Dear Uli, It is worse than that: sometimes patches are inserted on the web server with an old date. So if you want to be sure of reading about all security updates: (1) It is not enough to read the e-mail announcements (2) It is not enough to check all patches released since you last checked (3) You have to read every single patch description from the beginning of time in case SuSE have slipped one in It isn't easy for SuSE because keeping up with security fixes is very manpower-intensive and they don't get any direct revenue for it. Sending out the official announcement is the last step of a long process and sometimes gets missed out. I think there are a couple of simple things SuSE could do which would help: (1) The date in the patch description on http://www.suse.de/en/private/download/updates/82_i386.html should reflect the date the web page was updated, not some earlier date. (2) Publish a status board giving brief information about each security vulnerability (e.g. "we are working on it", "patch available", "SuSE not vulnerable"). This would eliminate many of the questions on this mailing list. Bob On Tue, 26 Aug 2003, Ulrich Roth wrote:
Hello people from SuSE,
why isn't every security update announced here? As I want to update some of our servers, I looked through the list of downloadable patches on your server and found that some of them weren't announced in this list, e.g. patches for MySQL in June. Why is it like that? Regards Uli -- Ulrich Roth IMPACT Business & Technology Consulting GmbH Im Mediapark 8 / KölnTurm D-50670 Koeln Phone +49-221-93 70 80-29 Fax +49-221-93 70 80-15 E-Mail: roth at impact dot de
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
============================================================== Bob Vickers R.Vickers@cs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691