Date: Tue, 06 Aug 2002 03:33:59 -0700
From: Colin Percival <Colin_Percival@sfu.ca>
To: Dag-Erling Smorgrav <des@ofug.org>, Anatole Shaw <shaw@autoloop.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: advisory coordination (Re: SA-02:35)
Message-ID: <5.0.2.1.1.20020806031941.01febf28@popserver.sfu.ca>
In-Reply-To: <xzpznw0fgez.fsf@flood.ping.uio.no>
References: <20020806053237.A49851@kagnew.autoloop.com> <1028312148.3d4acc54c5eef@webmail.vsi.ru> <xzpado0hp1h.fsf@flood.ping.uio.no> <20020806053237.A49851@kagnew.autoloop.com>
At 12:08 06/08/2002 +0200, Dag-Erling Smorgrav wrote:
>Anatole Shaw <shaw@autoloop.com> writes:
> > I'm all for full-disclosure, but something is very wrong in these 2 cases.
> > Known security problems are being released in fragments without any
> > coordination. It seems that a basic Vulnerability Coordination function
> > is broken or missing, and surely we can fix this.
>
>What do you propose?

It wouldn't be a panacea, but if the mirrors could be set to update automatically when a security issue arises (instead of operating on their normal schedule) then the issue of advisories coming out before relevant files were mirrored would not be a danger. I can't see that this would cause any problems, since any blackhats looking for unannounced patches would be looking on the main ftp server anyway.

Apart from that... is there anything wrong with issuing a preliminary notice and following up with full details later? I think everyone knows you're volunteering -- and is very happy with everything you're doing -- and would not complain if you miss a few details in order to send out a warning sooner.

Colin Percival