On Fri 11 Apr 2014 12:11:06 NZST +1200, Jeremy Porter wrote:

> The security@ email list is brand new.  It's so we can announce
> issues like Heartbleed.  People can filter on it etc.
> Any security issues we become aware of will be announced here, as
> security advisories.

Perhaps it would be useful to clarify the intended use/purpose of the
lists, at
https://lists.pfsense.org/mailman/listinfo
Write a paragraph if needed, it doesn't have to be a one-liner for each
list.

Is the intended purpose of the SAs to notify of a problem, to point
users to a fix, or both? I am having the Linux distro security lists in
mind[1], and there postings summarise the problem, point to the
background, and state that the user needs to do X to deal with it. Only
security-relevant issues are posted, not general bug fixes.

I would find this method ideal for pfsense too because the noise is low.
It should include problems with packages too - those not using the
package don't need to read on. I do think all the actions the user needs
to do (usually upgrades) need to be posted. If a fix is NA at the time
of the problem notification then you need to post twice.

Perhaps I am mistaken about the pfsense fix for the heartbleed bug - but
if the required, or even only recommended, fix is to upgrade to pfsense
2.1.2 then that must be posted on the security-announce@ too.

The idea, well my idea, would be to only have to follow
security-announce@ and from that to be sure that no security-relevant
action is missed. The discussion list doesn't need that priority.

> The email list and page, we just started working on last week, prior
> to finding out about this, so we push them ahead along with the
> fixed version of pfsense.

Thanks for that!

And thanks too for all the work to fix this openssl problem!

> I think we'd be happy to host a security-discusse@ mailing list if
> people want that.

Not for me. The normal discussion list should be fine. I was trying to
raise the point of security announcements, not security itself.

Thanks again,

Volker

[1] Specifically, opensuse-security-announce  http://lists.opensuse.org/

-- 
Volker Kuhlmann                 is list0570 with the domain in header.
http://volker.top.geek.nz/      Please do not CC list postings to me.