Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] SuSE security reputation, etc..
  • From: Volker Kuhlmann <kuhlmav@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 03 Aug 2000 21:48:23 +1200 (NZST)
  • Message-id: <200008030948.VAA27234@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Kurt Seifried's article

http://www.securityportal.com/cover/coverstory20000724.html

is extremely good. To make SuSE's security better, I would like the
relevant people at SuSE to pay attention to Kurt's suggestions.

These points I find particularly noteworthy (some of my own):

* Organise the ftp server better. Some rpms get put up without notice.

* Distinguish between security (= important) and maintenance (= I care
if I need to) updates

* Use the mailing lists properly. Like RH, you could mark advisories as
important (RHSA) or unimportant (RHBA). Any scheme will do. Although much
improved, I am still not comfortable in trusting suse-sec-announce. Sorry,
but redhat-watch inspires much more confidence. The not uncommon bugginess
of SuSE's alerts doesn't help.

* Use long file names in all advisories and web pages to make life easier
("which version do I have / need to get?"). That mentally deficient 8.3
is very annoying. I have used personal computers of varying types since
1983, and was *never* forced to use 8.3, and now I switch to SuSE...

* Checking md5 sums of updated packages is tedious. The advisory's
f87a61fe... ftp://suse/.../package-version.rpm
is good to feed into wget, but that line doesn't go into md5sum. As
the sum in the advisory appears to be handpasted, or how can the large
number of incorrect sums be explained?, the whole procedure is probably
a waste of time anyway. USE GPG-SIGNING - NOW!

On the positive - I am still using SuSE :-)

Volker
