Subject: Security of patch distributions
To: None <tech-security@netbsd.org>
From: Hubert Feyrer <hubert@feyrer.de>
List: tech-security
Date: 12/29/2000 02:53:39
``In this research project, BindView Corporation has studied the processes
by which 27 operating-system vendors distribute security patches. The
report focuses on vulnerabilities in these processes, with the hope that
customers can use the information to assess the adequacy of the processes
used by their own vendors, in both an absolute and comparative sense.''

=> http://razor.bindview.com/publish/papers/os-patch.html


The following things can be learned from the text:

 * it's good we use PGP for security advisories
 * we should also PGP sign releases (or maybe just the checksum files?)
 * we should make SSH host keys of trusted anoncvs servers public
   (in a PGP-signed way).


 - Hubert

-- 
Hubert Feyrer <hubert@feyrer.de>
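As an added illustration of the second bullet (signing the checksum file rather than every release artifact), here is a small verifier that is not part of Hubert's post or of NetBSD's own tooling. It assumes a manifest of `SHA256 (file) = hex` lines that has been cleartext-signed with GnuPG, a `gpg` binary on PATH for the signature step, and a caller-supplied signing-key fingerprint (a placeholder in the code). The order matters: the signature on the manifest is checked first, and only then are the digests it lists trusted; files present in the release directory but absent from the signed manifest are reported rather than silently accepted.

```python
"""Verify release files against a PGP-signed checksum manifest.

Added example, not code from the original post or from NetBSD. Assumes
a GnuPG cleartext-signed manifest of "SHA256 (name) = hexdigest" lines
and a gpg binary on PATH; the manifest format is our own assumption.
"""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Manifest line format assumed here (constructed for this example).
_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def parse_manifest(text: str) -> dict:
    """Return {filename: expected sha256}; armor and other lines are ignored."""
    expected = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest")
    return expected


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large tarballs are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(manifest_text: str, directory: Path) -> dict:
    """Return {name: 'ok' | 'mismatch' | 'missing' | 'unlisted'}.

    'unlisted' flags a file sitting next to the release that the signed
    manifest does not vouch for, so an extra unsigned file is never trusted.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        p = directory / name
        if not p.is_file():
            results[name] = "missing"
        elif sha256_of(p) != digest:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    for p in directory.iterdir():
        if p.is_file() and p.name not in expected and not p.name.endswith(".asc"):
            results[p.name] = "unlisted"
    return results


def signature_is_good(signed_manifest: Path, signer_fpr: str) -> bool:
    """Run gpg and accept only a VALIDSIG line from the expected fingerprint.

    Checking the fingerprint, not merely "good signature", rejects a manifest
    signed by some other key that happens to be in the local keyring.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(signed_manifest)],
        capture_output=True, text=True,
    )
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2].upper() == signer_fpr.upper()
    return False


def verify_release(signed_manifest: Path, directory: Path, signer_fpr: str) -> bool:
    """Signature first, digests second: checksums are only meaningful once
    the file carrying them has been authenticated."""
    if not signature_is_good(signed_manifest, signer_fpr):
        return False
    results = verify_files(signed_manifest.read_text(), directory)
    return bool(results) and all(v == "ok" for v in results.values())


def demo() -> dict:
    """Constructed sample release: one intact file, one file modified after
    the manifest was written, and one extra file the manifest never listed."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "netbsd-1.5.tar.gz").write_bytes(b"release contents")  # constructed
        (d / "CHANGES").write_bytes(b"changelog")                    # constructed
        names = ("netbsd-1.5.tar.gz", "CHANGES")
        manifest = "".join(f"SHA256 ({n}) = {sha256_of(d / n)}\n" for n in names)
        (d / "CHANGES").write_bytes(b"changelog (modified after signing)")
        (d / "extra.bin").write_bytes(b"unsigned extra")
        return verify_files(manifest, d)


if __name__ == "__main__":
    # Full flow with a real signed manifest: placeholder key fingerprint.
    # verify_release(Path("SHA256.asc"), Path("."), "<SIGNING-KEY-FINGERPRINT>")
    print(demo())
```

`demo()` exercises only the digest stage, so it runs without a keyring; `verify_release` is the path to use once the signer's fingerprint has been obtained out of band (the same out-of-band trust anchor the third bullet asks for with SSH host keys).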