Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] Request to SuSE
  • From: Bob Vickers <bobv@xxxxxxxxxxxxx>
  • Date: Thu, 21 Feb 2002 16:18:17 +0000 (GMT)
  • Message-id: <Pine.OSF.4.44.0202211603320.11750-100000@xxxxxxxxxxxxxxxxxxxxx>
Peter,

You are right about the problem, but personally I think a new mailing list
would be using a sledgehammer to crack a walnut. The existing
suse-security-announce list is very low traffic and would still be low
traffic if once a week or so there were a summary of outstanding problems.
The summary should also be put on the web site with the security alerts.

I also think SuSE should consider finding someone less technical to do
this. Roman and colleagues do a fantastic job preparing the updates but I
get the impression they are sometimes too busy with the next burning issue
to finish off the boring publicity work for the last problem. Ideally
there should be someone with technical writing skills who knows how to
install a system who has the responsibility of making sure customers get
the information they need on security matters. That person would for
example make sure that every security update had an associated
announcement (which sadly does not always happen at the moment).

I know...such people are like gold dust and SuSE have to save money like
everyone else. But there's no harm in asking...

Bob


On Wed, 13 Feb 2002, Peter Nixon wrote:

> Hi Guys.
>
> I would like to bounce an idea off the list which I think would be of
> value. I propose that SuSE setup a suse-security-announce-pending
> mailing list where SuSE would officially notify of Pending problems in
> SuSE packages. Like most of you I receive a lot of email every day,
> (Bugtraq, CERT, SuSE-Security, SAGE-AU, SLUG, and a dozen other
> application specific mailing lists, plus of course my normal work and
> personal correspondence). Now of course I run _plenty_ of filters and
> everything is reasonably manageable, however as I am in the nice
> position that _every_ single piece of infrastructure I have under my
> control (with the exception of my routers, Sat Equipment, Load Balancers
> and 1 of my firewall levels) is SuSE Linux. To put it another way, every
> listening port on my network is on a SuSE box. Now I may be at the far
> end of the scale regarding SuSE's customers in this regard, but it would
> be very useful to me if I only _had_ to keep track of one mailing list
> to know if I have to disable some service or other until a fix comes
> out.
>
> Now, I know that this is not too much extra work because invariably
> whenever something new hits BugTraq that affects SuSE, a question gets
> sent to SuSE-Security to ask if this affects SuSE or not.
>
> Take the current outstanding issue with ucsnmpd for instance. The
> question has already been asked (and answered by Roman) as to whether
> SuSE is vulnerable or not. So as the time was taken by Roman to do this,
> (and say that there is an update pending) I think this info should be
> sent to an announcement list as a matter of course as soon as an issue
> breaks (If SuSE already has a patch ready due to coordination with other
> vendors etc, then it becomes unnecessary)
>
> As it was I had already read about the SNMPD problem (and disabled it on
> servers where it could conceivably cause a problem) on 4 other mailing
> lists before the response from Roman.
>
> As far as I'm concerned, the speed of _notification_ is more important
> than the speed at which a patch is released. I am quite comfortable
> disabling a service for days if necessary if I know there is a problem
> coming. Unfortunately to have this choice I currently have to wade
> through BugTraq etc every morning rather than just keeping an eye on a
> single low traffic SuSE maillist and leaving my bugtraq reading until
> lunchtime/weekends etc.
>
> This idea is obviously of less use to people who run more heterogeneous
> networks than I do, but as I'm sure SuSE would love to have more
> companies in my situation, this is something that should be looked at.
>

==============================================================
Bob Vickers R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
