Peter,

You are right about the problem, but personally I think a new mailing list would be using a sledgehammer to crack a walnut. The existing suse-security-announce list is very low traffic and would still be low traffic if once a week or so there were a summary of outstanding problems. The summary should also be put on the web site with the security alerts.

I also think SuSE should consider finding someone less technical to do this. Roman and colleagues do a fantastic job preparing the updates, but I get the impression they are sometimes too busy with the next burning issue to finish off the boring publicity work for the last problem. Ideally there should be someone with technical writing skills who knows how to install a system who has the responsibility of making sure customers get the information they need on security matters. That person would, for example, make sure that every security update had an associated announcement (which sadly does not always happen at the moment).

I know... such people are like gold dust and SuSE have to save money like everyone else. But there's no harm in asking...

Bob

On Wed, 13 Feb 2002, Peter Nixon wrote:
Hi Guys.
I would like to bounce an idea off the list which I think would be of value. I propose that SuSE set up a suse-security-announce-pending mailing list where SuSE would officially notify of pending problems in SuSE packages. Like most of you I receive a lot of email every day (Bugtraq, CERT, SuSE-Security, SAGE-AU, SLUG, and a dozen other application-specific mailing lists, plus of course my normal work and personal correspondence). Now of course I run _plenty_ of filters and everything is reasonably manageable; however, I am in the nice position that _every_ single piece of infrastructure I have under my control (with the exception of my routers, sat equipment, load balancers and one of my firewall levels) is SuSE Linux. To put it another way, every listening port on my network is on a SuSE box. Now I may be at the far end of the scale regarding SuSE's customers in this regard, but it would be very useful to me if I only _had_ to keep track of one mailing list to know if I have to disable some service or other until a fix comes out.
Now, I know that this is not too much extra work because invariably whenever something new hits BugTraq that affects SuSE, a question gets sent to SuSE-Security to ask if this affects SuSE or not.
Take the current outstanding issue with ucsnmpd for instance. The question has already been asked (and answered by Roman) as to whether SuSE is vulnerable or not. So, as the time was taken by Roman to do this (and to say that there is an update pending), I think this info should be sent to an announcement list as a matter of course as soon as an issue breaks. (If SuSE already has a patch ready due to coordination with other vendors etc., then it becomes unnecessary.)
As it was, I had already read about the SNMPD problem (and disabled it on servers where it could conceivably cause a problem) on 4 other mailing lists before the response from Roman.
As far as I'm concerned, the speed of _notification_ is more important than the speed at which a patch is released. I am quite comfortable disabling a service for days if necessary if I know there is a problem coming. Unfortunately, to have this choice I currently have to wade through BugTraq etc. every morning rather than just keeping an eye on a single low-traffic SuSE mailing list and leaving my BugTraq reading until lunchtime/weekends etc.
This idea is obviously of less use to people who run more heterogeneous networks than I do, but as I'm sure SuSE would love to have more companies in my situation, this is something that should be looked at.
==============================================================
Bob Vickers                             R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691