Easy Roman! I think he meant this in good faith. We all appreciate the great work you guys do, and we all use SuSE because we think it's the best Linux (possibly the best OS) available. Sometimes we get a little "short" when we find out about a new hole in a package we all run, and we all know that it's usually not SuSE's fault. As you know I work for a company who among other things does vulnerability research. It is of utmost importance that vendors DO try and synchronise their release of updates where possible. We have numerous vulnerabilities that we have submitted to vendors, some of them up to 6 months ago, that have not yet been released to the wider public. This is taking things too far IMHO, but a couple of days to give vendors a chance to respond/bug check their code is most definitely a good idea. SuSE: Thank you for making a GREAT distro, and thank you for taking the time to continue to keep it secure and up to date. I have spent the last 3 months teaching IT admins and security folk (including several banks, Defense Departments and Computer Crime Squads etc.) to hack into systems (and how to secure them). The servers we break are NT and RedHat, which both have _heaps_ of default holes. I run my personal notebook as a server during these exercises and the attendees use my notebook running SuSE (originally 6.4, but now 7.0) as a launchpad to compile and run exploits against the other machines. Obviously the notebook itself is a target (especially considering everyone is given a normal shell account on it!). Indeed I challenge anyone to have a go at it once they are successful at breaking the other machines on the network. Now I haven't done anything to this machine, other than to keep packages to a minimum, and use the security features that come with SuSE, i.e. secmod and harden_suse etc., and no-one has yet managed to break this machine. I think that is a testament to how well SuSE are doing their job of security... Well done boys!
I think what Roberto meant was that he would like to see an expected ETA published on a web page somewhere for all "public" bugs (i.e. stuff that has already hit BugTraq etc.). We don't really need to see your timesheets Roman :-) Cheers Nix At 09:07 PM 14/11/2000 +0100, r.maurizzi@gvs.it wrote:
8 years in the business must have taught you to not make any claims about things that you don't know very much about, at least not in the public. I consider your words rude and inadequate. More below.
I'm very sorry. I didn't mean to say you don't work well, as I think exactly the contrary is true (I consider SuSE the best distribution security wise). My request was about what we could do to help you out in any manner. And to avoid other misunderstanding, yes, I know there's little we can do to help you directly: I'm firmly convinced that you/your team must continue to work as a whole to be able to work with the quality you showed thus far, that is by any means very high.
The problem is, these kind of things usually don't get done because "there's no time" ;-)
Who are you talking about?
Nobody in particular. I was referring to the general situation you can find in a lot of workplaces, and in which I found myself involved many times. Again, I wasn't referring to your situation since, as you rightfully state, I do not know it in the least. The thing I want to stress here is that the "no time for improvement" problem is a problem I have found many times, and I might add that it's never a fault of the people who work in an organization. It's sometimes caused by external factors (I'd say Linux popularity in your case) and sometimes by problems somewhere in an organization (problems that I *try* to solve with my work).
If it's a safe and clear thing to reveal, could you (== SuSE) tell us how you do your tracking work now? Maybe someone could suggest (or write) something useful. I'm not sure if I get your point here. Just to make sure that there is no misunderstanding wrt your question: Our work tracking/time management is not for disposition here.
My idea was that if you are using some popular open source packages, then maybe someone here could be able to add features or contribute resources that could help your work. You did similar things for us many times, posting examples or scripts that for you are trivial while for many of us were beyond reach. Maybe someone could have some code half-ready to help you with your work. Maybe not likely, but possible. Sadly for me, for this kind of thing I use Lotus Notes, but I'd be really glad to be able to help you in any way, since you and SuSE did help me a lot.
The fact that it does take time does need as much justification as the fact that we try our best to not publish any information unless we're absolutely sure that we know what we're talking about: none.
And that's exactly what I want you to continue to do. I *really* appreciate when you post a report saying "this problem does not affect SuSE because it uses a more tested/less feature-bloated/more old-and-secure package". I'm of the opinion that if I want to experiment with new and flashy things I must use a test environment, not my users. On production boxes I follow your approach completely: better with an older package with acceptable flaws than with a newer one with unknown problems.
Avoid working on weekends: the quality of what you "produce" tends to drop sharply... :-) If my ego wasn't so big, I would not have had to answer this mail and wasted the time that could have been used otherwise. Anyway, I hope that your last sentence was at least as friendly as your smiley at the end.
Sigh! I should have read my message more carefully; re-reading it I must say it's really easy to take it as insults... :-( I wanted to express, with regard to the "please understand this. Its weekend. We do our best." of Sebastian, that I completely second his point: working overtime and on weekends can do bad things for *everyone*. Speaking of which, I'd better go home since it's really late, so maybe tomorrow I won't write other stupid messages on this list... ;-)
Ciao, Roberto.
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com