Re: Missing security announcements

2008-11-30 Thread William Boshuck
On Sun, Nov 30, 2008 at 10:23:56AM -0800, new_guy wrote:
> Martin Schröder wrote:
> >
> > Why do you maintain stable by issuing security patches for it if you
> > don't care if anybody installs them (by not telling them about the
> > patches through one of the designated channels)?  Don't you want
> > people installing them?
> >
> > Is it so hard to write a mail to the list once every few months? The
> > content is already there...
> >
> 
> I just check the errata web page every now and then. When/if anything huge
> is discovered (very seldom) then it's slashdotted or something. So in the
> end, I always seem to find out somehow.

If someone is following stable, and really cares
about keeping their system(s) up to date, I can't
imagine why they wouldn't take the few seconds
per day required to glance at the errata page.
I mean, if you're reading Slashdot, The Guardian,
Al-Jazeera, The Onion, or what-have-you, on a regular
basis, why not just toss the errata page into the mix?
For Christ's sake, the errata are listed in reverse
chronological order so you don't even have to hit the
space bar to see what's new.

Do they have to toss in a soother as well?

Not to mention that checking the errata page
daily only underlines the extent to which these
people---who give away for free a complete
operating system---are really on top of the game.

cheers,
-wb



Re: Missing security announcements

2008-11-30 Thread new_guy
Martin Schröder wrote:
>
> Why do you maintain stable by issuing security patches for it if you
> don't care if anybody installs them (by not telling them about the
> patches through one of the designated channels)?  Don't you want
> people installing them?
>
> Is it so hard to write a mail to the list once every few months? The
> content is already there...
>

I just check the errata web page every now and then. When/if anything huge
is discovered (very seldom) then it's slashdotted or something. So in the
end, I always seem to find out somehow.

--
View this message in context:
http://www.nabble.com/Missing-security-announcements-tp20465932p20760480.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Missing security announcements

2008-11-28 Thread Henning Brauer
* Martin Schröder <[EMAIL PROTECTED]> [2008-11-13 10:02]:
> Is it so hard to write a mail to the list once every few months? The
> content is already there...

I have written security announcements before. It is way more work and
way more involved than you think. it sucks. not sure whether I'll do it
again.

oh, and I actually run stable at places.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Missing security announcements

2008-11-15 Thread Ted Unangst
On Sat, Nov 15, 2008 at 5:21 AM, Toni Mueller <[EMAIL PROTECTED]> wrote:
> I can imagine having a script, somehow tied into the CVS commit hook,
> that would scan the commit message for "security" or "reliability" or
> so, and automatically send out mails to this list, but would you use it
> if I'd write it and give it to you? I'm sceptical, to say the least.

No, because emails to sec-announce deserve more than just random
commit messages.  In particular, it should not send emails everytime
somebody makes a "no change to security" commit.  And it needs to have
the path to the patches in it.



Re: Missing security announcements

2008-11-15 Thread William Boshuck
On Sat, Nov 15, 2008 at 11:21:22AM +0100, Toni Mueller wrote:
> Hi,
> 
> On Thu, 13.11.2008 at 08:55:04 -0500, Ted Unangst <[EMAIL PROTECTED]> wrote:
> > So get on the developer's case when they don't send out notifications.
> >  All this chatter now isn't going to change anything when the next
> > errata comes out.  You want security announcement? Do something to
> > make it happen!
> 
> how do you suggest that Joe Random User can change the way you
> developer folks work,

Ted already made a suggestion about this.
It's in the archives.

-wb



Re: Missing security announcements

2008-11-15 Thread Toni Mueller
Hi,

On Thu, 13.11.2008 at 08:55:04 -0500, Ted Unangst <[EMAIL PROTECTED]> wrote:
> So get on the developer's case when they don't send out notifications.
>  All this chatter now isn't going to change anything when the next
> errata comes out.  You want security announcement? Do something to
> make it happen!

how do you suggest that Joe Random User can change the way you
developer folks work, or what you work with?

I can imagine having a script, somehow tied into the CVS commit hook,
that would scan the commit message for "security" or "reliability" or
so, and automatically send out mails to this list, but would you use it
if I'd write it and give it to you? I'm sceptical, to say the least.


Kind regards,
--Toni++



Re: Missing security announcements

2008-11-14 Thread Ted Unangst
On Thu, Nov 13, 2008 at 11:50 AM, Thomas Pfaff <[EMAIL PROTECTED]> wrote:
> Apparently not, so just remove the damn thing and avoid confusion.

Thanks, but we've decided to keep the list so we won't need the patch.

>
> Here:
>
> Index: mail.html
> ===
> RCS file: /cvs/www/mail.html,v



Re: Missing security announcements

2008-11-14 Thread Eric Furman
On Thu, 13 Nov 2008 09:29:09 -0700, "Theo de Raadt"
<[EMAIL PROTECTED]> said:
> > someone should take the task to send a 
> > mail via it once something arrives on the errata page.
> 
> It is really easy to use that word "should" when it isn't you.

and some of us don't really consider the 'errata' to be 'security'
related.



Re: Missing security announcements

2008-11-14 Thread Ed Ahlsen-Girard (TYBRIN Corp.)
> -Original Message-
> From: Theo de Raadt [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 13, 2008 1:29 PM
> To: Ted Unangst
> Cc: Thomas Pfaff; misc@openbsd.org
> Subject: Re: Missing security announcements
>
> > Of course, this is how things always work on misc.  There's the
> > developers do it option and the community does it option.  The
> > community is full of ideas about the first option, and full of shit
> > when it comes to the second.
>
> That is exactly what happens.
>
> Now what happens next?
>
> You guys out there on misc have more ideas that we can ignore?
>
> Because that is exactly what I will do.  I'm just so sick and tired of
> the whining, and over the last year or so I have adjusted my attitude
> and started getting pleasure out of watching the futility.
>

One idea that could be ignored, or not, would be standing down
security-announcements and removing references to it from the FAQ.  In
the nine months I've subscribed I've seen two messages: "Welcome to the
security-announce list" and "CONFIRM from security-announce (subscribe)".

Its existence raises expectations and elicits complaints.  It doesn't do
much else that I have seen.

Granted, if it went away COMPLETELY, within six months someone would
ask for it.  Less likely if this thread got put in the FAQ, though.  :-)



--

Ed Ahlsen-Girard



Re: Missing security announcements

2008-11-14 Thread Artur Grabowski
"Martin Schröder" <[EMAIL PROTECTED]> writes:

> Do not let serious problems sit unsolved.

It's not a serious problem for us.

//art



Re: Missing security announcements

2008-11-13 Thread andrew fresh
On Thu, Nov 13, 2008 at 12:55:36PM -0500, Ted Unangst wrote:
> On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu <[EMAIL PROTECTED]> wrote:
> > Is security-announce an open list?  If not, give me access and I'll
> > keep it reasonably up to date, give or take a day or so of release of
> > the Security Errata on the website, unless there is an even faster way
> > of checking it out, such as CVS.
> 
> It is moderated, and really, outsiders should not be posting to it
> because then it appears that they have some position of authority.
> The only person who should be posting to the list is the person who
> made the fix, because they are the security contact.  When people
> reply, it is important they are talking to the right person.


I just wrote something quick in perl that scrapes the errata pages of
the two most recent releases and sends a nicely formatted email for any
that have changed since the last check.

It does require a couple of packages be installed (p5-libwww and
p5-HTML-Tree) but if there were enough interest from someone who could
do something with it, I could probably make it work with just what is
available in the base system.

There are lots of ways to break something that scrapes html, but it is
at least automated.

l8rZ,
-- 
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]


#!/usr/bin/perl -T
use strict;
use warnings;

%ENV = ();

# Additional modules needed
use LWP::Simple;          # pkg_add p5-libwww
use HTML::TreeBuilder;    # pkg_add p5-HTML-Tree

# Core modules
use Text::Wrap;
use Fcntl ':flock';       # import LOCK_* constants

# should end with a /
my $base_url   = 'http://www.OpenBSD.org/';
my $start_page = 'errata.html';

my $sender    = '[EMAIL PROTECTED]';
my $recipient = '[EMAIL PROTECTED]';

# should end with a /
my $base_dir = '/home/andrew/.openbsd_errata_notifier/';

my $max_versions_to_process = 2;

#*#*# Nothing to change beyond this point #*#*#

my $tree = HTML::TreeBuilder->new();

my $content = get( $base_url . $start_page )
    or die "Couldn't get [$start_page]: $!";
$tree->parse($content)->eof;

my @errata_urls;
foreach my $link ( @{ $tree->extract_links('a') } ) {
    my ( $url, $element, $attr, $tag ) = @{$link};
    if ( $url =~ /^errata\d+\.html\Z/xms ) {
        push @errata_urls, $base_url . $url;
    }
}

$tree->delete;

my $processed = 0;
URL: foreach my $url ( reverse @errata_urls ) {
    $processed++;
    last URL if $processed > $max_versions_to_process;

    my $tree = HTML::TreeBuilder->new();

    my $content = get($url) or die "Couldn't get [$url]: $!";
    $tree->parse($content)->eof;

    my $title = $tree->find('title')->as_trimmed_text;
    my ($version) = $title =~ /\b ( \d+ \. \d ) \b/xms;

    foreach my $entry ( reverse $tree->find('ul')->find('li') ) {
        my $errata = process_errata_entry($entry);
        $errata->{version} = $version;
        $errata->{url}     = $url;

        my $message = format_errata_message($errata);
        my $file    = make_errata_dir($errata);

        if ( should_send( $message, $file ) ) {
            mail($message);
        }
    }

    $tree->delete;
}

sub process_errata_entry {
    my ($errata) = @_;

    my $id = $errata->find('a')->attr('name');

    my ( $num, $type, $date ) = split /:\s*/xms,
        $errata->find('strong')->as_trimmed_text;

    my $arch = $errata->find('i')->as_trimmed_text;

    my %errata = (
        id     => $id,
        number => $num,
        type   => $type,
        date   => $date,
        arch   => $arch,
    );

    foreach my $content ( $errata->content_list ) {
        if ( ref $content eq 'HTML::Element' ) {
            if ( my $href = $content->attr('href') ) {
                if ( $href =~ m{ftp\.openbsd\.org.*patch\Z}ixms ) {
                    $errata{patch} = {
                        href => $href,
                        text => $content->as_trimmed_text,
                    };
                    $content->delete;
                }
                elsif ( $href =~ m{CVE-} ) {
                    push @{ $errata{cve} },
                        {
                        href => $href,
                        text => $content->as_trimmed_text,
                        };
                    $content->delete;
                }
            }
        }
    }

    foreach my $br ( $errata->find('br') ) {
        $br->replace_with("\n");
    }

    my @descr = split /\n/, $errata->as_text;
    shift @descr;
    pop @descr;

    foreach my $m (@descr) {
        $m =~ s/^\s+//xms;
        $m =~ s/\.\W+\Z/\./xms;
    }

    $errata{description} = \@descr;

    return \%errata;
}

sub mail {
    my ($message) = @_;

    open( my $sendmail, "|/usr/sbin/sendmail -oi -t -odq" )
        or die "Can't fork for sendmail: $!\n";
    print $sendmail $message;
    close $sendmail or warn "sendmail didn't close nicely";
}

sub format_errata_message {
    my ($errata) = @_;

    my $message = <<"EOL";
From: $sender
To: $recipient
EOL

    $message
        .= 'Subject: Ope

Re: Missing security announcements

2008-11-13 Thread Martin Schröder
2008/11/13 Theo de Raadt <[EMAIL PROTECTED]>:
> You guys out there on misc have more ideas that we can ignore?

http://www.openbsd.org/goals.html
Do not let serious problems sit unsolved.


Best
   Martin



Re: Missing security announcements

2008-11-13 Thread Aaron W. Hsu
On Thu, 13 Nov 2008 10:38:06 -0800
[EMAIL PROTECTED] (Randal L. Schwartz) wrote:

> Surely, it would be easier to teach that small set of people (one?)
> to cc the mailing list on a security announcement, rather than
> expect that everyone with a core commit bit be reminded to watch
> errata to notice when their particular contribution has been
> accepted as a security patch.  What am I missing here?

Why should developers listen to people who are just consuming
resources that they are giving out for free?  We don't need to teach
them, we can just do the work they don't want to do to free them up
for doing the work they should be doing.  Why bug them?  They have
work to do. 

-- 
Aaron W. Hsu <[EMAIL PROTECTED]> | 
"Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else." -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Re: Missing security announcements

2008-11-13 Thread Aaron W. Hsu
On Thu, 13 Nov 2008 12:55:36 -0500
"Ted Unangst" <[EMAIL PROTECTED]> wrote:

> On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu <[EMAIL PROTECTED]> wrote:
> > Is security-announce an open list?  If not, give me access and I'll
> > keep it reasonably up to date, give or take a day or so of release of
> > the Security Errata on the website, unless there is an even faster way
> > of checking it out, such as CVS.
> 
> It is moderated, and really, outsiders should not be posting to it
> because then it appears that they have some position of authority.
> The only person who should be posting to the list is the person who
> made the fix, because they are the security contact.  When people
> reply, it is important they are talking to the right person.

Okay, I can see why everyone would prefer to see the developer's
sending their own fixes -- this is convenient to the users, though not
to the developers.  However, it is obvious that the developers do not
wish to do this, have no time to bother with it, and aren't concerned
at all.  I don't blame them, that's perfectly legitimate.  So we
should get someone else to do it, because some people do care about
having semi-timely security announcements on a mailing list. I also
see no reason why someone announcing a security announcement that is
detailed elsewhere should be required to be a developer heavily
involved in the development process.  The very nature of this suggests
that people who meet this requirement will not have the motivation or
time to do this.  There is nothing wrong with having someone else
assigned to the task. 

> What you can do is monitor the list.  If an erratum comes out and
> nothing happens for a day, email the person responsible and remind
> them.  The person responsible is not necessarily the person who
> happened to commit to stable, though, it's the person who made the
> original fix.  There's no announcements on the list because probably
> half the developers don't know they are supposed to make such
> announcements.

You're implying ignorance of the developers, which I doubt.  They
don't care about it, and we shouldn't be nagging them about it.
Instead, we should do something, rather than just being on the outside
bugging them like annoying gnats. 

I'm offering to do the work.  OpenBSD as a whole may not want me to do
anything, but that's not my fault.  At least I'm trying to *do*
something; I don't consider nagging people who don't have time or
motivation or reason to bother with such things to be a useful thing
to do. 

-- 
Aaron W. Hsu <[EMAIL PROTECTED]> | 
"Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else." -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Re: Missing security announcements

2008-11-13 Thread Thomas Pfaff
On Thu, 13 Nov 2008 14:12:21 -0500
"Ted Unangst" <[EMAIL PROTECTED]> wrote:

> On Thu, Nov 13, 2008 at 1:55 PM, Thomas Pfaff <[EMAIL PROTECTED]> wrote:
> > On Thu, 13 Nov 2008 12:55:36 -0500
> > "Ted Unangst" <[EMAIL PROTECTED]> wrote:
> >
> >> [...] There's no announcements on the list because probably
> >> half the developers don't know they are supposed to make such
> >> announcements.
> >
[...]
> It doesn't matter which way is better, it only matters which way
> something will get done.

Applying my diff will get something done.

Thanks for your time.

Thomas



Re: Missing security announcements

2008-11-13 Thread Theo de Raadt
> Of course, this is how things always work on misc.  There's the
> developers do it option and the community does it option.  The
> community is full of ideas about the first option, and full of shit
> when it comes to the second.

That is exactly what happens.

Now what happens next?

You guys out there on misc have more ideas that we can ignore?

Because that is exactly what I will do.  I'm just so sick and tired of
the whining, and over the last year or so I have adjusted my attitude
and started getting pleasure out of watching the futility.



Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 1:55 PM, Thomas Pfaff <[EMAIL PROTECTED]> wrote:
> On Thu, 13 Nov 2008 12:55:36 -0500
> "Ted Unangst" <[EMAIL PROTECTED]> wrote:
>
>> [...] There's no announcements on the list because probably
>> half the developers don't know they are supposed to make such
>> announcements.
>
> Excuse my ignorance, but who keeps http://openbsd.org/errata44.html
> updated, then?  Apparently the errata page is kept up-to-date, so
> why not automate the process of sending mail to security-announce?

Because it hasn't happened in 10 years of whining about it.

There are two ways to fix the problem.

One is the developers change their process.  As should be damn clear
by now, you're not making much progress in that regard.

The other option is to step up and remind the developers when they are
not doing what they should.  That doesn't mean throwing a pity party
on misc every 6 months, it means actively watching what's happening as
errata come out.  This is the one thing that *ANYONE* who cares can
do, yet nobody does it.  All we get is more chatter about changing
things that obviously aren't changing.

Of course, this is how things always work on misc.  There's the
developers do it option and the community does it option.  The
community is full of ideas about the first option, and full of shit
when it comes to the second.

It doesn't matter which way is better, it only matters which way
something will get done.



Re: Missing security announcements

2008-11-13 Thread Emilio Perea
On Thu, Nov 13, 2008 at 11:19:45AM -0600, Brian Drain wrote:
> So I am curious, what IS the best way to stay up to date?  Is manually
> checking the errata page every day really correct (seems like there
> would be an automated solution such as the lynx dump aforementioned)?
> It seems to me that even if there is a security flaw in OpenBSD most of
> them (from reading prior patches) would be exceedingly hard to exploit
> anyway so maybe it's not as big of a deal as, say, Windows B.S. (which
> is exactly the reason I am learning something else).

I'm not sure this is the best way, but what I do to keep up with -stable
is to have a cronjob do a cvs (or csup) update every day.  Most days
there is nothing updated, so it's quite noticeable when there's a
change.  These are the two changes since 4.4 release:

- Forwarded message from Cron Daemon <[EMAIL PROTECTED]> -

Date: 2 Nov 2008 11:00:02 -
From: Cron Daemon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Cron <[EMAIL PROTECTED]> /home/eperea/Bin/updsrc

Starting /home/eperea/Bin/updsrc: Sun Nov 2 05:00:02 CST 2008
P sys/conf/newvers.sh
P sys/dev/pci/if_vr.c
P sys/netinet6/in6.c
P sys/netinet6/in6_var.h
P sys/netinet6/nd6_nbr.c
Finished updating source: Sun Nov 2 05:15:24 CST 2008

*==*

Date: 6 Nov 2008 11:00:02 -
From: Cron Daemon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Cron <[EMAIL PROTECTED]> /home/eperea/Bin/updsrc

Starting /home/eperea/Bin/updsrc: Thu Nov 6 05:00:02 CST 2008
P sys/netinet/tcp_input.c
P usr.sbin/httpd/src/ap/ap_hook.c
P usr.sbin/httpd/src/modules/proxy/proxy_http.c
Finished updating source: Thu Nov 6 05:14:56 CST 2008

- End forwarded message -

When I see these, I check to see if it's something that requires
patching immediately (but haven't seen any of those yet).  Otherwise, I
build a release and install it after hours on the remote sites.



Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 1:38 PM, Randal L. Schwartz
<[EMAIL PROTECTED]> wrote:
> Who handles the errata page, assigning the sequential numbers and deciding
> whether it's a security fix or not?  Surely, it would be easier to teach that
> small set of people (one?) to cc the mailing list on a security announcement,
> rather than expect that everyone with a core commit bit be reminded to watch
> errata to notice when their particular contribution has been accepted as a
> security patch.  What am I missing here?

There's no real good reason why it can't be the same person, but
maintaining stable already sucks enough without having more work.  I
won't ask that.  And I strongly believe that the person making a
security fix needs to take responsibility for seeing it through to the
end.  If they can't handle that, I don't think they should be making
security fixes.

Of course, everything I've said so far is more my opinion than project
rules.  By now, it should be pretty clear that the rules are not
clear.



Re: Missing security announcements

2008-11-13 Thread Thomas Pfaff
On Thu, 13 Nov 2008 12:55:36 -0500
"Ted Unangst" <[EMAIL PROTECTED]> wrote:

> [...] There's no announcements on the list because probably
> half the developers don't know they are supposed to make such
> announcements.

Excuse my ignorance, but who keeps http://openbsd.org/errata44.html
updated, then?  Apparently the errata page is kept up-to-date, so
why not automate the process of sending mail to security-announce?

Thomas



Re: Missing security announcements

2008-11-13 Thread Randal L. Schwartz
> "Ted" == Ted Unangst <[EMAIL PROTECTED]> writes:

Ted> What you can do is monitor the list.  If an erratum comes out and
Ted> nothing happens for a day, email the person responsible and remind
Ted> them.  The person responsible is not necessarily the person who
Ted> happened to commit to stable, though, it's the person who made the
Ted> original fix.  There's no announcements on the list because probably
Ted> half the developers don't know they are supposed to make such
Ted> announcements.

Who handles the errata page, assigning the sequential numbers and deciding
whether it's a security fix or not?  Surely, it would be easier to teach that
small set of people (one?) to cc the mailing list on a security announcement,
rather than expect that everyone with a core commit bit be reminded to watch
errata to notice when their particular contribution has been accepted as a
security patch.  What am I missing here?

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> http://www.stonehenge.com/merlyn/>
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion



Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu <[EMAIL PROTECTED]> wrote:
> Is security-announce an open list?  If not, give me access and I'll
> keep it reasonably up to date, give or take a day or so of release of
> the Security Errata on the website, unless there is an even faster way
> of checking it out, such as CVS.

It is moderated, and really, outsiders should not be posting to it
because then it appears that they have some position of authority.
The only person who should be posting to the list is the person who
made the fix, because they are the security contact.  When people
reply, it is important they are talking to the right person.

What you can do is monitor the list.  If an erratum comes out and
nothing happens for a day, email the person responsible and remind
them.  The person responsible is not necessarily the person who
happened to commit to stable, though, it's the person who made the
original fix.  There's no announcements on the list because probably
half the developers don't know they are supposed to make such
announcements.



Re: Missing security announcements

2008-11-13 Thread Tom Van Looy

> just fire a crontab entry and move on

actually, that's a great idea, I just scheduled the following script
this mails the diff of errata.html, but only if something changed

#!/bin/sh
# Mail a diff of the errata page, but only when it changed since the last run.
rel="44" # OpenBSD version

# -o names the download, so no stray errata44.html is left in the working dir
if ! ftp -o .errata"$rel".new http://www.openbsd.org/errata"$rel".html > /dev/null 2>&1; then
   echo "Unable to fetch errata page!"
   exit 1
fi

# first run: compare against an empty baseline so the whole page gets mailed
if [ ! -f .errata"$rel".old ]; then
   touch .errata"$rel".old
fi

# diff(1) exits 0 when identical, 1 when the files differ, 2 on trouble
diff -u .errata"$rel".old .errata"$rel".new > .errata"$rel".diff
if [ "$?" = "1" ]; then
   mail -s "OpenBSD$rel errata changed" root < .errata"$rel".diff
   mv .errata"$rel".new .errata"$rel".old
fi

exit 0
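
The three home-grown watchers in this thread (the lynx -dump cron mail, Tom's diff-the-page script above, and andrew fresh's Perl scraper earlier on the page) all attack the same problem: nothing mails you when an erratum appears, so you poll the page yourself. The byte-diff approach mails on any change, including cosmetic edits; the scraper approach keys on the erratum itself. The following is an added example written for this page, not code from the OpenBSD project or from any poster. It parses entries in the layout the Perl scraper expects (`<li><a name=NNN><strong>NNN: TYPE: DATE</strong></a> <i>ARCH</i> ... patch link`) and reports only entries that are new or whose text or patch link changed since the last run. The sample HTML, its descriptions, the `NNN_example.patch` file names and the `.errata_state.json` state file are all constructed for the example, and the real page layout may differ.

```python
# Errata notifier for the thread above: parse an errata page and report entries
# new or changed since the last run.  Added example, not OpenBSD project code.
import json
import re
from hashlib import sha256
from html import unescape
from pathlib import Path

# Constructed sample in the layout the Perl scraper in this thread expects
# (<li><a name=NNN><strong>NNN: TYPE: DATE</strong></a> <i>ARCH</i> ... patch link).
# Descriptions and patch file names are placeholders, not real errata text.
SAMPLE_ERRATA_HTML = """<html><head><title>OpenBSD 4.4 errata</title></head><body><ul>
<li><a name="001"><strong>001: RELIABILITY FIX: November 2, 2008</strong></a>
&nbsp; <i>All architectures</i><br>
Placeholder description of a constructed reliability erratum.<br>
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/001_example.patch">
A source code patch exists which remedies this problem.</a>
<li><a name="002"><strong>002: SECURITY FIX: November 6, 2008</strong></a>
&nbsp; <i>All architectures</i><br>
Placeholder description of a constructed security erratum.<br>
<a href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/002_example.patch">
A source code patch exists which remedies this problem.</a>
</ul></body></html>
"""

ENTRY_RE = re.compile(
    r'<li>\s*<a name="(?P<id>[^"]+)">\s*<strong>\s*'
    r'(?P<number>\d+):\s*(?P<type>[^:<]+?):\s*(?P<date>[^<]+?)\s*</strong>\s*</a>'
    r'(?P<body>.*?)(?=<li>|</ul>)', re.S)
ARCH_RE = re.compile(r'<i>(.*?)</i>', re.S)
PATCH_LINK_RE = re.compile(
    r'<a\s+href="(?P<href>ftp://ftp\.openbsd\.org/[^"]*\.patch)"[^>]*>.*?</a>', re.S)
TAG_RE = re.compile(r'<[^>]+>')
VERSION_RE = re.compile(r'<title>[^<]*?(\d+\.\d)', re.S)


def parse_errata(html):
    """One dict per erratum, in page order; the release number comes from <title>."""
    vm = VERSION_RE.search(html)
    version = vm.group(1) if vm else 'unknown'
    entries = []
    for m in ENTRY_RE.finditer(html):
        body = m.group('body')
        arch = ARCH_RE.search(body)
        patch = PATCH_LINK_RE.search(body)
        # Description = body minus the arch marker and the patch link, tags stripped.
        text = PATCH_LINK_RE.sub('', ARCH_RE.sub('', body, count=1), count=1)
        entries.append({
            'version': version, 'id': m.group('id'), 'number': m.group('number'),
            'type': m.group('type').strip(), 'date': m.group('date').strip(),
            'arch': arch.group(1).strip() if arch else '',
            'patch': patch.group('href') if patch else '',
            'description': ' '.join(unescape(TAG_RE.sub(' ', text)).split()),
        })
    return entries


def fingerprint(entry):
    """Hash of the fields whose edit should re-alert (the erratum was revised)."""
    fields = ('type', 'date', 'arch', 'patch', 'description')
    return sha256('\n'.join(entry[k] for k in fields).encode()).hexdigest()


def diff_errata(entries, seen):
    """(new, changed) against seen = {'version/id': fingerprint}.  Keying on the
    erratum id means cosmetic edits elsewhere on the page do not trigger mail."""
    new, changed = [], []
    for e in entries:
        key = f"{e['version']}/{e['id']}"
        if key not in seen:
            new.append(e)
        elif seen[key] != fingerprint(e):
            changed.append(e)
    return new, changed


def update_seen(entries, seen):
    """State to persist for the next cron run."""
    return {**seen, **{f"{e['version']}/{e['id']}": fingerprint(e) for e in entries}}


def format_message(entry, page_url, status='NEW'):
    """Plain-text mail body, with the patch path Ted asked for."""
    return '\n'.join([
        f"{status}: OpenBSD {entry['version']} erratum {entry['number']}: "
        f"{entry['type']} ({entry['date']})",
        f"Architectures: {entry['arch']}", '', entry['description'], '',
        f"Patch: {entry['patch'] or '(none listed)'}",
        f"Errata page: {page_url}#{entry['id']}",
    ])


if __name__ == '__main__':
    # Offline demo on the sample; a cron job would fetch the live page instead
    # (ftp(1) or urllib) and keep STATE between runs.
    STATE = Path('.errata_state.json')
    seen = json.loads(STATE.read_text()) if STATE.exists() else {}
    entries = parse_errata(SAMPLE_ERRATA_HTML)
    new, changed = diff_errata(entries, seen)
    for e in new + changed:
        print(format_message(e, 'http://www.openbsd.org/errata44.html', 'NEW' if e in new else 'UPDATED'), '\n')
    STATE.write_text(json.dumps(update_seen(entries, seen), indent=1, sort_keys=True))
```

Two caveats a practitioner should keep in mind with any of these watchers. Scraping HTML is brittle, as andrew says: a layout change on the page makes the parser silently find zero entries, so a run that parses nothing should be treated as an error, not as "no news". And the page is fetched over plain HTTP with no signature, so an on-path attacker or a stale proxy can hide new errata from the notifier just as from a browser; treat it as a convenience, not a guarantee, and take the patch itself from the official mirror.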



Re: Missing security announcements

2008-11-13 Thread Aaron W. Hsu
To everyone who wants security-announce to work:

On Thu, 13 Nov 2008 09:29:09 -0700
Theo de Raadt <[EMAIL PROTECTED]> wrote:

> > someone should take the task to send a mail via it once something
> > arrives on the errata page.
> 
> It is really easy to use that word "should" when it isn't you. 

I'll do it.  I care about having security announcements sent out in a
way that makes it easy for us to track without having to write our own
scripts.  I happen to think a mailing list is a very good way of doing
this.  I'm willing to put in the time to do this, since I *do* use
-stable. 

Is security-announce an open list?  If not, give me access and I'll
keep it reasonably up to date, give or take a day or so of release of
the Security Errata on the website, unless there is an even faster way
of checking it out, such as CVS. 

-- 
Aaron W. Hsu <[EMAIL PROTECTED]> | 
"Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else." -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Re: Missing security announcements

2008-11-13 Thread Brian Drain
As someone new to OpenBSD and UNIX in general (reading a lot and trying
to learn) I signed up for the security list due to the description of
the list thinking I would be covered if something serious were to come
up.  I only check errata about every week or so and as of right now I'm
not even sure how to apply the reliability patches, but I am trying to
learn without causing too much noise, only generally skimming to find
some golden nuggets that will help me with learning (admittedly, most is
over my head and I don't attempt much of what I read, but it does help
me).

By having the list seemingly available, it's possible new people such as
myself are missing announcements and after checking the errata for 4.4
(which I purchased as soon as it was avail along with 3 or 4 prior
versions which I only installed to test but gladly support this effort
albeit in a small way) lets me know that I am indeed missing things.

So I am curious, what IS the best way to stay up to date?  Is manually
checking the errata page every day really correct (seems like there
would be an automated solution such as the lynx dump aforementioned)?
It seems to me that even if there is a security flaw in OpenBSD most of
them (from reading prior patches) would be exceedingly hard to exploit
anyway so maybe it's not as big of a deal as, say, Windows B.S. (which
is exactly the reason I am learning something else).

If people really DO want the list, I would have no problem checking it
once a day and posting any relevant updates as they appear on errata.

Cheers,
Brian


From http://www.openbsd.org/mail.html

"security-announce
Security announcements. This low volume list receives OpenBSD
security advisories and pointers to security patches as they
become available."



Re: Missing security announcements

2008-11-13 Thread Thomas Pfaff
On Thu, 13 Nov 2008 11:22:09 -0500
"Morris, Roy" <[EMAIL PROTECTED]> wrote:

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Janne Johansson
> Sent: Thursday, November 13, 2008 10:14 AM
> To: Misc OpenBSD
> Subject: Re: Missing security announcements
> 
> why not just get it yourself if you're worried about it? just fire a crontab
> entry and
> move on.
> 
> lynx -dump openbsd.org/errata44.html |mail -s "Daily Security" [EMAIL PROTECTED]
> 

I agree.  Keeping yourself informed about security updates is easy,
at least once you realise security-announce is dead.

From http://www.openbsd.org/mail.html

"security-announce
Security announcements. This low volume list receives OpenBSD
security advisories and pointers to security patches as they
become available."

Apparently not, so just remove the damn thing and avoid confusion.

Here:

Index: mail.html
===
RCS file: /cvs/www/mail.html,v
retrieving revision 1.110
diff -u -p -r1.110 mail.html
--- mail.html   4 Sep 2008 09:55:21 -   1.110
+++ mail.html   13 Nov 2008 16:45:27 -
@@ -19,12 +19,10 @@
 
 
 Mailing lists are an important means of communication among users and
-developers of OpenBSD. With the exceptions of announce and
-security-announce, the lists are not moderated.  We deliberately
-restrict the number of different mailing lists.
-This helps reduce the amount of cross-posting and makes sure that the
+developers of OpenBSD. With the exception of announce, the lists
+are not moderated.  We deliberately restrict the number of different mailing
+lists. This helps reduce the amount of cross-posting and makes sure that the
 information gets distributed to a wide audience.
-
 
 
 Netiquette
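Review bot: this hunk rewrites four lines of the paragraph where only the clause "With the exceptions of announce and security-announce" actually changes; keeping the existing line breaks and replacing just that clause with "With the exception of announce" would make the change reviewable at a glance. The blank line removed at the end of the hunk is not explained by the stated purpose and should either be dropped from the diff or justified.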
@@ -149,11 +147,6 @@ Problem before posting.
 announce
 Important announcements.  This low volume list is excellent for
 people who just want occasional news about the project.
-
-security-announce
-Security announcements.  This low volume list receives OpenBSD
-security advisories and pointers to security patches as they become
-available.
 
 ports
 Discussions about using and contributing to the 'ports' source tree.

If people continually complain about the lack of a security-announce
list, there's always the option of updating the FAQ.

Thomas



Re: Missing security announcements

2008-11-13 Thread Theo de Raadt
> someone should take the task to send a 
> mail via it once something arrives on the errata page.

It is really easy to use that word "should" when it isn't you.



Re: Missing security announcements

2008-11-13 Thread Morris, Roy
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Janne Johansson
Sent: Thursday, November 13, 2008 10:14 AM
To: Misc OpenBSD
Subject: Re: Missing security announcements


why not just get it yourself if you're worried about it? just fire a crontab
entry and
move on.

lynx -dump openbsd.org/errata44.html |mail -s "Daily Security" [EMAIL PROTECTED]



Re: Missing security announcements

2008-11-13 Thread Simon Connah

On 13 Nov 2008, at 15:56, Tobias Weisserth wrote:

> Janne,
>
> On Thu, Nov 13, 2008 at 4:14 PM, Janne Johansson <[EMAIL PROTECTED]> wrote:
>
>>> everybody knows that's not going to happen.
>>> I remember having asked the same question YEARS AGO and
>>> nothing has changed since then.
>>
>> Reading those two next to each other says everything.
>
> Why ain't you a bit more explicit? Should /I/ have managed that list? Why
> didn't you if you care to post messages in this thread? This kind of answer
> is so redundant and hypocritical at the same time.

Seems perfectly simple. If you want them announced and nobody is doing it,
then do it yourself. If you don't care then stop posting about it.

Simon.



Re: Missing security announcements

2008-11-13 Thread Tobias Weisserth
Janne,

On Thu, Nov 13, 2008 at 4:14 PM, Janne Johansson <[EMAIL PROTECTED]> wrote:

> > everybody knows that's not going to happen.
> > I remember having asked the same question YEARS AGO and
> > nothing has changed since then.
>
> Reading those two next to each other says everything.


Why ain't you a bit more explicit? Should /I/ have managed that list? Why
didn't you if you care to post messages in this thread? This kind of answer
is so redundant and hypocritical at the same time.



Re: Missing security announcements

2008-11-13 Thread Aram HAVARNEANU
> there is also the errata rss feed from undeadly

If anyone cares enough, someone could write a perl/ksh/whatever script
that can mail updates to that list. Apparently nobody cares and the
list is useless ATM, so IMHO it should be deleted.

-- 
Aram Havarneanu



Re: Missing security announcements

2008-11-13 Thread Janne Johansson

 All this chatter now isn't going to change anything when the next
errata comes out.  You want security announcement? Do something to
make it happen!


> Ted,
>
> everybody knows that's not going to happen.
> I remember having asked the same question YEARS AGO and
> nothing has changed since then.

Reading those two next to each other says everything.



Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 9:12 AM, Tobias Weisserth
<[EMAIL PROTECTED]> wrote:
> everybody knows that's not going to happen. Why not scrap the security
> announcement list if it's not being used or just whenever someone feels like
> it? The mere existence of this list implies to users that new errata are
> being announced to that list which is not the case. Get rid of the list and
> the problem is solved.

Because new errata should be announced on the list.



Re: Missing security announcements

2008-11-13 Thread Tobias Weisserth
Ted,

everybody knows that's not going to happen. Why not scrap the security
announcement list if it's not being used or just whenever someone feels like
it? The mere existence of this list implies to users that new errata are
being announced to that list which is not the case. Get rid of the list and
the problem is solved.

The website is updated with new errata. Everybody should be able to follow
the CVS. The list is flawed and obsolete.

Just my 2 cents, as I remember having asked the same question YEARS AGO and
nothing has changed since then.

cheers,

Tobias

On Thu, Nov 13, 2008 at 2:55 PM, Ted Unangst <[EMAIL PROTECTED]> wrote:

> So get on the developer's case when they don't send out notifications.
>  All this chatter now isn't going to change anything when the next
> errata comes out.  You want security announcement? Do something to
> make it happen!



Re: Missing security announcements

2008-11-13 Thread Ted Unangst
On Thu, Nov 13, 2008 at 5:59 AM, David Schulz <[EMAIL PROTECTED]> wrote:
> I too have of course subscribed myself to the list, and i think since it's
> there, it should work and be updated regularly. If we don't need such a
> list, then let's delete it. But since it's there, and people are subscribing
> to it in hope to get a quick mail notifying them of new patches or other
> security issues, someone should take the task to send a mail via it once
> something arrives on the errata page.

So get on the developer's case when they don't send out notifications.
 All this chatter now isn't going to change anything when the next
errata comes out.  You want security announcement? Do something to
make it happen!



Re: Missing security announcements

2008-11-13 Thread David Schulz
additionally, i care very much about those patches, and apply each and 
every one where needed every time.


Martin Schröder wrote:

2008/11/13 Theo de Raadt <[EMAIL PROTECTED]>:
  

I think that would work better.  I am not here saying this because
I have answers.  I don't.  I think that people running old software
quite frankly cannot rely on a mailing list run by people who don't
run -stable.  So how can any of you hope we will solve your problems?



Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about the
patches through one of the designated channels)?  Don't you want
people installing them?

Is it so hard to write a mail to the list once every few months? The
content is already there...

Frankly: We have this discussion about once a year. Please either
remove the list and spare us the discussions (and write a short notice
on the page why you don't have the list) or use it. Either way will
probably spare you more work than the status quo.

Finally: If you don't bother about changing the status quo, may I (or
someone else) use the list to send out mails about the errata?

Best
   Martin






Re: Missing security announcements

2008-11-13 Thread David Schulz
I too have of course subscribed myself to the list, and i think since 
it's there, it should work and be updated regularly. If we don't need 
such a list, then let's delete it. But since it's there, and people are 
subscribing to it in hope to get a quick mail notifying them of new 
patches or other security issues, someone should take the task to send a 
mail via it once something arrives on the errata page.


Martin Schröder wrote:

2008/11/13 Theo de Raadt <[EMAIL PROTECTED]>:
  

I think that would work better.  I am not here saying this because
I have answers.  I don't.  I think that people running old software
quite frankly cannot rely on a mailing list run by people who don't
run -stable.  So how can any of you hope we will solve your problems?



Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about the
patches through one of the designated channels)?  Don't you want
people installing them?

Is it so hard to write a mail to the list once every few months? The
content is already there...

Frankly: We have this discussion about once a year. Please either
remove the list and spare us the discussions (and write a short notice
on the page why you don't have the list) or use it. Either way will
probably spare you more work than the status quo.

Finally: If you don't bother about changing the status quo, may I (or
someone else) use the list to send out mails about the errata?

Best
   Martin






Re: Missing security announcements

2008-11-13 Thread Martin Schröder
2008/11/13 Theo de Raadt <[EMAIL PROTECTED]>:
> I think that would work better.  I am not here saying this because
> I have answers.  I don't.  I think that people running old software
> quite frankly cannot rely on a mailing list run by people who don't
> run -stable.  So how can any of you hope we will solve your problems?

Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about the
patches through one of the designated channels)?  Don't you want
people installing them?

Is it so hard to write a mail to the list once every few months? The
content is already there...

Frankly: We have this discussion about once a year. Please either
remove the list and spare us the discussions (and write a short notice
on the page why you don't have the list) or use it. Either way will
probably spare you more work than the status quo.

Finally: If you don't bother about changing the status quo, may I (or
someone else) use the list to send out mails about the errata?

Best
   Martin



Re: Missing security announcements

2008-11-12 Thread Theo de Raadt
> > It does not work because no one who works on OpenBSD runs -stable.
> > Then every few months some of you come and yell at us.
> 
> Not yelling, honest; I was just curious. 
> 
> So, basically, no one has the time or motivation to send out updates?

None of the developers are on the list.

Heck!  More than half the developers don't even read misc because
of who posts to it.



Re: Missing security announcements

2008-11-12 Thread Aaron W. Hsu
On Wed, 12 Nov 2008 21:17:46 -0700
Theo de Raadt <[EMAIL PROTECTED]> wrote:

> It does not work because no one who works on OpenBSD runs -stable.
> Then every few months some of you come and yell at us.

Not yelling, honest; I was just curious. 

So, basically, no one has the time or motivation to send out updates?

-- 
Aaron W. Hsu <[EMAIL PROTECTED]> | 
"Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else." -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Re: Missing security announcements

2008-11-12 Thread Emilio Perea
On Wed, Nov 12, 2008 at 11:36:10PM -0500, Ted Unangst wrote:
> On Wed, Nov 12, 2008 at 10:32 PM, Emilio Perea <[EMAIL PROTECTED]> wrote:
> 
> > FWIW, I received the "Welcome to the security-announce mailing list!"
> > message on 9/4/2002 and nothing since.  I don't think it's a big deal
> > since there are other ways of getting the information.
> 
> Maybe you mean 2008, because I personally sent several messages to the
> list in the years since.

No, I meant 2002.  But as Rod suggested, it's quite possible I got
unsubscribed accidentally.  I see there are quite a few messages in the
mailing list archives...  In any case, I've seen announcements of all
errata on misc or source-changes, so it's no big deal.



Re: Missing security announcements

2008-11-12 Thread Ted Unangst
On Wed, Nov 12, 2008 at 10:32 PM, Emilio Perea <[EMAIL PROTECTED]> wrote:

> FWIW, I received the "Welcome to the security-announce mailing list!"
> message on 9/4/2002 and nothing since.  I don't think it's a big deal
> since there are other ways of getting the information.

Maybe you mean 2008, because I personally sent several messages to the
list in the years since.

If there was an errata that wasn't announced, remind the developer to
send such notice.  That's the only way they'll start sending such
messages.  I certainly can't remind them because I'm not subscribed so
I don't even know what's missing.



Re: Missing security announcements

2008-11-12 Thread Rod Whitworth
On Wed, 12 Nov 2008 21:32:57 -0600, Emilio Perea wrote:

>On Wed, Nov 12, 2008 at 06:57:19PM +0100, Peer Janssen wrote:
>> I subscribed to security-announce a long time ago and thought I would 
>> receive information about security announcements, but contrary to what 
>> is stated on http://openbsd.org/mail.html:
>>
>> "security-announce - Security announcements. This low volume list 
>> receives OpenBSD security advisories and pointers to security patches 
>> as they become available.",
>>
>
>FWIW, I received the "Welcome to the security-announce mailing list!"
>message on 9/4/2002 and nothing since.  I don't think it's a big deal
>since there are other ways of getting the information.
>

Maybe your email address got lost somewhere.
I have 75 entries from 12 April 2002 (in case your date format was not
the screwed up yank format) or a few less counting from Sep '02.

*** NOTE *** Please DO NOT CC me. I  subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: Missing security announcements

2008-11-12 Thread Theo de Raadt
> > I don't think it's a big deal
> > since there are other ways of getting the information.
> 
> Given that we usually sign up to a security-announce mailing list for 
> good reason, if the list isn't working as intended, or there is some 
> misunderstanding as to why the list exists, then I'd like to know 
> explicitly, if only so that I do not rely on the list too much. 

It does not work because no one who works on OpenBSD runs -stable.
Then every few months some of you come and yell at us.

Honestly, I think we should get rid of the list.  But then, it was
created because people like you asked for it.  So, if we got
rid of it, people like you would yell at us.  So how about if we
leave the list in existence, and instead ignore your requests?

I think that would work better.  I am not here saying this because
I have answers.  I don't.  I think that people running old software
quite frankly cannot rely on a mailing list run by people who don't
run -stable.  So how can any of you hope we will solve your problems?
People who can't, won't.



Re: Missing security announcements

2008-11-12 Thread Aaron W. Hsu
On Wed, 12 Nov 2008 21:32:57 -0600
Emilio Perea <[EMAIL PROTECTED]> wrote:

> I don't think it's a big deal
> since there are other ways of getting the information.

Given that we usually sign up to a security-announce mailing list for 
good reason, if the list isn't working as intended, or there is some 
misunderstanding as to why the list exists, then I'd like to know 
explicitly, if only so that I do not rely on the list too much. 

-- 
Aaron W. Hsu <[EMAIL PROTECTED]> | 
"Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else." -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Re: Missing security announcements

2008-11-12 Thread Emilio Perea
On Wed, Nov 12, 2008 at 06:57:19PM +0100, Peer Janssen wrote:
> I subscribed to security-announce a long time ago and thought I would 
> receive information about security announcements, but contrary to what 
> is stated on http://openbsd.org/mail.html:
>
> "security-announce - Security announcements. This low volume list 
> receives OpenBSD security advisories and pointers to security patches 
> as they become available.",
>

FWIW, I received the "Welcome to the security-announce mailing list!"
message on 9/4/2002 and nothing since.  I don't think it's a big deal
since there are other ways of getting the information.



Re: Missing security announcements

2008-11-12 Thread Eugene Prodeguene

On Thu, 13 Nov 2008, Simon Connah wrote:


On 12 Nov 2008, at 17:57, Peer Janssen wrote:


Hi!

I subscribed to security-announce a long time ago and thought I would 
receive information about security announcements, but contrary to what is 
stated on http://openbsd.org/mail.html:


"security-announce - Security announcements. This low volume list receives 
OpenBSD security advisories and pointers to security patches as they become 
available.",


as is easily verifiable here:

http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/

together with:

http://openbsd.org/errata44.html,

the patches are not announced.

If the stated announcement process via mailing list is unreliable or 
untimely, I'd think it's useless, and with it that mailing list.


Regards
Peer



Four of those 4.4 patches are listed as reliability patches and not security 
patches. So I can see why they were not posted to the security list. There is 
only one security patch there and that is patch 001.


I'm sure one of the developers will correct me if I am wrong but that is my 
assumption.


Simon.


For what it's worth (probably not much), there is also the errata 
rss feed from undeadly, which clearly marks SECURITY vs RELIABILITY 
patches. I'm sure everyone knows about this by now, but it does make a 
nice addition to an rss reader of choice.


http://www.undeadly.org/cgi?action=errata



Re: Missing security announcements

2008-11-12 Thread Simon Connah

On 12 Nov 2008, at 17:57, Peer Janssen wrote:


Hi!

I subscribed to security-announce a long time ago and thought I
would receive information about security announcements, but contrary
to what is stated on http://openbsd.org/mail.html:


"security-announce - Security announcements. This low volume list  
receives OpenBSD security advisories and pointers to security  
patches as they become available.",


as is easily verifiable here:

http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/

together with:

http://openbsd.org/errata44.html,

the patches are not announced.

If the stated announcement process via mailing list is unreliable or  
untimely, I'd think it's useless, and with it that mailing list.


Regards
Peer



Four of those 4.4 patches are listed as reliability patches and not  
security patches. So I can see why they were not posted to the security  
list. There is only one security patch there and that is patch 001.


I'm sure one of the developers will correct me if I am wrong but that  
is my assumption.


Simon.



Missing security announcements

2008-11-12 Thread Peer Janssen

Hi!

I subscribed to security-announce a long time ago and thought I would 
receive information about security announcements, but contrary to what is 
stated on http://openbsd.org/mail.html:


"security-announce - Security announcements. This low volume list 
receives OpenBSD security advisories and pointers to security patches as 
they become available.",


as is easily verifiable here:

http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/

together with:

http://openbsd.org/errata44.html,

the patches are not announced.

If the stated announcement process via mailing list is unreliable or 
untimely, I'd think it's useless, and with it that mailing list.


Regards
Peer