Re: procmail, squid: any takers?

From: Kris Kennaway (kris@obsecurity.org)
Date: 08/28/01


Date: Mon, 27 Aug 2001 17:44:45 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Christopher Schulte <christopher@schulte.org>


On Mon, Aug 27, 2001 at 06:39:54PM -0500, Christopher Schulte wrote:

> My guess is that way too much support would go into 'informal advisories'
> as people would be clawing the security officer to death asking for exact
> directions for applying patches and installing fixed binaries. This is
> what advisories are for! Then of course when the security officer made a
> typo or mistake (which would happen), the same crowd would be right there
> to point out the mistakes. Not to mention the madness when we have
> differing opinions on how to implement a source fix (remember the telnetd
> fiasco?).

That's exactly right. We're not going to start doing "informal
advisories" for the above reasons, but there's no reason the community
couldn't (or in fact shouldn't) be performing this informal support
role themselves. This already happens to some extent.

People just need to be aware that interim fixes may be wrong (and in
fact the "official fixes" from us may also be wrong, although we of
course strive hard to avoid that case and take responsibility for
correcting the incorrect information when it occurs).

Kris
FreeBSD Security Officer


