On Wed Jan 17, 2001 at 01:47:49PM -0600, duane voth wrote:

> My intention is not to criticize but to offer an idea and
> help balance the sense of urgency.

I understand.

> >> One expects to be the first notified
> >> of Mandrake security issues when one is subscribed to
> >> Mandrake's security-announce. There's an implied if not explicit
> >> expectancy that the list should be sufficient for being alerted to
> >> Mandrake security issues. ... It is analogous to some virus or
> >> trojan disabling my system's local security warnings.
>  
> > While I think your comparison is ridiculous, I do agree that the list
> > needs to be fixed.
> 
> Extreme maybe but not ridiculous.  With mass mailing of security
> problems the game becomes a race to see who can a) exploit the weakness
> or b) fix the weakness first.  I fully support the idea of posting
> security problems because this gives sysadmins at least a fighting
> chance.  But the information IS timely and communication lines must
> be "fast" and reliable.

Well, it is ridiculous.  It's a silly comparison.  A broken mailing
list similar to a virus?  I don't think so.  It's not like that
mailing list is the *only* avenue for becoming aware of updates.
There are other means just as easy, convenient, and simple as the
mailing list (which, FYI, is fixed now).

> > However, I became aware of this problem two days
> > ago.  If this has been going on for a month, then someone should have
> > said something.
> 
> Agreed - except people on the receiving end of the list don't know
> when they have not received a message.  Perhaps for those who need
> up-to-the-minute reports, there could be a version of the list that
> sends out a "deadman" message once per day.  Folks who need this info,
> and check their email constantly, would feel more secure about receiving
> up-to-date reports, and thus then could also provide feedback sooner.

I don't think that's necessary.  If people want that kind of
redundancy, they can subscribe to mdk-security (a mailing list I run
from my Freezer Burn website) or bugtraq (securityfocus) or linuxlist
(securityportal).  I cc the advisories to those three lists in
addition to security-announce.  

If anyone is interested in subscribing to mdk-security, you can do so
by emailing [EMAIL PROTECTED]  For the others,
visit www.securityfocus.com or www.securityportal.com for instructions
on how to subscribe to those lists.  Your best bet is either the
securityportal list or mdk-security...  messages to mdk-security go
out about 10 seconds after I post to the list since the server is 2
feet from me.  Messages to linuxlist (from securityportal) are
received in my mailbox within 10 minutes (more often than not).

> Many users might not want this much traffic, but I think it is desirable
> for sysadmins with a lot of responsibility.

I think the above idea (redundancy in mailing lists by subscribing to
another of the three previously mentioned) is a better idea than
creating a new "security-announce-deadman" list.

> > At this point the going is slow to find a fix because that individual
> > is gone for the week, but rest assured we are trying to get this fixed
> > ASAP.
> 
> Great, thanks for the extra effort.

You're welcome.  And it's fixed now (thanks to jloup for that!)

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD
 - Danen Consulting Services    www.danen.net, www.freezer-burn.org
 - MandrakeSoft, Inc. Security  www.linux-mandrake.com

Current Linux uptime: 2 days 3 hours 43 minutes.
