At 08:19 AM 1/30/2002 +1300, you wrote:
Oh please. rpm's package signing is there to check the integrity of packages which have come from unknown sources
Ok, ok.
<snip> I find downloading a recursive ftp server dir listing tells me what's new
a. Most of us are aware that updates can be applied manually. b. not all of use want to: I don't know about you, but time I spend on security comes mostly straight out of my small companies pocket. We can't really charge our customers for it. Thus, anything that speeds up the process is highly desirable. Besides, then less time I spend manually downloading and installing rpms, the more time I have to get serious work done, and do things like learn more about security /System Administration in general.
No doubt YOU will get there.
I truly hope so and think it will so long as SuSE cares about it.
I have submitted several bug reports to feedback@suse.com and bugs@suse.de
It's feedback@suse.de
I got feedback@suse.com directly from SuSE's web site. Perhaps you should tell SuSE their web site is wrong. And I did get auto replies from feedback@sues.com, so it's a valid feedback address, ok? If the US and German SuSE offices have problems communicating, it's their issue, not mine.
Also, as it's security-relevant you ought to be using security@suse.de at least some days before contacting bugtraq.
1. I have no memory of ever seeing that address. 2. I would have discussed it here or on suse-linux-e before posting to BugTraq (note: as a result of what CKM and Roman told me, I won't in the future be posting it to suse-linux-e. I'm just telling you what I would have done.) 3. As anyone wise soul would do, I would have asked on the SuSE mailing lists - or, if necessary, on BugTraq - for a security contact address at SuSE before posting any details. This is standard protocol. And I would have given them 1 to 2 months to do something about it first. - again, ~40 days seems to be the average standard for waiting. I probably would have asked how long I should wait for a small security issue (longer then for a large one, I would imagine) And
and not heard back from them. I have a serious mind to submit this to BugTraq in the hope of forcing SuSE to do something about it. I've never done anything like that before - do you think I should?
1. This was a question. I was asking the list for opinions on whether or not I should. Not when I should.
I consider it to be a serious issue if true,
I can't help but wonder at the sincerity of this statement. If you consider it potentially serious, perhaps you should participate in a little empirical science. What I said in my post is convincing enough. At worst, it would need to be replicated by another user, which would be easy to do and obviously would require someone else besides me.
but unless you correctly notify SuSE
And I would have...
you can't claim "vendor notified" status on bugtraq,
...and I wouldn't have...
which does not look good on you.
No it wouldn't, but I wouldn't do that.
Volker
---------------------------------------------------- Jonathan Wilson System Administrator Cedar Creek Software http://www.cedarcreeksoftware.com Central Texas IT http://www.centraltexasit.com