Date: Tue, 06 Aug 2002 14:32:12 -0700
From: Colin Percival
Subject: Re: advisory coordination (Re: SA-02:35)
To: peter.lai@uconn.edu, Anatole Shaw
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG

At 16:20 06/08/2002 -0400, Peter C. Lai wrote:
>On Tue, Aug 06, 2002 at 02:03:00PM -0400, Anatole Shaw wrote:
> > I think that a policy of issuing "early warning" advisories, as Colin
> > Percival extrapolated from my original post, is one right solution. That
> > is, an incomplete advisory is better than no advisory at all, when bug
> > details (i.e. patch) are already circulating.
>
>[...] Still, the openssl revision along with the
>stdio repatch seems to suggest that we may want to balance haste
>with quality of the patches.

I didn't mean at all that the quality of the patches should be endangered in order to issue an advisory quickly; rather, I meant that once everyone involved agreed that a patch was good, issuing an advisory saying "there's a problem, here's the patch, we don't know what the possible workarounds might be" would be preferable to waiting until you had analyzed exactly when there is a security risk and what the workarounds might be.

Colin Percival