On 03/15/2007 10:24:31 PM, Tony Abernethy wrote:
> Karl O. Pinc wrote:
> >
> > On 03/14/2007 09:13:19 AM, Martin Schröder wrote:
> > > 2007/3/13, Theo de Raadt <[EMAIL PROTECTED]>:
> > >> This means everyone should have our latest patches installed.
> >
> > > Just a reminder: security-announce exists for messages like this. Use
> > > it or delete it.
>
> > I rely on having a clear channel for security related problems.
>
> > My high expectations have always been met and that's what
> > makes this communication breakdown hurt.  It's not the
> > magnitude of the security vulnerability that's the problem.
> >
> > Problems communicating patch availability lead to security
> > problems as severe as unpatched vulnerabilities.
>
> 1) JUMP!
> 2) HOW HIGH?
>
> If the security is real and is actually proactive
> Seems like you shouldn't have to play that game.

All the security in the world does me no good
if it's not installed on my systems.

> Is the bug actually serious in practice?

No.

> Are you actually safer with the bug fixed?

Yes.  If I wasn't then there wouldn't be
an errata would there?

> My gut feel is that the next unsung fix will actually make more
> difference to how secure the resulting system is.

I track -STABLE, because I want reliability.  I won't
get the next unsung fix until an errata is announced
that might affect me.  I've better things to do
than install new builds all the time.

> This is from a kibitzer, BUT
> I can guarantee that the security of OpenBSD is NOT due to panic
> attacks of trying to keep up with the latest security breaches.

No, but if security errata announcements aren't delivered
in a fashion that delivers them to a human then they
do no good.  I should not be expected to peruse the
[email protected] list to find errata announcements.
OpenBSD says announcements will be made on security-announce
when patches become available.  This did not happen.
Ergo, something is broken.  I can't fix it.  It may
not be fixable, but if it is fixable then it should
be fixed.  We should not all just pretend it didn't
happen.  If there is something that
can be fixed I'd like to hear about it when it
gets fixed.  Hence my post.

Further, it's important to let the OpenBSD project
know how important the brokenness is.  (Recall,
I'm not talking about the security vulnerability,
I'm talking about the communication breakdown.)
If my clients hear about an OpenBSD vulnerability
from the media, before I hear about it from
OpenBSD, that's bad.  I want them to hear about
problems with their systems, however slight, from
me (or directly from OpenBSD of course).  I don't
want clients to hear about problems on their systems
from some media panic attack article.

OpenBSD has always solicited feedback regarding
how important particular bugs are.
Now you've the relevant information, you
can decide how high to jump.

Regards,

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
