Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] Request to SuSE
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Wed, 27 Feb 2002 19:59:13 +0100 (MET)
  • Message-id: <Pine.LNX.4.44.0202271943060.18900-100000@xxxxxxxxxxxx>
> Peter,
> You are right about the problem, but personally I think a new mailing list
> would be using a sledgehammer to crack a walnut. The existing
> suse-security-announce list is very low traffic and would still be low
> traffic if once a week or so there were a summary of outstanding problems.
> The summary should also be put on the web site with the security alerts.
> I also think SuSE should consider finding someone less technical to do
> this. Roman and colleagues do a fantastic job preparing the updates but I
> get the impression they are sometimes too busy with the next burning issue
> to finish off the boring publicity work for the last problem. Ideally
> there should be someone with technical writing skills who knows how to
> install a system who has the responsibility of making sure customers get
> the information they need on security matters. That person would for
> example make sure that every security update had an associated
> announcement (which sadly does not always happen at the moment).
> I know...such people are like gold dust and SuSE have to save money like
> everyone else. But there's no harm in asking...

Actually, all members of the SuSE security team know exactly that all good
security work requires publicity, and we do not consider this an overhead,
more a necessary thing to do. And, for my side, I kind of like the contact
with the people, which is also why I am present on this list, catching up
ideas, wishes and suggestions of all kind, hoping to be able to improve
the processes in general.

I have been following the thread and thought about it for a while, and I
think it is a very beautiful idea. There are just some little things that
keep us from doing it: Time and money. You can't hire a person in charge
for publicity work and then feed him all day with stuff that needs to be
published - the overhead is too much since that person must know her way
around not only in security, operating system design, deep insights in the
SuSE products, but also proper language usage (communication skills). I
think with the current setup, we (Thomas, Sebastian, Marc and myself) have
these capabilities and we can do that on our own, because we keep track of
what's going on in the security field (which is extremely busy these days,
unfortunately). Since this is very time consuming at best, our current
resource situation does not allow for such a publishing effort.

While we are constantly improving our internal processes, we will have
this idea in mind, and I am confident that there will be a solution for
it. For the time being, I am sorry to say that such a service might not be
affordable for SuSE without this thing becoming a subscription service
that customers pay for. Security processes are expensive if you buy them
in the industry, because the people providing the service have high
expenses as well. The price of a sole SuSE Linux product such as SuSE
Linux 7.3 will not be enough.

As I said, we are thinking about it, communicating it internally.

Thanks for the discussion!
- -
| Roman Drahtmüller <draht@xxxxxxx> // "You don't need eyes to see, |
SuSE GmbH - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -
