Subject: Re: Security advisories
To: None <firstname.lastname@example.org>
From: Christos Zoulas <email@example.com>
Date: 03/28/2006 22:27:04
In article <20060328215928.GA15480@panix.com>,
Ed Ravin <firstname.lastname@example.org> wrote:
>On Mon, Mar 27, 2006 at 10:05:46AM +0100, Dave Tyson wrote:
>> [minor ranting]
>> Notwithstanding the discussion on this list a few days ago about the latest
>> sendmail security alert, I am concerned that the project seems to be failing
>> to get this information out to users in a timely manner.
>> I actually got the FreeBSD security advisory mailed almost a week ago and a
>> quick look convinced me this would apply to NetBSD as well. I expected to get
>> a similar NetBSD missive in the post within a day or two and so far nothing
>> has appeared.
>> We've fixed up our vulnerable systems, but I wonder how many 'new starters'
>> are even aware of the issue. I am sure the project used to be a LOT more
>> responsive in the past to dealing with security issues.
>I've been disappointed in the past when security vulnerabilities that
>seemed to me to be major problems went without advisories, and were
>fixed only in current and not the releases.
>I suspect there's a shortage of volunteer time in the security officer
>slot. I agree that it makes NetBSD look bad compared to everyone else.
>BTW, it looks like the sendmail fixes were posted to CVS on March 24,
>for both current and releases.
And there are quite a few advisories in the pipeline. Security officer
is not a very glamorous role.