On 3/16/07, Martin Schröder <[EMAIL PROTECTED]> wrote: [snip blah blah blah...]
After all the kvetching and sensationalism that's characterized both this thread and the release of this errata, there are a few things I wanted to point out. Theo's already put out the timeline and circumstances around classification of reliability and later security fix. Core Security also included the timeline in their advisory.

The first point to make is this: the fix was applied in a more-than-timely manner. The errata was merged into -stable and made available March 7. Core Security released their advisory March 13. That's very good lead time, and that means the patch was available darn near a week before the advisory came out. If people aren't checking the errata pages for a week at a time, there's a larger issue than a lack of email notification.

The second point relates to the natural dissent that the first point invites: if the announcement doesn't go to the security announce list, how are people supposed to know that the errata is available? I want everyone trying to make that point to think of all the software vendors they deal with, including the commercial software vendors to whom you pay thousands (and depending on the size of your organization, millions) of dollars per year. Can you say that you get SMTP notifications from all of them? The answer, if you're in any situation resembling what I've been in for the last decade, is no. The reality is, it's *not* an assumption that you'll get notifications from anyone in your happy little inbox. Most of my current vendors (lots of them, too) don't have any official vulnerability notification channel in place, and when we approach them about it, they point us to their web site support page where we can find updates as they are released. The landscape for this kind of thing is awful, and in fact OpenBSD is ahead of the curve here because they actually do admit and respond to vulnerabilities in an open manner. Closed-source, commercial vendors hide it and sweep it under the rug.
As has been pointed out, you will have better success tracking other sources so that you increase your chances of hearing about vulnerability information before it's too late. source-changes is a good option. Undeadly is nice. tech@ is a good one to lurk on. There's an IRC channel. And of course, there's the collection of Internet resources for vulnerability research information. If you're not tracking things like bugtraq, full-disclosure, Dshield, CERT lists, milw0rm, etc., etc., etc., then your problems (and your precious customers' problems) are much bigger than an IPv6 vulnerability in OpenBSD. You can bitch about the security announce mailing list, or you can put forth some effort to do something proactive yourself to get more benefit from the free software you use. Those of us that were patched before the advisory came out would probably say you're better off with the latter.

DS

