Subject: Re: CVS commit: htdocs/Security
To: Jan Schaumann <jschauma@netbsd.org>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: www-changes
Date: 10/08/2002 22:24:35

On Tue, Oct 08, 2002 at 10:19:24PM -0400, Jan Schaumann wrote:

> Well, actually, I think it would be desirable to have them a bit more
> available than just in the cvs-archive for historical reasons.  IMHO
> keeping them in the page but clearly labeled (as the 1.3 used to be)
> would have been sufficient, maybe adding another bold disclaimer to the
> actual pages.

Do we also add a disclaimer, "examine all newer advisories, as the
vulnerabilities in question may apply?"

I'm not opposed to doing something for EOL'd branches, but it's probably
worth re-thinking the goals of doing so and then figuring out what will
best serve those goals.

What is our goal for security patch pages for EOL'd releases? What security
information do we wish to provide? How do we want to frame it in light of
the fact that there could easily be subsequent holes found in the same files
noted in outdated patch pages, thus lending a false sense of security even
in those cases where a particular file or subsystem has been explicitly
addressed in the outdated patch pages in question?

I'm CCing this to www@, for more comment. (I didn't subscribe to www-changes
'till just now. Heh.)

-- 
Mason Loring Bliss   mason@acheron.middleboro.ma.us   Ewige Blumenkraft!
https://www.deadsexy.org/  awake ? sleep : random() & 2 ? dream : sleep;
