On Tue, Apr 14, 2009 at 04:59:28PM +1000, Olivier Mehani wrote:
I'm wondering, however, if there were any security risks introduced by
specifically using the host key instead of one generated specifically
for that purpose and, if so, what they were.
Personally I like using user keys instead
Hello folks,
I'm pretty new to OpenBSD and BSD in general, but I have an OpenBSD
Syslog server up and receiving data. I'd like to have the system be
pretty secure, and I'd like to monitor its security via a simple script
that runs daily.
Here's what I have in the script at the present time
an OpenBSD
Syslog server up and receiving data. I'd like to have the system be
pretty secure, and I'd like to monitor its security via a simple script
that runs daily.
Here's what I have in the script at the present time:
{ uptime ; date ; who ; ps -al ; cat /var/log/adduser ; cat
/var/log
LeRoy, Ted wrote:
Can some of you BSD pro's out there recommend some additions or changes
or other things that should be checked to help ensure the system isn't
compromised?
For log monitoring try logsentry.
Is there a way to see who has logged into the system over a given period
for
Hello folks,
I'm pretty new to OpenBSD and BSD in general, but I have an OpenBSD
Syslog server up and receiving data. I'd like to have the system be
pretty secure, and I'd like to monitor its security via a simple script
that runs daily.
Here's what I have in the script at the present
On Tue, Apr 14, 2009 at 3:28 PM, LeRoy, Ted tle...@lsisolutions.com wrote:
Hello folks,
I'm pretty new to OpenBSD and BSD in general, but I have an OpenBSD
Syslog server up and receiving data. I'd like to have the system be
pretty secure, and I'd like to monitor its security via a simple
to have the system be pretty secure, and I'd like to
monitor its security via a simple script that runs daily.
Did you read daily(8) and security(8)?
Besides, OpenBSD is secure by default. Most people trying to
make it more secure will typically end up making it less secure.
Beginners will almost
Ingo, Jean-Francois, Gilbert Fernandes, Ted Unangst, Cesary Morga, Joe
Gidi, and Matheus Weber da Conceicao, (hope I didn't miss anyone)
Thank you all for your patience and guidance. I'll look at apropos(1),
daily(8), and security(8) in the man pages and try to utilize them more.
Last
On 2009-04-14, LeRoy, Ted tle...@lsisolutions.com wrote:
Here's what I have in the script at the present time:
{ uptime ; date ; who ; ps -al ; cat /var/log/adduser ; cat
/var/log/authlog ; cat /var/log/messages ; cat /var/log/secure ; cat
/var/log/router ; } > daily-log.txt
you might be
Dear PayPaI customer,
As a security measure, we regularly monitor PayPaI
activity. We recently noticed a problem with your account.
We have determined that someone may have tried to access
your PayPal account without your authorization. For your
Is there a way to filter ARP on an OpenBSD bridge firewall joining a
bunch of ethernet ports with their own VLANs? I'm horrified by the
shared ethernet segments some organizations use for access among
mutually un-trusting people.
Currently pf does allow me to prevent L3 games, but it seems like
server, httpd, is chrooted ... so why would there be a
problem here ?
Because security is never absolute. It is a matter of probabilities,
measuring cost against risk, reducing possible attack vectors, and
minimizing the effects of a successful attack. In practice, it means
following redundant best
IPSec to
protect it at the network layer.
NFS is not designed with security in mind. It transmits data
unencrypted. It has no real authentication and no real access
control. It is designed for strictly private networks with
no external access that no potential attackers have access to.
If you
platform
- This box is actually used as firewall
- This box is also used as webserver
- This box is finally used as local shared drives via NFS file
but only open to subnetwork through PF
NFS is not designed with security in mind. It transmits data
unencrypted. It has no real authentication
with security in mind. It transmits data
unencrypted. It has no real authentication and no real access
control. It is designed for strictly private networks with
no external access that no potential attackers have access to.
Just to clarify,
On an OpenBSD list, i am talking about NFS
On Sat, Feb 28, 2009 at 05:49:22PM +0100, Felipe Alfaro Solana wrote:
[snip]
Of course if the attacker can gain remote access to the machine, IPSec is
not very useful since the attacker can probably retrieve the encryption keys
from the kernel :)
And the same is true of NFSv4. And if your
- This box is also used as webserver
- This box is finally used as local shared drives via NFS
file
but only open to subnetwork through PF
NFS is not designed with security in mind. It transmits
data
unencrypted
Ingo Schwarze wrote:
That doesn't help the original poster because NFSv4 is not available on
OpenBSD.
Technically there is an NFSv4 client server available for OpenBSD,
although.. it might need some manual tweaks for 4.4 or 4.5.
http://snowhite.cis.uoguelph.ca/nfsv4/ +
but only open to subnetwork through PF
NFS is not designed with security in mind. It transmits
data
unencrypted. It has no real authentication and no real
access
control. It is designed for strictly private networks
There is a very good alternative for NFS. The name is scp. A small
How-To is described
in book Mastering FreeBSD and OpenBSD security.
In my point of view firewall must be separate machine in all cases.
www and file server on one machine is acceptable solution in case of
use of chroot, jail,
zones
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Salutations --
The archive of ports-security shows the last post to be from January
2006.
What is the appropriate channel through which to receive security
notices regarding ports and packages?
Cheers -d
David Talkington
dt...@drizzle.com
On Sat, Feb 28, 2009 at 6:06 AM, dt...@drizzle.com wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Salutations --
The archive of ports-security shows the last post to be from January 2006.
What is the appropriate channel through which to receive security notices
regarding ports
Jean-Francois wrote:
Hi All,
I actually built the following system :
- OpenBSD running on a standard AMD platform
- This box is actually used as firewall
- This box is also used as webserver
- This box is finally used as local shared drives via NFS file but only
open to subnetwork through PF
.
If your real question is, is a properly configured OpenBSD system likely to
be somewhat more secure than other systems, most people on the OpenBSD list
would probably say probably. But asking about almost impossible is asking
to be lied to - no responsible security expert would make such a claim
is not designed with security in mind. It transmits data
unencrypted. It has no real authentication and no real access
control. It is designed for strictly private networks with
no external access that no potential attackers have access to.
If you can afford it, also separate the webserver from
with external data. If you have a firewall and a
webserver running on the same machine, you shouldn't have the shared drives
there because in the event of a security breach you are giving information
for free to the attacker.
Mixing a webserver with a firewall it is also risky, you are again
probably sufficient, and lets you use your shiny new amd64
box as the webserver.
NFS is not designed with security in mind. It transmits data
unencrypted. It has no real authentication and no real access
control. It is designed for strictly private networks with
no external access
Hi All,
I actually built the following system :
- OpenBSD running on a standard AMD platform
- This box is actually used as firewall
- This box is also used as webserver
- This box is finally used as local shared drives via NFS file but only
open to subnetwork through PF
Assuming that
as
long as the (subnet is not compromised by false manipulation of course)
Never, because you are running a Web server on the machine, and possibly an
SSH server and lots of code that might contain security holes.
Thanks for care,
JF
--
http://www.felipe-alfaro.org/blog/disclaimer/
and a broad insurance policy. You want
OpenBSD's security profile to become even better than it is today?
Hire some of the competent core developers. Other than that, OpenBSD
is mostly a volunteer project, and the people who are so kind to
freely give the fruits of their labour of love to you and me
Richard Toohey wrote:
$ md5 /usr/sbin/ntpd
MD5 (/usr/sbin/ntpd) = a0c8961d5818b438ecbfd6c40be47a5f
$ cat /etc/passwd
root:*:0:0:Charlie :/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System :/operator:/sbin/nologin
Your system must have been hacked.. The
Who said the french have no sense of humor? Thank you Jean-Francois for
a healthy laugh in the morning!
JB
Jean-Francois wrote:
Hi All,
It looks like my server running since few days has already been hacked.
It looks like a new user called 'daemon' ID 1 and a new group daemon.
User's full
On 2009-02-20, Jean-Francois jfsimon1...@gmail.com wrote:
I am not sure at all about this, maybe one has changed the daemon.
After I checked the addresses that this daemon connected to, they were
very strange as webservers content (blogs, default page 'It works' and
so on ... I guess ntp
Hi All,
It looks like my server running since few days has already been hacked.
It looks like a new user called 'daemon' ID 1 and a new group daemon.
User's full name 'The devil itself' First time I find out evidence
of hack on my server, however it's only one month running !!
It looks like
On 21 Feb 2009 at 0:46, Jean-Francois wrote:
Hi All,
It looks like my server running since few days has already been hacked.
It looks like a new user called 'daemon' ID 1 and a new group daemon.
User's full name 'The devil itself' First time I find out evidence
of hack on my server,
On 21/02/2009, at 12:46 PM, Jean-Francois wrote:
Hi All,
It looks like my server running since few days has already been
hacked.
It looks like a new user called 'daemon' ID 1 and a new group daemon.
User's full name 'The devil itself' First time I find out
evidence
of hack on my
Those are there by default. If the users shell is 'nologin' then you
are chasing phantoms.
Also, no, someone named 'Charlie' did not compromise root (well, most
likely :-).
-Bryan
On Fri, Feb 20, 2009 at 3:46 PM, Jean-Francois jfsimon1...@gmail.com wrote:
Hi All,
It looks like my server
I didn't reply here for a long time, but this cracks me up :D
You are the king :D
Jean-Francois wrote:
Hi All,
It looks like my server running since few days has already been hacked.
It looks like a new user called 'daemon' ID 1 and a new group daemon.
User's full name 'The devil itself'
Hi,
I noticed that the cisco end of a VPN I configured on my openBSD sends a
DELETE message after a certain amount of idle time.
This feature is described in
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html#wp1045897
The effect is, that the VPN no longer works.
Hi,
On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote:
I noticed that the cisco end of a VPN I configured on my openBSD sends a
DELETE message after a certain amount of idle time.
Which SAs get deleted? isakmp, ipsec or both?
HJ.
On 19 Jan 09 at 17:37, Hans-Joerg Hoexer wrote:
Hi,
On Mon, Jan 19, 2009 at 04:56:25PM +0100, Christoph Leser wrote:
I noticed that the cisco end of a VPN I configured on my openBSD
sends a
DELETE message after a certain amount of idle time.
Which SAs get deleted? isakmp, ipsec or
-Original Message-
From: dug [mailto:d...@xgs-france.com]
Sent: Monday, 19 January 2009 17:44
To: Hans-Joerg Hoexer
Cc: Christoph Leser; misc@openbsd.org
Subject: Re: Cisco IPSec Security Association Idle Timers and isakmpd
On 19 Jan 09 at 17:37, Hans-Joerg Hoexer
of security instead of an actual benefit.
We have hopes to protect the part of the process that we can trust eventually,
e.g., the parts internal to OpenBSD.
This requires a master key, dependent keys for packages signers, and that's
about it. Plus some process to revoke stuff.
Everything
the
integrity of the signatures, the source used to compile the binaries
that are signed, and the binaries themselves, you are providing a
misleading sense of security instead of an actual benefit.
An example of the difference:
http://rhn.redhat.com/errata/RHSA-2008-0855.html
--
Matthew
2008/12/17 Marc Espie es...@nerim.net:
We think it's worse to sign packages than not to sign them if you don't have
a fairly strict process that ensures you have a correct chain of trust.
Agreed. PGP provides that, but I can understand that nobody wants GnuPG
in base. :-{
Best
Martin
Martin Schröder wrote:
2008/12/17 Marc Espie es...@nerim.net:
We think it's worse to sign packages than not to sign them if you don't have
a fairly strict process that ensures you have a correct chain of trust.
Agreed. PGP provides that, but I can understand that nobody wants GnuPG
in
understand that nobody wants GnuPG
in base. :-{
I think a full chain of trust like PGP provides is way too much for what
we need, and too complicated. There have been security holes in the past
in full PKIs. If we don't need full PKI, it's better to have a simpler model
that a normal human can
Jacob Yocom-Piatt j...@fixedpointgroup.com wrote:
the next best option i can think of is to have the hashes (sha256 and/or
others) fetched via ssh from a trusted site, e.g. your nearest anoncvs
server. it avoids the gnupg requirement but is still susceptible to mitm
on key fingerprints,
over a year ago, the issue is safe deployment of a correct pki.
We think it's worse to sign packages than not to sign them if you don't have
a fairly strict process that ensures you have a correct chain of trust.
Without that, signatures provide a false sense of security that doesn't
match
OpenBSD already has an SSL cert. Just publish the checksums over HTTPS.
Of course, that implies trust on the SSL PKI, but the moaners will
surely accept that.
--
Jussi Peltola
On Wed, Dec 17, 2008 at 3:56 PM, Jussi Peltola pe...@pelzi.net wrote:
OpenBSD already has an SSL cert. Just publish the checksums over HTTPS.
It's that easy?
On Wed, Dec 17, 2008 at 04:11:43PM -0500, Ted Unangst wrote:
On Wed, Dec 17, 2008 at 3:56 PM, Jussi Peltola pe...@pelzi.net wrote:
OpenBSD already has an SSL cert. Just publish the checksums over HTTPS.
It's that easy?
To silence the people demanding magic security dust? Yes.
To guarantee
Well sorry if I may attend to this talk but what I saw so far is kinda
disappointing.
You all talk about GnuBLAFOO and PKIs...
OpenBSD uses gzip (not even with -9..) for the packages and for gzip
there's a tool called gzsig which is already included in the base.
What does the tool do?
gzsig
Yes md5sums are not that great. Sha1 would be nicer I guess.
2008/12/16 Martin Schröder mar...@oneiros.de
2008/12/15 Marc Espie es...@nerim.net:
Heck, we're further along the curve than most others. If you look closely
at
cough
OpenSUSE has signed packages and signed repos for years. So
On 2008-12-16, Martin Schröder mar...@oneiros.de wrote:
2008/12/15 Marc Espie es...@nerim.net:
Heck, we're further along the curve than most others. If you look closely at
cough
OpenSUSE has signed packages and signed repos for years. So have many
other Linux distros.
OpenBSD is still
On Tue, Dec 16, 2008 at 10:53:01AM +0100, Martin Schröder wrote:
2008/12/15 Marc Espie es...@nerim.net:
Heck, we're further along the curve than most others. If you look closely at
cough
OpenSUSE has signed packages and signed repos for years. So have many
other Linux distros.
OpenBSD
2008/12/15 Marc Espie es...@nerim.net:
Heck, we're further along the curve than most others. If you look closely at
cough
OpenSUSE has signed packages and signed repos for years. So have many
other Linux distros.
OpenBSD is still debating md5s of packages in 2008.
Best
Martin
It's generally an issue of resources. Most of your linux distros are
mostly commercial. Debian is the only non-commercial, but they still
get more funding than openbsd.
Openbsd has always been a developer's distro. If you feel that
strongly about things - fund it or build it yourself, or start a
OpenBSD is still debating md5s of packages in 2008.
Seems like the first step would be to have checksums for all
of the base system. Then do packages, then consider signatures.
Personally I can live without signatures, but a checksum
(or some form of data integrity verification) is needed.
I
- an australian security
conference a large number of participants had openbsd t-shirts
stickers etc - if one had a sig / link to a chain it could have been
spread / if it was on a cd -- key could be compared to what others
had) . Why not openbsd ?
Because nobody has implemented it yet
(and then distributed in the
operating system) is likely to result in package integrity being
compromised.
It does not matter what faith one places in the pki or webs of trust
(gpg/pgp style). Most linux distributions have had their packages signed for
years (for example at ruxcon - an australian security
(and then distributed in the
operating system) is likely to result in package integrity being
compromised.
It does not matter what faith one places in the pki or webs of trust
(gpg/pgp style). Most linux distributions have had their packages signed for
years (for example at ruxcon - an australian security
On Sun, 14 Dec 2008, spamtester spamtester wrote:
It does not matter what faith one places in the pki or webs of trust
(gpg/pgp style). Most linux distributions have had their packages
signed for years (for example at ruxcon - an australian security
conference a large number of participants
Martin Schröder wrote:
Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about the
patches through one of the designated channels)? Don't you want
people installing them?
Is it so hard to write a mail to the list
On Sun, Nov 30, 2008 at 10:23:56AM -0800, new_guy wrote:
Martin Schröder wrote:
Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about the
patches through one of the designated channels)? Don't you want
* Martin Schröder [EMAIL PROTECTED] [2008-11-13 10:02]:
Is it so hard to write a mail to the list once every few months? The
content is already there...
I have written security announcements before. It is way more work and
way more involved than you think. It sucks. Not sure whether I'll do
Jose de Paula Eufrasio Junior wrote:
Hello, before anything else, I did read all material about the OpenBSD
security policies on the website.
...
I read the documentation on the site already and would like to get some
more info about the process.
...
2) The OpenBSD and OpenSSH code
Jose de Paula Eufrasio Junior wrote:
Hello, before anything else, I did read all material about the OpenBSD
security policies on the website.
...
I read the documentation on the site already and would like to get some
more info about the process.
...
2) The OpenBSD and OpenSSH code
On Thu, Nov 20, 2008 at 7:44 AM, Janne Johansson [EMAIL PROTECTED] wrote:
You said twice above that you read all materials and couldn't figure out if
the code is always available or have periodic releases? Booo.
As I also said:
I used the same questions on all
projects I researched so they
On Thu, Nov 20, 2008 at 11:44 AM, Janne Johansson [EMAIL PROTECTED] wrote:
You said twice above that you read all materials and couldn't figure out if
the code is always available or have periodic releases? Booo.
Jose de Paula Eufrasio Junior wrote:
On Thu, Nov 20, 2008 at 7:44 AM, Janne Johansson [EMAIL PROTECTED] wrote:
You said twice above that you read all materials and couldn't figure out if
the code is always available or have periodic releases? Booo.
As I also said:
I used the same questions
While most modern PATA drives (circa 2000/2001) have the ATA security features
included in their electronics, it is not clear to me how usable the atactl
security commands are for the typical OpenBSD admin with PATA drives.
1. Many BIOSes issue a FREEZE LOCK on discovery, disabling security
On Wed, Nov 19, 2008 at 10:34 PM, Jose de Paula Eufrasio Junior
[EMAIL PROTECTED] wrote:
Hello, before anything else, I did read all material about the OpenBSD
security policies on the website. Now I am trying to get some more
insider insight on it.
Writing a paper about open source software
Hello, before anything else, I did read all material about the OpenBSD
security policies on the website. Now I am trying to get some more
insider insight on it.
Writing a paper about open source software security and not including
OpenBSD case is kinda idiot so I am running against time to find
Hi,
On Thu, 13.11.2008 at 08:55:04 -0500, Ted Unangst [EMAIL PROTECTED] wrote:
So get on the developer's case when they don't send out notifications.
All this chatter now isn't going to change anything when the next
errata comes out. You want security announcement? Do something to
make
comes out. You want security announcement? Do something to
make it happen!
how do you suggest that Joe Random User can change the way you
developer folks work,
Ted already made a suggestion about this.
It's in the archives.
-wb
On Sat, Nov 15, 2008 at 5:21 AM, Toni Mueller [EMAIL PROTECTED] wrote:
I can imagine having a script, somehow tied into the CVS commit hook,
that would scan the commit message for security or reliability or
so, and automatically send out mails to this list, but would you use it
if I'd write
Martin Schröder [EMAIL PROTECTED] writes:
Do not let serious problems sit unsolved.
It's not a serious problem for us.
//art
-Original Message-
From: Theo de Raadt [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2008 1:29 PM
To: Ted Unangst
Cc: Thomas Pfaff; misc@openbsd.org
Subject: Re: Missing security announcements
Of course, this is how things always work on misc. There's the
developers do
' to be 'security'
related.
On Thu, Nov 13, 2008 at 11:50 AM, Thomas Pfaff [EMAIL PROTECTED] wrote:
Apparently not, so just remove the damn thing and avoid confusion.
Thanks, but we've decided to keep the list so we won't need the patch.
Here:
Index: mail.html
will solve your problems?
Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about the
patches through one of the designated channels)? Don't you want
people installing them?
Is it so hard to write a mail to the list once
security issues, someone should take the task to send a
mail via it once something arrives on the errata page.
Martin Schröder wrote:
2008/11/13 Theo de Raadt [EMAIL PROTECTED]:
I think that would work better. I am not here saying this because
I have answers. I don't. I think that people
running old software
quite frankly cannot rely on a mailing list run by people who don't
run -stable. So how can any of you hope we will solve your problems?
Why do you maintain stable by issuing security patches for it if you
don't care if anybody installs them (by not telling them about
to it in hope to get a quick mail notifying them of new patches or other
security issues, someone should take the task to send a mail via it once
something arrives on the errata page.
So get on the developer's case when they don't send out notifications.
All this chatter now isn't going to change
Ted,
everybody knows that's not going to happen. Why not scrap the security
announcement list if it's not being used or just whenever someone feels like
it? The mere existence of this list implies to users that new errata are
being announced to that list which is not the case. Get rid of the list
On Thu, Nov 13, 2008 at 9:12 AM, Tobias Weisserth
[EMAIL PROTECTED] wrote:
everybody knows that's not going to happen. Why not scrap the security
announcement list if it's not being used or just whenever someone feels like
it? The mere existence of this list implies to users that new errata
All this chatter now isn't going to change anything when the next
errata comes out. You want security announcement? Do something to
make it happen!
Ted,
everybody knows that's not going to happen.
I remember having asked the same question YEARS AGO and
nothing has changed since
there is also the errata rss feed from undeadly
If anyone cares enough, someone could write a perl/ksh/whatever script
that can mail updates to that list. Apparently nobody cares and the
list is useless ATM, so IMHO it should be deleted.
--
Aram Havarneanu
Janne,
On Thu, Nov 13, 2008 at 4:14 PM, Janne Johansson [EMAIL PROTECTED] wrote:
everybody knows that's not going to happen.
I remember having asked the same question YEARS AGO and
nothing has changed since then.
Reading those two next to each other says everything.
Why ain't you a bit
On 13 Nov 2008, at 15:56, Tobias Weisserth wrote:
Janne,
On Thu, Nov 13, 2008 at 4:14 PM, Janne Johansson [EMAIL PROTECTED] wrote:
everybody knows that's not going to happen.
I remember having asked the same question YEARS AGO and
nothing has changed since then.
Reading those two next to
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Janne Johansson
Sent: Thursday, November 13, 2008 10:14 AM
To: Misc OpenBSD
Subject: Re: Missing security announcements
why not just get it yourself if you're worried about it? just fire a crontab
entry
someone should take the task to send a
mail via it once something arrives on the errata page.
It is really easy to use that word should when it isn't you.
On Thu, 13 Nov 2008 11:22:09 -0500
Morris, Roy [EMAIL PROTECTED] wrote:
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Janne Johansson
Sent: Thursday, November 13, 2008 10:14 AM
To: Misc OpenBSD
Subject: Re: Missing security announcements
why
As someone new to OpenBSD and UNIX in general (reading a lot and trying
to learn) I signed up for the security list due to the description of
the list thinking I would be covered if something serious were to come
up. I only check errata about every week or so and as of right now I'm
not even sure
To everyone who wants security-announce to work:
On Thu, 13 Nov 2008 09:29:09 -0700
Theo de Raadt [EMAIL PROTECTED] wrote:
someone should take the task to send a mail via it once something
arrives on the errata page.
It is really easy to use that word should when it isn't you.
I'll do
just fire a crontab entry and move on
actually, that's a great idea, I just scheduled the following script
this mails the diff of errata.html, but only if something changed
#!/bin/sh
rel=44 # OpenBSD version
ftp http://www.openbsd.org/errata$rel.html >/dev/null 2>&1
if [ $? != 0 ]; then
echo
On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu [EMAIL PROTECTED] wrote:
Is security-announce an open list? If not, give me access and I'll
keep it reasonably up to date, give or take a day or so of release of
the Security Errata on the website, unless there is an even faster way
of checking
, it's the person who made the
Ted original fix. There's no announcements on the list because probably
Ted half the developers don't know they are supposed to make such
Ted announcements.
Who handles the errata page, assigning the sequential numbers and deciding
whether it's a security fix
, then? Apparently the errata page is kept up-to-date, so
why not automate the process of sending mail to security-announce?
Thomas
801 - 900 of 1391 matches