Thomas Michael Wanka wrote:
> There should be definitely a Pre-Announcement with a vague description like "Make X.XX has a security problem that can be exploited by people having login access to the PC getting root rights, the author is informed and will publish a patch/rewrite soon", within one or two weeks an in-depth description (probably with a patch) was released.
A good idea, but what to do with those working with another version of the same software product and as vulnerable as the one mentioned in the message? Nobody could test his installed version. Not on-topic on this SuSE security mailing list, but in general you can imagine that someone is using the same software product on another platform and would like to know if it's vulnerable? How do you test it? Or do you have just one possibility: disable the service / software?
> Thus administrators could shut down affected services or take other steps to protect their systems as the pre-release is published. Given the fact that a hacker was investigating the code of this piece of software, he can be sure that many administrators have taken their steps to secure their systems and new code was released soon. Further investigation on this code was absurd and a waste of time for him like for all the other "problematic minds" out there as whatever they are likely to find will not let them intrude other systems.
> That way admins could have up to date security for their systems without giving hackers instructions to intrude systems.
See above.
> The messages indicate that many to most admins around here had not enough spare time to fix security holes themselves (including me). For those who want to there could be an additional service, upon sending an e-mail message to e.g. the SuSE security staff, they could get detailed information by a GnuPG encrypted message. But they needed to supply their personal data to the security staff, like written attestations from companies that they are the sysadmins of their servers. This on the base "if SuSE trust them not to take the information to exploit other systems, they must trust SuSE to treat their data confidential".
OK, I have had my own business for almost 25 years, so I should send a letter to SuSE on my own paper admitting that I'm qualified to do the job? Of course these rules can't be oppressed and SuSE has to make the decision if you're admitted to read the security alerts. In case they make a mistake, who would you blame? They might oppress me to read the alerts and my systems are cracked. Are you then happy? Or they permit me to read the alerts and someone else's system is cracked. Am I to be blamed then? You see, more questions than reasonable answers. As always in security affairs, nothing is absolute, trust included.
> For those who dislike aliases, imagine a MS employee who helps the open source community in his spare time. If his employer knew about his engagement it could make him unemployed. There are many good reasons for aliases!
Well said.

Regards,
Fred Mobach
e-mail : fred at mobach.nl