My proposal, going forwards, is to not produce security advisories or releases for these local denial of service attacks. Local issues that can result in privilege escalation, or denial of service attacks that can be performed by those outside a site's infrastructure, would still result in advisories.
That sounds sane to me.
My supplemental question is just how much use the "security releases" actually are. Most of our packagers ignore them, in favour of pulling the patches that we release with the advisory into their packaging. Is just providing these patches sufficient? Is there actually a demand for a "super-stable" point update that just contains the security code, or is it acceptable to provide the security fix as part of a normal stable release?
Patches are fine, IMO, but I think the download page should then indicate the recommended patches in a new (top!) section. Then again, you're still possibly providing binary downloads of a product with known security vulnerabilities, which means ideally yanking all binary links until there are updated packages, which means a maintenance chore... and it likely would have been just as easy to release 1.X.N+1

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
