Subject: Re: Security advisories
To: None <tech-security@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: tech-security
Date: 03/28/2006 22:27:04

In article <20060328215928.GA15480@panix.com>,
Ed Ravin  <eravin@panix.com> wrote:
>On Mon, Mar 27, 2006 at 10:05:46AM +0100, Dave Tyson wrote:
>> [minor ranting]
>> 
>> Notwithstanding the discussion on this list a few days ago about the latest 
>> sendmail security alert, I am concerned that the project seems to be failing 
>> to get this information out to users in a timely manner. 
>> 
>> I actually got the FreeBSD security advisory mailed almost a week ago and a 
>> quick look convinced me this would apply to NetBSD as well. I expected to get 
>> a similar NetBSD missive in the post within a day or two and so far nothing 
>> has appeared.
>...
>> We've fixed up our vulnerable systems, but I wonder how many 'new starters'
>> are even aware of the issue. I am sure the project used to be a LOT more 
>> responsive in the past to dealing with security issues.
>
>I've been disappointed in the past when security vulnerabilities that
>seemed to me to be major problems went without advisories, and were
>fixed only in current and not the releases.
>
>I suspect there's a shortage of volunteer time in the security officer
>slot.  I agree that it makes NetBSD look bad compared to everyone else.
>
>BTW, it looks like the sendmail fixes were posted to CVS on March 24,
>for both current and releases.

And there are quite a few advisories in the pipeline. Security officer
is not a very glamorous role.

christos