From owner-freebsd-security@FreeBSD.ORG Sun Oct 21 14:34:53 2007 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0C96216A41A for ; Sun, 21 Oct 2007 14:34:53 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd3mo3so.prod.shaw.ca (idcmail-mo1so.shaw.ca [24.71.223.10]) by mx1.freebsd.org (Postfix) with ESMTP id BE93F13C4DD for ; Sun, 21 Oct 2007 14:34:28 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd4mr4so.prod.shaw.ca (pd4mr4so-qfe3.prod.shaw.ca [10.0.141.215]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0JQ800DRIMBILDE0@l-daemon> for freebsd-security@FreeBSD.org; Sat, 20 Oct 2007 19:18:54 -0600 (MDT) Received: from pn2ml4so.prod.shaw.ca ([10.0.121.148]) by pd4mr4so.prod.shaw.ca (Sun Java System Messaging Server 6.2-7.05 (built Sep 5 2006)) with ESMTP id <0JQ800HQBMBIJD30@pd4mr4so.prod.shaw.ca> for freebsd-security@FreeBSD.org; Sat, 20 Oct 2007 19:18:54 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.201.197]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0JQ800LTBMBHKF79@l-daemon> for freebsd-security@FreeBSD.org; Sat, 20 Oct 2007 19:18:53 -0600 (MDT) Received: (qmail 21582 invoked from network); Sun, 21 Oct 2007 01:18:39 +0000 Received: from unknown (HELO hexahedron.daemonology.net) (127.0.0.1) by localhost with SMTP; Sun, 21 Oct 2007 01:18:39 +0000 Date: Sat, 20 Oct 2007 18:18:38 -0700 From: Colin Percival In-reply-to: <20071021015451.U70919@fledge.watson.org> To: Robert Watson Message-id: <471AA8EE.7050406@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.95.0 References: <1191595847.2850.21.camel@amd.uni.vrs> <47065710.6090702@freebsd.org> <20071021015451.U70919@fledge.watson.org> User-Agent: Thunderbird 2.0.0.6 (X11/20070812) Cc: freebsd-security@FreeBSD.org Subject: Re: missing Advisory at ftp.freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 21 Oct 2007 14:34:53 -0000 Robert Watson wrote: > On Fri, 5 Oct 2007, Colin Percival wrote: >>> ftp://ftp.freebsd.org/CERT/ >> >> We stopped uploading advisories there because we kept on running into >> problems with ftp mirrors being out of date, while have complete >> control over the security.freebsd.org webserver and can make sure >> files are there before we send out the advisory. > > Sounds like we should remove this from ftp-master so it stops being > replicated, or at least put a note there about it being historic. Any > preference on which? It would be easy for me to put a warning and > redirection at the top of README or rename CERT to CERT.old. All of the old advisories point to ftp.freebsd.org (both as "the latest revision of this advisory can be found at" and for the patches), so we should leave the existing files there for the near future at least. Adding a README pointing people towards security.freebsd.org sounds like the best option to me. Colin Percival From owner-freebsd-security@FreeBSD.ORG Sun Oct 21 17:34:46 2007 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E171216A421 for ; Sun, 21 Oct 2007 17:34:46 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id C75D913C4B0 for ; Sun, 21 Oct 2007 17:34:46 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 3391546EBA; Sat, 20 Oct 2007 20:55:57 -0400 (EDT) Date: Sun, 21 Oct 2007 01:55:56 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Colin Percival In-Reply-To: <47065710.6090702@freebsd.org> Message-ID: <20071021015451.U70919@fledge.watson.org> References: <1191595847.2850.21.camel@amd.uni.vrs> <47065710.6090702@freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Olli Hauer , freebsd-security@freebsd.org Subject: Re: missing Advisory at ftp.freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 21 Oct 2007 17:34:47 -0000 On Fri, 5 Oct 2007, Colin Percival wrote: > Olli Hauer wrote: >> I am missing the advisory for openssl at ftp://ftp.freebsd.org/CERT/ > > We stopped uploading advisories there because we kept on running into > problems with ftp mirrors being out of date, while have complete control > over the security.freebsd.org webserver and can make sure files are there > before we send out the advisory. Sounds like we should remove this from ftp-master so it stops being replicated, or at least put a note there about it being historic. Any preference on which? It would be easy for me to put a warning and redirection at the top of README or rename CERT to CERT.old. Robert N M Watson Computer Laboratory University of Cambridge From owner-freebsd-security@FreeBSD.ORG Sun Oct 21 20:48:18 2007 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 99D8516A418; Sun, 21 Oct 2007 20:48:18 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id 45B4813C49D; Sun, 21 Oct 2007 20:48:18 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 5043046E02; Sun, 21 Oct 2007 16:48:05 -0400 (EDT) Date: Sun, 21 Oct 2007 21:48:05 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Colin Percival In-Reply-To: <471AA8EE.7050406@freebsd.org> Message-ID: <20071021214717.L70919@fledge.watson.org> References: <1191595847.2850.21.camel@amd.uni.vrs> <47065710.6090702@freebsd.org> <20071021015451.U70919@fledge.watson.org> <471AA8EE.7050406@freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@FreeBSD.org Subject: Re: missing Advisory at ftp.freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 21 Oct 2007 20:48:18 -0000 On Sat, 20 Oct 2007, Colin Percival wrote: > Robert Watson wrote: >> On Fri, 5 Oct 2007, Colin Percival wrote: >>>> ftp://ftp.freebsd.org/CERT/ >>> >>> We stopped uploading advisories there because we kept on running into >>> problems with ftp mirrors being out of date, while have complete control >>> over the security.freebsd.org webserver and can make sure files are there >>> before we send out the advisory. >> >> Sounds like we should remove this from ftp-master so it stops being >> replicated, or at least put a note there about it being historic. Any >> preference on which? It would be easy for me to put a warning and >> redirection at the top of README or rename CERT to CERT.old. > > All of the old advisories point to ftp.freebsd.org (both as "the latest > revision of this advisory can be found at" and for the patches), so we > should leave the existing files there for the near future at least. Adding > a README pointing people towards security.freebsd.org sounds like the best > option to me. What I've done is update the README and index.html to reflect the new location, but left the existing files in place for historical reasons. Thanks, Robert N M Watson Computer Laboratory University of Cambridge From owner-freebsd-security@FreeBSD.ORG Sun Oct 21 21:40:01 2007 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 057A316A41B for ; Sun, 21 Oct 2007 21:40:01 +0000 (UTC) (envelope-from ohauer@gmx.de) Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.freebsd.org (Postfix) with SMTP id 71A2113C4B0 for ; Sun, 21 Oct 2007 21:40:00 +0000 (UTC) (envelope-from ohauer@gmx.de) Received: (qmail invoked by alias); 21 Oct 2007 21:39:52 -0000 Received: from u18-124.dsl.vianetworks.de (EHLO [172.20.1.30]) [194.231.39.124] by mail.gmx.net (mp018) with SMTP; 21 Oct 2007 23:39:52 +0200 X-Authenticated: #1956535 X-Provags-ID: V01U2FsdGVkX19xei1nJ1dxkojfOFjxNlvnGr9HPM/p0/SJWt2Njo JT8N7QUXyoGArq Message-ID: <471BC71B.9090703@gmx.de> Date: Sun, 21 Oct 2007 23:39:39 +0200 From: Olli Hauer User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: Colin Percival References: <1191595847.2850.21.camel@amd.uni.vrs> <47065710.6090702@freebsd.org> <20071021015451.U70919@fledge.watson.org> <471AA8EE.7050406@freebsd.org> In-Reply-To: <471AA8EE.7050406@freebsd.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Cc: freebsd-security@FreeBSD.org, Robert Watson Subject: Re: missing Advisory at ftp.freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 21 Oct 2007 21:40:01 -0000 Colin Percival wrote: > Robert Watson wrote: >> On Fri, 5 Oct 2007, Colin Percival wrote: >>>> ftp://ftp.freebsd.org/CERT/ >>> We stopped uploading advisories there because we kept on running into >>> problems with ftp mirrors being out of date, while have complete >>> control over the security.freebsd.org webserver and can make sure >>> files are there before we send out the advisory. OK, that is a good reason. (with ftp it was very easy to get the advisories/patches with a script and wget without filtering icons and index.html files) >> Sounds like we should remove this from ftp-master so it stops being >> replicated, or at least put a note there about it being historic. Any >> preference on which? It would be easy for me to put a warning and >> redirection at the top of README or rename CERT to CERT.old. > All of the old advisories point to ftp.freebsd.org (both as "the latest > revision of this advisory can be found at" and for the patches), so we > should leave the existing files there for the near future at least. Adding > a README pointing people towards security.freebsd.org sounds like the best > option to me. For humans who browse the website it is better to correct the link to CERT at http://security.freebsd.org/ to the new location. <-- snipped from the website http://security.freebsd.org/ -- Advisories are always signed using the FreeBSD Security Officer PGP key and are archived, along with their associated patches, at our FTP CERT repository. ......................................................^^^^^^^^ At the time of this writing, the following advisories are currently available (note that this list may be a few days out of date - for the very latest advisories please check the FTP site): .................^^^^^^^^ -- end snipped --> olli