Peter,
You are right about the problem, but personally I think a new mailing list would be using a sledgehammer to crack a walnut. The existing suse-security-announce list is very low traffic and would still be low traffic if once a week or so there were a summary of outstanding problems. The summary should also be put on the web site with the security alerts.
I also think SuSE should consider finding someone less technical to do this. Roman and colleagues do a fantastic job preparing the updates but I get the impression they are sometimes too busy with the next burning issue to finish off the boring publicity work for the last problem. Ideally there should be someone with technical writing skills who knows how to install a system who has the responsibility of making sure customers get the information they need on security matters. That person would for example make sure that every security update had an associated announcement (which sadly does not always happen at the moment).
I know...such people are like gold dust and SuSE have to save money like everyone else. But there's no harm in asking...
Actually, all members of the SuSE security team know exactly that all good security work requires publicity, and we do not consider this an overhead, more a necessary thing to do. And, for my side, I kind of like the contact with the people, which is also why I am present on this list, catching up ideas, wishes and suggestions of all kind, hoping to be able to improve the processes in general.
I have been following the thread and thought about it for a while, and I think it is a very beautiful idea. There's just some little things that keep us from doing it: Time and money. You can't hire a person in charge for publicity work and then feed him all day with stuff that needs to be published - the overhead is too much since that person must know her way around not only in security, operating system design, deep insights in the SuSE products, but also proper language usage (communication skills). I think with the current setup, we (Thomas, Sebastian, Marc and myself) have these capabilities and we can do that on our own, because we keep track of what's going on in the security field (which is extremely busy these days, unfortunately). Since this is very time consuming at best, our current resource situation does not allow for such a publishing effort.
While we are constantly improving our internal processes, we will have this idea in mind, and I am confident that there will be a solution for it. For the time being, I am sorry to say that such a service might not be affordable for SuSE without this thing becoming a subscription service that customers pay for. Security processes are expensive if you buy them in the industry, because the people providing the service have high expenses as well. The price of a sole SuSE Linux product such as SuSE Linux 7.3 will not be enough.
As I said, we are thinking about it, communicating it internally.
Thanks for the discussion!
Roman.
--
| Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see,
| SuSE GmbH - Security       Phone: //  you need vision!"
| Nürnberg, Germany +49-911-740530 //          Maxi Jazz, Faithless