Subject: silent(?) change to 19990120-accept security patch?!?!
To: NetBSD User's Discussion List <netbsd-users@NetBSD.ORG>
From: Greg A. Woods <woods@most.weird.com>
List: netbsd-users
Date: 04/14/1999 15:24:52
I was somewhat surprised and dismayed to discover that the
19990120-accept security patch was silently changed on ftp.netbsd.org a
day after it was first posted.

The currently available file is dated Jan 21 17:11 EST, but the original
that I ftp'ed was dated Jan 20 15:30 EST (as the filename would suggest
it should be), and these files contain fairly radically different patches.

Unfortunately to the best of my knowledge no mention was ever made of
the fact that the original patch was incorrect and had been replaced,
and no evidence remains on the FTP.NetBSD.ORG server to attest to this
fact.  This seems rather disconcerting, especially for a "security"
patch!

I wonder how many people diligently downloaded and applied the patch on
the day the advisory was posted, just as I did, and then failed to
notice that it was replaced with a totally different patch the next day.
I only discovered the discrepancy because I have not been quite so
diligent about more recent patches (mostly because the machines I've
been worrying over recently don't have un-trusted users logging in to
them), but this vfs_lookup bug got me interested and I decided I'd
better catch up and in the process of manually updating my "mirror" of
the security directory I noted that this file was different even though
I already had a copy of it.  Anyone doing automatic mirroring would
likley never have noticed the replacement.

What can we do to make sure this never happens again and that all
changes to the existing files on the ftp server are audited and tracked
in a visibly accountable fashion (i.e. so that all changes remain
visible on the ftp server)?  What can we do to make sure all security
advisories and any subsequent changes or updates to them also make it
into http://www.netbsd.org/Changes/ (only the most recent one seems to
be mentioned)?  What can we do to more prominently advertise an e-mail
address that will reliably reach the TNF "security officer" (if indeed
there is one)?  [Does <security@NetBSD.ORG> work?]

Should I have Cc'ed this message to BUGTRAQ to make sure the set of
readers only on that list will also be informed that if they acted
immediately on the original NetBSD-SA1999-001 advisory posted there then
they're not actually using the currently approved fix, or will someone
with official TNF responsibility correct this oversight?

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>