From owner-freebsd-security Tue Aug 6 13:20:30 2002
Date: Tue, 6 Aug 2002 16:20:24 -0400
From: "Peter C. Lai"
To: Anatole Shaw
Cc: Dag-Erling Smorgrav, freebsd-security@freebsd.org
Subject: Re: advisory coordination (Re: SA-02:35)
Message-ID: <20020806162024.A67456@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <1028312148.3d4acc54c5eef@webmail.vsi.ru> <20020806053237.A49851@kagnew.autoloop.com> <20020806140300.A24745@kagnew.autoloop.com>
In-Reply-To: <20020806140300.A24745@kagnew.autoloop.com>; from shaw@autoloop.com on Tue, Aug 06, 2002 at 02:03:00PM -0400

On Tue, Aug 06, 2002 at 02:03:00PM -0400, Anatole Shaw wrote:
> On Tue, Aug 06, 2002 at 12:08:36PM +0200, Dag-Erling Smorgrav wrote:
> > What do you propose?
>
> I think that a policy of issuing "early warning" advisories, as Colin
> Percival extrapolated from my original post, is one right solution. That
> is, an incomplete advisory is better than no advisory at all, when bug
> details (i.e. patch) are already circulating.

It depends. We have already seen multiple cases where we have had multiple
revisions of the same advisory. I believe 3 of the more recent advisories
were revised due to revisions of the original release.

This makes support hard for the customers; I have had to build world about
3 times in the last two weeks (tracking RELENG_4_6), whereas prior to the
openssh debacle I lasted a few months without building world. This is
probably worse for the large-installation administrators, who are currently
tracking a moving target even with the help of build farms and build
testing. Still, the openssl revision along with the stdio repatch seems to
suggest that we may want to balance haste with quality of the patches.

> Some other OS vendors issue advisories that say little more than "hurry up
> and download the patch," but at least those make admins aware that an
> issue exists. I'd be happy to help make a (better, obviously) "early
> warning system" happen for FreeBSD, if people agree that it's a good idea.
> We're all in the same boat here.
>
> Regards,
>
> --
> Anatole Shaw
> Autoloop Security Consulting
> http://www.autoloop.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
Yale University School of Medicine
Center for Medical Informatics | Research Assistant
http://cowbert.2y.net/