From owner-freebsd-security Mon Aug 27 16:41:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id E7D1C37B401; Mon, 27 Aug 2001 16:41:22 -0700 (PDT) (envelope-from christopher@schulte.org)
Received: from schulte-laptop.schulte.org (nb-97.netbriefings.com [209.134.134.97]) by poontang.schulte.org (Postfix) with ESMTP id 1E658D14B9; Mon, 27 Aug 2001 18:41:21 -0500 (CDT)
Message-Id: <5.1.0.14.0.20010827182914.00b00e88@pop.schulte.org>
X-Sender: schulte@pop.schulte.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 27 Aug 2001 18:39:54 -0500
To: Mikhail Kruk, Igor Roshchin
From: Christopher Schulte
Subject: Re: procmail, squid: any takers?
Cc: "Jacques A. Vidrine"
References: <200108272048.f7RKm5k67160@giganda.komkon.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 07:27 PM 8/27/2001 -0400, Mikhail Kruk wrote:
>Another possibility (which of course was discussed many times here) is to
>release informal warnings on the list as soon as a bug is patched and then
>take as long as needed to release formal advisory... I guess it's not
>an acceptable solution for some reason.

People who follow RELENG_4_X may be able to stay on top of these things easier, as we can see the changes more clearly in cvsup, and /usr/src/UPDATING now seems to document every commit to this branch. Nice new feature, IMHO.

I've been aware of fixed problems long before security advisories have come out, now. I do *still* need to cvsup, or subscribe to cvs-all, or watch the cvs repo via cvsweb to know what's going on. But it's much easier than following every commit to -STABLE, since I know offhand most or all commits are security related and will probably be followed up by an advisory sooner or later.

My guess is that way too much support would go into 'informal advisories' as people would be clawing the security officer to death asking for exact directions for applying patches and installing fixed binaries. This is what advisories are for!

Then of course when the security officer made a typo or mistake (which would happen), the same crowd would be right there to point out the mistakes. Not to mention the madness when we have differing opinions on how to implement a source fix (remember the telnetd fiasco?).