Subject: Security advisories
To: None <>
From: Dave Tyson <>
List: tech-security
Date: 03/27/2006 10:05:46
[minor ranting]

Notwithstanding the discussion on this list a few days ago about the latest 
sendmail security alert, I am concerned that the project seems to be failing 
to get this information out to users in a timely manner. 

I actually got the FreeBSD security advisory mailed almost a week ago and a 
quick look convinced me this would apply to NetBSD as well. I expected to get 
a similar NetBSD missive in the post within a day or two and so far nothing 
has appeared.  FreeBSD has patches on their site, OpenBSD at least 
acknowledges that its releases are vulnerable, but there seems to be a 
deathly silence on the NetBSD site. OK the default install may not be 
vulnerable, but people reconfigure systems :-) and even just a note 
acknowledging the existence of the advisory would at least make people feel 
that "the light is on and someone's at home" - patches can follow later as 

We've fixed up our vulnerable systems, but I wonder how many 'new starters'
are even aware of the issue. I am sure the project used to be a LOT more 
responsive in the past to dealing with security issues.

[/minor ranting]

Lest I end on a negative note, I still feel this project produces one of the 
most stable and useable operating systems and it is a tribute to the hard 
work of the developers. The 3.0 release is definitely one of the best and 
pkgsrc really rocks. We continue to run it as the preferred OS on about 
40 servers. 


Computing Services Dept         Phone/Fax: 0151-794-3731/3759
The University of Liverpool     Email:
Chadwick Tower, Peach Street    WWW:
Liverpool L69 7ZF               Open Source O/S: