Re: Important OpenBSD errata

To: Misc OpenBSD <misc@...>
Date: Friday, March 16, 2007 - 2:25 pm

On 3/16/07, Martin Schröder <martin@oneiros.de> wrote:
[snip blah blah blah...]

After all the kvetching and sensationalism that's characterized both
this thread and the release of this errata, there are a few things I
wanted to point out. Theo's already put out the timeline and
circumstances around classification of reliability and later security
fix. Core Security also included the timeline in their advisory. The
first point to make is this: the fix was applied in a more-than-timely
manner. The errata was merged into -stable and made available March 7.
Core Security released their advisory March 13. That's very good lead
time, and that means the patch was available darn near a week before
the advisory came out. If people aren't checking the errata pages for
a week at a time, there's a larger issue than a lack of email
notification.

The second point relates to the natural dissent that the first point
invites; if the announcement doesn't go to the security announce list,
how are people supposed to know that the errata is available? I want
everyone trying to make that point to think of all the software
vendors they deal with, including the commercial software vendors to
whom you pay thousands (and depending on the size of your
organization, millions) of dollars per year. Can you say that you
get SMTP notifications from all of them? The answer, if you're in any
situation resembling what I've been in for the last decade, is no. The
reality is, it's *not* an assumption that you'll get notifications
from anyone in your happy little inbox. Most of my current vendors
(lots of them, too) don't have any official vulnerability notification
channel in place, and when we approach them about it, they point us to
their web site support page where we can find updates as they are
released. The landscape for this kind of thing is awful, and in fact
OpenBSD is ahead of the curve here because they actually do admit and
respond to vulnerabilities in an open manner. Closed source,
commercial vendors hide it and sweep it under the rug.

As has been pointed out, you will have better success tracking other
sources such that you increase your chances of hearing about
vulnerability information before it's too late. source-changes is a
good option. Undeadly is nice. tech@ is a good one to lurk on. There's
an IRC channel. And of course, there's the collection of Internet
resources for vulnerability research information. If you're not
tracking things like bugtraq, full-disclosure, Dshield, CERT lists,
milw0rm, etc, etc, etc, then your problems (and your precious
customers' problems) are much bigger than an IPv6 vulnerability in
OpenBSD.

You can bitch about the security announce mailing list, or you can put
forth some effort to do something proactive yourself to get more
benefit from the free software you use. Those of us that were patched
before the advisory came out would probably say you're better off with
the latter.

DS