Re: procmail, squid: any takers?

From: Kris Kennaway (kris@obsecurity.org)
Date: 08/28/01


Date: Mon, 27 Aug 2001 17:44:45 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Christopher Schulte <christopher@schulte.org>


On Mon, Aug 27, 2001 at 06:39:54PM -0500, Christopher Schulte wrote:

> My guess is that way too much support would go into 'informal advisories'
> as people would be clawing the security officer to death asking for exact
> directions for applying patches and installing fixed binaries. This is
> what advisories are for! Then of course when the security officer made a
> typo or mistake (which would happen), the same crowd would be right there
> to point out the mistakes. Not to mention the madness when we have
> differing opinions on how to implement a source fix (remember the telnetd
> fiasco?).

That's exactly right. We're not going to start doing "informal
advisories" for the above reasons, but there's no reason the community
couldn't (or in fact shouldn't) be performing this informal support
role themselves. This already happens to some extent.

People just need to be aware that interim fixes may be wrong (and in
fact the "official fixes" from us may also be wrong, although we of
course strive hard to avoid that case and take responsibility for
correcting the incorrect information when it occurs).

Kris
FreeBSD Security Officer



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



