Date: Tue, 06 Aug 2002 14:32:12 -0700
From: Colin Percival <Colin_Percival@sfu.ca>
To: peter.lai@uconn.edu, Anatole Shaw <shaw@autoloop.com>
Cc: Dag-Erling Smorgrav <des@ofug.org>, freebsd-security@FreeBSD.ORG
Subject: Re: advisory coordination (Re: SA-02:35)
Message-ID: <5.0.2.1.1.20020806142610.01fe55b8@popserver.sfu.ca>
In-Reply-To: <20020806162024.A67456@cowbert.2y.net>
References: <20020806140300.A24745@kagnew.autoloop.com> <1028312148.3d4acc54c5eef@webmail.vsi.ru> <xzpado0hp1h.fsf@flood.ping.uio.no> <20020806053237.A49851@kagnew.autoloop.com> <xzpznw0fgez.fsf@flood.ping.uio.no> <20020806140300.A24745@kagnew.autoloop.com>
At 16:20 06/08/2002 -0400, Peter C. Lai wrote:
>On Tue, Aug 06, 2002 at 02:03:00PM -0400, Anatole Shaw wrote:
> > I think that a policy of issuing "early warning" advisories, as Colin
> > Percival extrapolated from my original post, is one right solution. That
> > is, an incomplete advisory is better than no advisory at all, when bug
> > details (i.e. patch) are already circulating.
>
>[...] Still, the openssl revision along with the
>stdio repatch seems to suggest that we may want to balance haste
>with quality of the patches.

I didn't mean at all that the quality of the patches should be endangered in order to issue an advisory quickly; rather, I meant that once everyone involved agreed that a patch was good, issuing an advisory saying "there's a problem, here's the patch, we don't know what the possible workarounds might be" would be preferable to waiting until you had analyzed exactly when there is a security risk and what the workarounds might be.

Colin Percival

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message