Date: Tue, 17 Apr 2001 18:17:10 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Michael Bryan <fbsd-secure@ursine.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Latency of security notifications
Message-ID: <20010417181710.A12757@xor.obsecurity.org>
In-Reply-To: <3ADCD543.8AB7B426@ursine.com>; from fbsd-secure@ursine.com on Tue, Apr 17, 2001 at 04:44:03PM -0700
References: <200104171717.AA1124598422@stmail.pace.edu> <20010417150221.B3580@blazingdot.com> <3ADCD543.8AB7B426@ursine.com>
On Tue, Apr 17, 2001 at 04:44:03PM -0700, Michael Bryan wrote:
> Bottom line, I think a -lot- of people would be happier if the
> FreeBSD SAs could go out as soon as possible after a security hole
> is disclosed publicly in some other forum, even if all they say is
> words to the effect of "Be aware that this security problem exists,
> here's a workaround (if any), and we'll be updating this advisory
> when official patch information is available."
>
> That way people can get rapid notification of potential problems
> without having to read all of freebsd-security, and instead pick it
> up via -announce, presumably with pager notification if they so
> desire. Kris, what do you think about this?

I think it would result in a flood of support questions about "how do I fix this?"/"What does this mean?" and end up causing the security officer team a lot more work if it came from us, even as some kind of unofficial statement (especially if it was a very brief statement, which it would have to be to get immediately released upon third-party disclosure of a vulnerability, because none of us have enough free time to actively pre-empt whatever else we're doing to go and write something comprehensive).

Other people usually send copies of third-party advisories to this forum for serious issues as soon as they're published (on bugtraq or wherever), and the community takes care of the interim support: that seems like a much better solution to me.

> And I realize that part of the delay for the recent advisories
> (ntpd, ipfilter, ftpd) was because Kris was out of town for two
> weeks. But when I heard that, I was surprised, as I didn't realize
> he had no "backup". In the future, I think it would be a good idea
> to try and have a second/backup person available who could send out
> at least the initial SA if Kris isn't available for that task, if at
> all possible.
There are a number of others who are part of the security officer team, and in fact the ntpd advisory was written and released by Chris Faulhaber during my absence; it just so happens that we're all going through a busy time right now with our daytime lives, and so the latency of released advisories has increased recently. Hopefully that will improve.

Kris