Date:      Tue, 10 Apr 2001 10:48:03 -0700
From:      Michael Bryan <fbsd-secure@ursine.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Security Announcements?
Message-ID:  <3AD34753.E405CD6F@ursine.com>
References:  <3AD33218.FE8D7ACD@ursine.com> <3AD33218.FE8D7ACD@ursine.com> <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>



Christopher Schulte wrote:
> 
> I imagine many production servers do not follow -STABLE religiously, but
> will upgrade as needed when heads-up of specific issues are unearthed.

Previous discussions on the list have made it clear that this is true for
quite a few sites.  It's certainly true for the one I manage.

> It's that unearthing process that needs work; one can track list after list
> after list, or look to their vendor.  I'd prefer to see 'hey here's a new
> issue... we don't have it fixed yet, but workarounds may include...' rather
> than silence from the security officer.

Exactly.

> Perhaps a security-heads-up list of sorts.  It'd be the crossroad between
> security and security-advisories.  Moderated, but with a less formal feel
> than advisories.

Actually, I think the existing security advisory format and mailing list
work fine.  I personally see nothing wrong with releasing an early version
of an advisory that just says "Here's the issue and some potential workarounds,
a fix will be forthcoming," and then releasing an updated version of the advisory
when the fix is available.  FreeBSD has done updated advisories in the past, I
believe, and certainly other vendors have as well.  IIRC, the procedure for
advisories and older versions of FreeBSD follows that pattern as well, with
updated advisories coming out when older versions get the fix some time after
the current releases.  It's a common enough procedure that's fairly easy to
understand (as long as the updates make it clear what's different from the first
advisory), and it avoids having to subscribe to yet another list.
