Date:      Mon, 18 Apr 2022 13:19:19 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        Kevin Oberman <rkoberman@gmail.com>, postmaster@freebsd.org
Cc:        freebsd-security@freebsd.org
Subject:   Re: Lack of notification of security notices
Message-ID:  <D0D174DB-B479-478C-8C48-6B862A0DADCB@tetlows.org>
In-Reply-To: <CAN6yY1tcGowuUPG0TGBvLuVZzm_inRt77yp7efpvU3JWHk2Dcg@mail.gmail.com>
References:  <CAN6yY1tcGowuUPG0TGBvLuVZzm_inRt77yp7efpvU3JWHk2Dcg@mail.gmail.com>

From the secteam point of view, we haven't changed anything in the way we send messages to the mailing lists. I have double-checked and all SAs are sent to the three addresses listed. I suspect this is likely fallout of the mailing list changeover.

I can say for my part, I have gotten a copy of the messages from both the freebsd-announce and freebsd-security mailing lists for the SAs I have sent out (I'm not subscribed to the freebsd-security-notifications list). I just confirmed from the headers of the 2 copies of SA-22:08.zlib that I received that it is routing through the lists.

It does appear as though the messages are not properly archiving into the mailing list archives. Adding postmaster to the thread for them to dig into why that might be.

Gordon
Hat: security-officer

> On Apr 18, 2022, at 12:57 PM, Kevin Oberman <rkoberman@gmail.com> wrote:
> 
> As per the FreeBSD Security Information web page <https://www.freebsd.org/security/>, security notifications are sent to:
> * FreeBSD-security-notifications@FreeBSD.org
> * FreeBSD-security@FreeBSD.org
> * FreeBSD-announce@FreeBSD.org
>
> This policy has lately been ignored. No postings show up in the archives of FreeBSD-security-notifications@FreeBSD.org since January. Likewise for freebsd-announce. The only list showing the April 6 announcements is this one, freebsd-security@freebad.org.
> 
> In the past, Security Announcements and Errata Notes have also been copied to the stable and current lists as appropriate, although this is not mentioned. This delayed the update of my systems by several days. Fortunately, only one of these vulnerabilities was relevant to my systems.
> 
> Even though the announcements are almost 2 weeks old, it is still likely that some people are unaware of them, so I would strongly urge that they be posted to, at least, FreeBSD-Announce and FreeBSD-Stable lists.
> 
> In passing, I will note that the same issue appears to be occurring with posts of Errata Notices.
> -- 
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D0D174DB-B479-478C-8C48-6B862A0DADCB>