Date: Tue, 6 Aug 2002 16:20:24 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Anatole Shaw <shaw@autoloop.com>
Cc: Dag-Erling Smorgrav <des@ofug.org>, freebsd-security@freebsd.org
Subject: Re: advisory coordination (Re: SA-02:35)
Message-ID: <20020806162024.A67456@cowbert.2y.net>
In-Reply-To: <20020806140300.A24745@kagnew.autoloop.com>; from shaw@autoloop.com on Tue, Aug 06, 2002 at 02:03:00PM -0400
References: <1028312148.3d4acc54c5eef@webmail.vsi.ru> <xzpado0hp1h.fsf@flood.ping.uio.no> <20020806053237.A49851@kagnew.autoloop.com> <xzpznw0fgez.fsf@flood.ping.uio.no> <20020806140300.A24745@kagnew.autoloop.com>
On Tue, Aug 06, 2002 at 02:03:00PM -0400, Anatole Shaw wrote:
> On Tue, Aug 06, 2002 at 12:08:36PM +0200, Dag-Erling Smorgrav wrote:
> > What do you propose?
>
> I think that a policy of issuing "early warning" advisories, as Colin
> Percival extrapolated from my original post, is one right solution. That
> is, an incomplete advisory is better than no advisory at all, when bug
> details (i.e. patch) are already circulating.

It depends. We have already seen multiple cases where we have had multiple
revisions of the same advisory. I believe 3 of the more recent advisories
were revised due to revisions of the original release. This makes support
hard for the customers; I have had to build world about 3 times in the last
two weeks (tracking RELENG_4_6), whereas prior to the openssh debacle I
lasted a few months without building world. This is probably worse for the
large-installation administrators who are currently tracking a moving target
even with the help of build farms and build testing. Still, the openssl
revision along with the stdio repatch seems to suggest that we may want to
balance haste with quality of the patches.

> Some other OS vendors issue advisories that say little more than "hurry up
> and download the patch," but at least those make admins aware that an
> issue exists. I'd be happy to help make a (better, obviously) "early
> warning system" happen for FreeBSD, if people agree that it's a good idea.
> We're all on the same boat here.
>
> Regards,
>
> --
> Anatole Shaw
> Autoloop Security Consulting
> http://www.autoloop.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Peter C. Lai
University of Connecticut Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020806162024.A67456>