Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 4 Apr 2011 00:44:33 +0400
From: Solar Designer <>
Subject: Re: Closed list

On Sun, Apr 03, 2011 at 01:23:26PM +0200, Miklos Vajna wrote:
> Please subscribe me to the new list. I was a vendor-sec subscriber.

I've tentatively subscribed you, for Frugalware.  However, I am not
convinced that you are / will be making sufficiently good use of the
advance notifications on medium-severity security issues.  I went to and here's what I saw:

1. There are recent non-security package updates (such as yesterday's).

2. The latest "security announcement" is dated 2011-02-13, and it is for
"opera".  Slightly older ones are for "drupal6-mollom", "wireshark",
"horde-webmail", "wordpress", and even more web apps stuff.  Then we
finally see an update to "kernel" on 2010-12-12.  Surely a distro that
supports running and even includes a web browser and popular web apps
also includes lots of other stuff, common to other distros, however
where are the security updates to those components for the last 3-4
months?  There have been some security bugs in them, including many more
in the kernel since 2010-12-12.  I understand that it's hard to find
time for all of the low and medium severity updates when you're just one
person doing security response for a non-tiny distro, and I understand
that you have a legitimate need for the info.  I am just not convinced
that the risk of "one more person" is justified when you haven't issued
an update for 48 days (or so) whereas the suggested embargo period on
the new list is up to 14 days.

Yet you're on the list for now.  Perhaps try to evaluate your use of the
info that will be arriving to you through the list and ask to be
unsubscribed if you determine that you're not making timely use of the
info anyway.

I must admit that we sometimes have the same problem at Openwall -
non-critical security issues are sometimes not patched for a while, and
we tended not to start preparing security updates for issues discussed
on vendor-sec until the CRD was very close.  We did the latter in part
not to add to the risk of inadvertently disclosing the issue.  This
suggests that the embargoes were unnecessarily too long, though (for us
at least).


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.