Date: Tue, 10 Apr 2001 10:48:03 -0700
From: Michael Bryan <fbsd-secure@ursine.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
Message-ID: <3AD34753.E405CD6F@ursine.com>
References: <3AD33218.FE8D7ACD@ursine.com> <3AD33218.FE8D7ACD@ursine.com> <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>

Christopher Schulte wrote:
>
> I imagine many production servers do not follow -STABLE religiously, but
> will upgrade as needed when heads-up of specific issues are unearthed.

Previous discussions on the list have made it clear that this is true
for quite a few sites. It's certainly true for the one I manage.

> It's that unearthing process that needs work; one can track list after list
> after list, or look to their vendor. I'd prefer to see 'hey here's a new
> issue... we don't have it fixed yet, but workarounds may include...' rather
> than silence from the security officer.

Exactly.

> Perhaps a security-heads-up list of sorts. It'd be the crossroad between
> security and security-advisories. Moderated, but with a less formal feel
> than advisories.

Actually, I think the existing security advisory format and mailing list
works fine. I personally see nothing wrong with releasing an early version
of an advisory that just says "Here's the issue and some potential
workarounds, a fix will be forthcoming," and then release an updated version
of the advisory when the fix is available. FreeBSD has done updated
advisories in the past, I believe, and certainly other vendors have as well.
IIRC, the procedure for advisories and older versions of FreeBSD follows
that pattern as well, with updated advisories coming out when older versions
get the fix some time after the current releases.

It's a common enough procedure that's fairly easy to understand (as long as
the updates make it clear what's different from the first advisory), and it
avoids having to subscribe to yet another list.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message