From: Colin Percival (Colin_Percival_at_sfu.ca)
Date: Tue Aug 06 2002 - 05:33:59 CDT

At 12:08 06/08/2002 +0200, Dag-Erling Smorgrav wrote:
>Anatole Shaw <shawautoloop.com> writes:
> > I'm all for full-disclosure, but something is very wrong in these 2
> > cases.
> > Known security problems are being released in fragments without any
> > coordination. It seems that a basic Vulnerability Coordination function
> > is broken or missing, and surely we can fix this.
>
>What do you propose?

   It wouldn't be a panacea, but if the mirrors could be set to update
automatically when a security issue arises (instead of operating on their
normal schedule) then the issue of advisories coming out before relevant
files were mirrored would not be a danger. I can't see that this would
cause any problems, since any blackhats looking for unannounced patches
would be looking on the main ftp server anyway.
   Apart from that... is there anything wrong with issuing a preliminary
notice and following up with full details later? I think everyone knows
you're volunteering -- and is very happy with everything you're doing --
and would not complain if you miss a few details in order to send out a
warning sooner.

Colin Percival
