Date: Tue, 6 Aug 2002 06:57:38 -0500
From: "Jacques A. Vidrine"
To: Colin Percival
Cc: Dag-Erling Smorgrav, Anatole Shaw, freebsd-security@FreeBSD.ORG
Subject: Re: advisory coordination (Re: SA-02:35)
Message-ID: <20020806115738.GG94762@madman.nectar.cc>

On Tue, Aug 06, 2002 at 03:33:59AM -0700, Colin Percival wrote:
> It wouldn't be a panacea, but if the mirrors could be set to update
> automatically when a security issue arises (instead of operating on their
> normal schedule) then the issue of advisories coming out before relevant
> files were mirrored would not be a danger. I can't see that this would
> cause any problems, since any blackhats looking for unannounced patches
> would be looking on the main ftp server anyway.

As I implied in my previous message, no patches will hit any FTP
server or other public source before being committed to the FreeBSD
security branches. Once they are in the security branches, the
patches themselves are public and available.

> Apart from that... is there anything wrong with issuing a preliminary
> notice and following up with full details later?

Not in and of itself. In this case, I released the advisory as soon
as I believed that we had enough information to do so.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se