Subject: Re: Security advisories
To: Ed Ravin <eravin@panix.com>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: tech-security
Date: 03/29/2006 01:00:24
On Tue, 2006-03-28 at 16:59, Ed Ravin wrote:
> On Mon, Mar 27, 2006 at 10:05:46AM +0100, Dave Tyson wrote:
> > [minor ranting]
> > 
> > Notwithstanding the discussion on this list a few days ago about the latest 
> > sendmail security alert, I am concerned that the project seems to be failing 

Yeah, even if the official security advisory isn't released, as soon as
these fixes are committed there should be some threads appearing on the
list.

If the advisories are on delay due to the need for careful review and
testing, then how else can you accelerate the process than by starting
discussion?

Ed/Dave: I just had the same thoughts about OpenBSD of all things.  You
know, up until some very recent release, they were shipping a base
userland that bound sendmail to wildcard TCP/25, so... They omitted the
Sendmail patches from their front page "Daily Changelog", but
immediately made an Errata entry for 3.7 and 3.8.

http://openbsd.org/errata37.html

...but very little discussion on the lists.

We don't have an "Errata" system, but I would expect to see these fixes
listed in:

http://www.netbsd.org/Security/patches-3.0.html
http://www.netbsd.org/Security/patches-2.1.html
http://www.netbsd.org/Security/patches-2.0.html

Of course, they don't do formal advisories either.  But I think the idea
here is that NetBSD is generally the best of both worlds >:}

~BAS