On 03/15/2007 10:24:31 PM, Tony Abernethy wrote:
quoted text
> Karl O. Pinc wrote:
> >
> > On 03/14/2007 09:13:19 AM, Martin Schrvder wrote:
> > > 2007/3/13, Theo de Raadt <deraadt@cvs.openbsd.org>:
> > >> This means everyone should have our latest patches installed.
> >
> > > Just a reminder: security-announce exists for messages like
> > this. Use
> > > it or delete it.

quoted text
> > I rely on having a clear channel for security related problems.

quoted text
> > My high expectations have always been met and that's what
> > makes this communication breakdown hurt.  It's not the
> > magnitude of the security vulnerability that's the problem.
> >
> > Problems communicating patch availability lead to security
> > problems as severe as unpatched vulnerabilities.

quoted text
> 1) JUMP!
> 2) HOW HIGH?

quoted text
> If the security is real and is actually proactive
> Seems like you shouldn't have to play that game.

All the security in the world does me no good
if it's not installed on my systems.

quoted text
> Is the bug actually serious in practice?

No.

quoted text
> Are you actually safer with the bug fixed?

Yes.  If I wasn't then there wouldn't be
an errata would there?

quoted text
> My gut feel is that the next unsung fix will actually make more
> difference to how secure the resulting system is.

I track -STABLE, because I want relyability.  I won't
get the next unsung fix until an errata is announced
that might affect me.  I've better things to do
than install new builds all the time.

quoted text
> This is from a kibitzer, BUT
> I can guarantee that the security of OpenBSD is NOT due to panic
> attacks of trying to keep up with the latest security breaches.

No, but if security errata announcements arn't delivered
in a fashion that delivers them to a human then they
do no good.  I should not be expected to peruse the
misc@openbsd.org list to find errata announcements.
OpenBSD says announcements will be made on security-announce
when patches become available.  This did not happen.
Ergo, something is broken.  I can't fix it.  It may
not be fixable, but if it is fixable then it should
be fixed.  We should not all just pretend it didn't
happen.  If there is something that
can be fixed I'd like to hear about it when it
gets fixed.  Hence my post.

Further, it's important to let the OpenBSD project
know how important the brokenness is.  (Recall,
I'm not talking about the security vulnerability,
I'm talking about the communication breakdown.)
If my clients hear about a OpenBSD vulnerability
from the media, before I hear about it from
OpenBSD, that's bad.  I want them to hear about
problems with their systems, however slight, from
me (or directly from OpenBSD of course).  I don't
want clients to hear about problems on their systems
from some media panic attack article.

OpenBSD has always solicited feedback regards
how important particular bugs are.
Now you've the relevant information you
can decide how high to jump.

Regards,

Karl <kop@meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein