My intention is not to critizise but to offer an idea and
help balance the sense of urgency.
Vincent Danen wrote:
> On Tue Jan 16, 2001 at 04:23:15PM -0500, b5dave wrote:
>> One expects to be the first notified
>> of Mandrake security issues when one is subscribed to
>> Mandrake's security-announce. There's an implied if not explicit
>> expectancy that the list should be sufficient for being alerted to
>> Mandrake security issues. ... It is analogous to some virus or
>> trojan disabling my system's local security warnings.
> While I think your comparison is ridiculous, I do agree that the list
> needs to be fixed.
Extreme maybe but not ridiculous. With mass mailing of security
problems the game becomes a race to see who can a) explot the weakness
or b) fix the weakness first. I fully support the idea of posting
security problems because this gives sysadmins at least a fighting
chance. But the information IS timely and communication lines must
be "fast" and reliable.
> However, I became aware of this problem two days
> ago. If this has been going on for a month, then someone should have
> said something.
Agreed - except people on the receiving and of the list don't know
when they have not received a message. Perhaps for those who need
up-to-the-minute reports, there could be a version of the list that
sends out a "deadman" message once per day. Folks who need this info,
and check their email constantly, would feel more secure about receiving
up-to-date reports, and thus then could also provide feedback sooner.
Many users might not want this much traffic, but I think it is desireable
for sysadmins with a lot of responsibility.
> At this point the going is slow to find a fix because that individual
> is gone for the week, but rest assured we are trying to get this fixed
> ASAP.
Great, thanks for the extra effort.
duane