Date: Wed, 17 Sep 2003 20:49:01 -0700
From: Colin Percival
To: bmah@freebsd.org, Nielsen
cc: freebsd-security@freebsd.org
Subject: Re: ftp.freebsd.org out of date? (WRT security advisories)
Message-id: <5.0.2.1.1.20030917204627.02df0a38@popserver.sfu.ca>
In-reply-to: <200309180340.h8I3e8Hl042756@intruder.kitchenlab.org>

At 20:40 17/09/2003 -0700, Bruce A. Mah wrote:
>I'm not sure what's a good solution to this. I know that security-team
>is aware of the problem, in fact it came up in the security-officer BoF
>at BSDCon. It was mentioned, but I don't recall anything being decided.
>(One possibility might be to put the advisories on the Web site and
>force an update immediately after an advisory is issued. I do this
>during the late stages of a release cycle to push out the release
>announcements and release notes. The problem with this, however, is
>that everyone is conditioned to look to the FTP sites for advisories.)

One option would be to put the patch signatures on the website (where
they could be force-updated). Nobody would ever consider applying a patch
without verifying the attached signature, right?

Colin Percival