Re: OpenBSD remote root

[David Damerell <djsd100 () cam ac uk>]

On Mon, 18 Dec 2000, Emre wrote:
> On Sunday 17 December 2000 23:26, Typo Princep wrote:
> > Now the funny thing is that 2 weeks have passed since the initial
> > bugreport, to the openbsd bugs mailinglist, and NetBSD in the meanwhile
> > seems to have put OpenBSDs bugfix into cvs.
> > But noone has made the userbase aware of the security problems nor has any
> > further discussion taken place on obsd-bugs.
> From http://www.openbsd.org/plus.html:
>       SECURITY FIX: Fix buffer overflow in ftpd
>       A patch is available.
>       [Applied to stable]
> For us, who check the daily changelog, this isn't new.  I dont believe it's
> OpenBSD's responsibility to notify every user of EVERY bug they fix.  It's
> your (the user's) responsibility to keep up with patches and such.  If you
> really care about your security, you should check the webpage more often.

There's a very fundamental difference between an alerting mechanism
that emails interested users and one that requires them to check a Web
page - or between the general classes of mechanisms that alert you
when there's a change and those you have to be constantly checking.

The latter is - well, I hesitate to say not acceptable, but
suboptimal; even the OS vendors one thinks of as having a rotten track
record on security can manage to run a security alerts mailing list.

--
David Damerell, Computer Officer, Department of Chemistry, Cambridge
Work: djsd100 () cam ac uk    Personal: damerell () chiark greenend org uk
   These are my opinions, not those of the Department as a whole.