Date: Mon, 18 Apr 2022 14:06:48 -0700
From: Kevin Oberman <rkoberman@gmail.com>
To: Gordon Tetlow <gordon@tetlows.org>
Cc: postmaster@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Lack of notification of security notices
Message-ID: <CAN6yY1sw0vW%2BnHbMmt%2BF57i9nSrFNGj%2B7jLH2xxKWzSg4TfF3Q@mail.gmail.com>
In-Reply-To: <D0D174DB-B479-478C-8C48-6B862A0DADCB@tetlows.org>
References: <CAN6yY1tcGowuUPG0TGBvLuVZzm_inRt77yp7efpvU3JWHk2Dcg@mail.gmail.com> <D0D174DB-B479-478C-8C48-6B862A0DADCB@tetlows.org>

On Mon, Apr 18, 2022 at 1:19 PM Gordon Tetlow <gordon@tetlows.org> wrote:

> From the secteam point of view, we haven't changed anything in the way we
> send messages to the mailing lists. I have double checked and all SAs are
> sent to the three addresses listed. I suspect this is likely fallout of the
> mailing list change over.
>
> I can say for my part, I have gotten a copy of the messages from both the
> freebsd-announce and freebsd-security mailing lists for the SAs I have sent
> out (I'm not subscribed to the freebsd-security-notifications list). I just
> confirmed the headers for the 2 copies of SA-22:08.zlib that I received
> that it is routing through the lists.
>
> It does appear as though the messages are not properly archiving into the
> mailing list archives. Adding postmaster to the thread for them to dig into
> why that might be.
>
> Gordon
> Hat: security-officer

Clearly, something has failed. The archives show no messages to stable,
security-notifications or announce for security advisories or errata notes
since an errata note on March 22. There was an e-mail on stable sent on the
7th asking why the April 6 messages did not get posted to stable, so it is
not just me. The issue is new this month, so the change in mailers last year
is not directly responsible. If I was to take a guess, I suspect something
changed between the March ENs and April 6 in how the mailer treats
cross-posts. Looks like something changed in the two weeks between March 22
and April 6.

Mr. Postmaster???

> On Apr 18, 2022, at 12:57 PM, Kevin Oberman <rkoberman@gmail.com> wrote:
>
> As per the FreeBSD Security Information web page
> <https://www.freebsd.org/security/>, security notifications are sent to:
>
> - FreeBSD-security-notifications@FreeBSD.org
> - FreeBSD-security@FreeBSD.org
> - FreeBSD-announce@FreeBSD.org
>
> This policy has lately been ignored. No postings show up in the archives
> of FreeBSD-security-notifications@FreeBSD.org since January. Likewise for
> freebsd-announce. The only list showing the April 6 announcements is this
> one, freebsd-security@freebad.org.
>
> In the past, Security Announcements and Errata Notes have also been copied
> to the stable and current lists as appropriate, although this is not
> mentioned. This delayed the update of my systems by several days.
> Fortunately, only one of these vulnerabilities was relevant to my systems.
>
> Even though the announcements are almost 2 weeks old, it is still likely
> that some people are unaware of them, so I would strongly urge that they be
> posted to, at least, FreeBSD-Announce and FreeBSD-Stable lists.
>
> In passing, I will note that the same issue appears to be occurring with
> posts of Errata Notices.
> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1sw0vW%2BnHbMmt%2BF57i9nSrFNGj%2B7jLH2xxKWzSg4TfF3Q>