Kurt Seifried's article http://www.securityportal.com/cover/coverstory20000724.html is extremely good. To make SuSE's security better, I would like the relevant people at SuSE to pay attention to Kurt's suggestions.

These points I find particularly noteworthy (some of my own):

* Organise the ftp server better. Some rpms get put up without notice.
* Distinguish between security (= important) and maintenance (= I care if I need to) updates.
* Use the mailing lists properly. Like RH, you could mark advisories as important (RHSA) or unimportant (RHBA). Any scheme will do. Although much improved, I am still not comfortable in trusting suse-sec-announce. Sorry, but redhat-watch inspires much more confidence. The not uncommon bugginess of SuSE's alerts doesn't help.
* Use long file names in all advisories and web pages to make life easier ("which version do I have / need to get?"). That mentally deficient 8.3 is very annoying. I have used personal computers of varying types since 1983, and was *never* forced to use 8.3, and now I switch to SuSE...
* Checking md5 sums of updated packages is tedious. The advisory's
  f87a61fe... ftp://suse/.../package-version.rpm
  is good to feed into wget, but that line doesn't go into md5sum. As the sum in the advisory appears to be handpasted (or how can the large number of incorrect sums be explained?), the whole procedure is probably a waste of time anyway. USE GPG-SIGNING - NOW!

On the positive - I am still using SuSE :-)

Volker
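
The md5 step described in the last bullet, as an added example that is not part of the original post or any SuSE tooling: it converts advisory lines of the form "<md5> <url>" into the "<md5>  <file>" list that `md5sum -c` accepts, and rejects truncated sums. The function names, the sample host and the package names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed advisory excerpt: host and package names are made up, and the
# full sums are simply the MD5 of an empty file.
SAMPLE_ADVISORY='Please verify the packages after download:
d41d8cd98f00b204e9800998ecf8427e ftp://ftp.example.org/pub/update/package-1.0-1.i386.rpm
  D41D8CD98F00B204E9800998ECF8427E  ftp://ftp.example.org/pub/update/package-devel-1.0-1.i386.rpm
d41d8cd9 ftp://ftp.example.org/pub/update/short-sum-1.0-1.i386.rpm'

# Read advisory text on stdin; print "<md5>  <file name>" (md5sum -c format)
# for every line that is a full 32-hex-digit sum followed by a URL.
# Truncated or mistyped sums are dropped here instead of failing later.
advisory_to_md5list() {
    awk '
        length($1) == 32 && $1 ~ /^[0-9A-Fa-f]+$/ && $2 ~ /^(ftp|https?):\/\// {
            n = split($2, part, "/")
            name = part[n]                      # last path component only
            if (name == "" || name == "." || name == "..") next
            printf "%s  %s\n", tolower($1), name
        }'
}

# Print only the URLs of the accepted lines, e.g. for "wget -i -".
advisory_urls() {
    awk 'length($1) == 32 && $1 ~ /^[0-9A-Fa-f]+$/ && $2 ~ /^(ftp|https?):\/\// { print $2 }'
}

# verify_advisory ADVISORY_FILE [DIR]: check files already downloaded into DIR.
# Returns 0 only if every listed file is present and matches; 2 if the
# advisory contained no usable checksum line.
verify_advisory() {
    list=$(advisory_to_md5list < "$1")
    [ -n "$list" ] || { echo "no checksum lines found in $1" >&2; return 2; }
    ( cd "${2:-.}" && printf '%s\n' "$list" | md5sum -c - )
}
```

A match only shows that the file equals what the advisory text says; a wrong or altered sum in the advisory itself is not caught, which is the gap the post's call for GPG signing addresses.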