZ.
    An official security announcement will be forthcoming shortly with
    the recommended fixes. In the meantime, please subscribe to and read
    the freebsd-security mailing list for the latest news on this issue.

And then list the minimal information that can be included, such as the impact, the affected versions and any potential workarounds (to the best that they are understood at the time). This would -hopefully- minimize any questions sent directly to the security team, with most of the traffic going to freebsd-security. (Which already happens anyway, so it shouldn't be a significant increase in volume.)

I really hope you seriously consider doing something like this.