Subject: Security of patch distributions
To: None <>
From: Hubert Feyrer <>
List: tech-security
Date: 12/29/2000 02:53:39
``In this research project, BindView Corporation has studied the processes
by which 27 operating-system vendors distribute security patches. The
report focuses onvulnerabilities in these processes, with the hope that
customers can use the information to assess the adequacy of the processes
used by their own vendors, in both an absolute and comparative sense.''


The following things can be learned from the text:

 * it's good we use PGP for security advisories
 * we should also PGP sign releases (or maybe just the checksum files?)
 * we should make SSH host keys of trusted anoncvs servers public
   (in a PGP-signed way).

 - Hubert

Hubert Feyrer <>