Date:      Tue, 10 Apr 2001 20:07:35 +0200
From:      Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>
To:        Christopher Schulte <christopher@schulte.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Security Announcements?
Message-ID:  <20010410200735.A11098@petra.hos.u-szeged.hu>
In-Reply-To: <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>; from christopher@schulte.org on Tue, Apr 10, 2001 at 12:21:10PM -0500
References:  <3AD33218.FE8D7ACD@ursine.com> <3AD33218.FE8D7ACD@ursine.com> <20010410185256.A20479@petra.hos.u-szeged.hu> <5.0.2.1.0.20010410121258.031bce10@pop.schulte.org>

On Tue, Apr 10, 2001 at 12:21:10PM -0500, Christopher Schulte wrote:
> 
> I imagine many production servers do not follow -STABLE religiously, but 
> will upgrade as needed when heads-up of specific issues are unearthed.

Certainly. It was just that this is the only way to find out as of now.  

> It's that unearthing process that needs work; one can track list after list 
> after list, or look to their vendor.  I'd prefer to see 'hey here's a new 
> issue... we don't have it fixed yet, but workarounds may include...' rather 
> than silence from the security officer.
> 
> Perhaps a security-heads-up list of sorts.  It'd be the crossroad between 
> security and security-advisories.  Moderated, but with a less formal feel 
> than advisories.

I agree with you and did not say what I said as some sort of critique of
you or anything. This is the role the -security list was supposed to serve,
but as we all know, it has lately been failing in this role rather spectacularly.
Which is a pity. I am not sure moderation would help a lot, because when
discussion of upcoming problems is what you want, even the time it takes to
do the moderation may be too much sometimes. Of course, it serves well to
exclude the off-topic chatter that seems to be so prevalent on -security
today... I don't know a good solution. Also, at certain times it is
coordination with other vendors who have the same problem that might hold off an
SA, and in this case it would not be possible to jump the gun on a heads-up
list either by announcing the thing earlier, even if only informally.

Also, there is the problem that the same systems that cannot afford to
follow -STABLE regularly won't want to do this for SAs either but choose to
apply a patch instead, which on the other hand needs more careful testing
than just saying: "Upgrade to the latest and greatest". Maybe the best idea
would be to make the -security list on-topic again... yeah, I am
dreaming:-) 

Just my HUF 0.02 (which won't buy you anything here, BTW:-)
-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010410200735.A11098>