Re: [suse-security] Security announcements

I followed the discussion and here are some thoughts:

There should definitely be a Pre-Announcement with a vague
description like "Make X.XX has a security problem that can be
exploited by people having login access to the PC to get root rights;
the author is informed and will publish a patch/rewrite soon", and within
one or two weeks an in-depth description (probably with a patch)
would be released.

Thus administrators could shut down affected services or take other
steps to protect their systems when the pre-release is published. Given
the fact that a hacker was investigating the code of this piece of
software, he can be sure that many administrators have taken their
steps to secure their systems and that new code will be released soon.
Further investigation of this code would be absurd and a waste of time
for him, like for all the other "problematic minds" out there, as
whatever they are likely to find will not let them intrude into other systems.

That way admins could have up-to-date security for their systems
without giving hackers instructions to intrude into systems.

The messages indicate that many, if not most, admins around here do
not have enough spare time to fix security holes themselves (including
me). For those who want to, there could be an additional service:
upon sending an e-mail message to e.g. the SuSE security staff,
they could get detailed information in a GnuPG-encrypted message.
But they would need to supply their personal data to the security staff,
like written attestations from companies that they are the sysadmins
of their servers. This on the basis of "if SuSE trusts them not to use the
information to exploit other systems, they must trust SuSE to treat
their data confidentially".

For those who dislike aliases, imagine an MS employee who helps the
open source community in his spare time. If his employer knew
about his engagement, it could leave him unemployed. There are
many good reasons for aliases!
