Hi! I subscribed to security-announce a long time ago and thought I would receive information about security announcements, but contrary to what is stated on http://openbsd.org/mail.html: "security-announce - Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available.", as is easily verifiable here: http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/ together with: http://openbsd.org/errata44.html, the patches are not announced. If the stated announcement process via mailing list is unreliable or untimely, I'd think it's useless, and with it that mailing list. Regards Peer
Four of those 4.4 patches are listed as reliability patches and not security patches. So I can see why they were not posted to the security list. There is only one security patch there and that is patch 001. I'm sure one of the developers will correct me if I am wrong but that is my assumption. Simon.
For what it's worth (probably not much), there is also the errata rss feed from undeadly, which clearly marks SECURITY vs RELIABILITY patches. I'm sure everyone knows about this by now, but it does make a nice addition to an rss reader of choice. http://www.undeadly.org/cgi?action=errata
> there is also the errata rss feed from undeadly

If anyone cares enough, someone could write a perl/ksh/whatever script that can mail updates to that list. Apparently nobody cares and the list is useless ATM, so IMHO it should be deleted. -- Aram Havarneanu
FWIW, I received the "Welcome to the security-announce mailing list!" message on 9/4/2002 and nothing since. I don't think it's a big deal since there are other ways of getting the information.
On Wed, 12 Nov 2008 21:32:57 -0600 Given that we usually sign up to a security-announce mailing list for good reason, if the list isn't working as intended, or there is some misunderstanding as to why the list exists, then I'd like to know explicitly, if only so that I do not rely on the list too much. -- Aaron W. Hsu <arcfide@sacrideo.us> | <http://www.sacrideo.us> "Government is the great fiction, through which everybody endeavors to live at the expense of everybody else." -- Frederic Bastiat +++++++++++++++ ((lambda (x) (x x)) (lambda (x) (x x))) ++++++++++++++
It does not work because no one who works on OpenBSD runs -stable. Then every few months some of you come and yell at us. Honestly, I think we should get rid of the list. But then, it was created because people like you asked for it. So, if we got rid of it, people like you would yell at us. So how about if we leave the list in existence, and instead ignore your requests? I think that would work better. I am not here saying this because I have answers. I don't. I think that people running old software quite frankly cannot rely on a mailing list run by people who don't run -stable. So how can any of you hope we will solve your problems? People who can't, won't.
On Wed, 12 Nov 2008 21:17:46 -0700 Not yelling, honest; I was just curious. So, basically, no one has the time or motivation to send out updates? -- Aaron W. Hsu <arcfide@sacrideo.us> | <http://www.sacrideo.us>
None of the developers are on the list. Heck! More than half the developers don't even read misc because of who posts to it.
Why do you maintain stable by issuing security patches for it if you don't care if anybody installs them (by not telling them about the patches through one of the designated channels)? Don't you want people installing them? Is it so hard to write a mail to the list once every few months? The content is already there... Frankly: We have this discussion about once a year. Please either remove the list and spare us the discussions (and write a short notice on the page why you don't have the list) or use it. Either way will probably spare you more work than the status quo. Finally: If you don't bother about changing the status quo, may I (or someone else) use the list to send out mails about the errata? Best Martin
I too have of course subscribed myself to the list, and I think since it's there, it should work and be updated regularly. If we don't need such a list, then let's delete it. But since it's there, and people are subscribing to it in hope to get a quick mail notifying them of new patches or other security issues, someone should take the task to send a mail via it once something arrives on the errata page.
So get on the developer's case when they don't send out notifications. All this chatter now isn't going to change anything when the next errata comes out. You want security announcement? Do something to make it happen!
Ted, everybody knows that's not going to happen. Why not scrap the security announcement list if it's not being used or just whenever someone feels like it? The mere existence of this list implies to users that new errata are being announced to that list which is not the case. Get rid of the list and the problem is solved. The website is updated with new errata. Everybody should be able to follow the CVS. The list is flawed and obsolete. Just my 2 cents, as I remember having asked the same question YEARS AGO and nothing has changed since then. cheers, Tobias
On Thu, Nov 13, 2008 at 9:12 AM, Tobias Weisserth Because new errata should be announced on the list.
> Ted,
>
> everybody knows that's not going to happen.

> I remember having asked the same question YEARS AGO and
> nothing has changed since then.

Reading those two next to each other says everything.
Janne, Why ain't you a bit more explicit? Should /I/ have managed that list? Why didn't you if you care to post messages in this thread? This kind of answer is so redundant and hypocritical at the same time.
Seems perfectly simple. If you want them announced and nobody is doing it. then do it yourself. If you don't care then stop posting about it. Simon.
Hi, how do you suggest that Joe Random User can change the way you developer folks work, or what you work with? I can imagine having a script, somehow tied into the CVS commit hook, that would scan the commit message for "security" or "reliability" or so, and automatically send out mails to this list, but would you use it if I'd write it and give it to you? I'm sceptical, to say the least. Kind regards, --Toni++
Ted already made a suggestion about this. It's in the archives. -wb
No, because emails to sec-announce deserve more than just random commit messages. In particular, it should not send emails every time somebody makes a "no change to security" commit. And it needs to have the path to the patches in it.
It is really easy to use that word "should" when it isn't you.
To everyone who wants security-announce to work: On Thu, 13 Nov 2008 09:29:09 -0700 I'll do it. I care about having security announcements sent out in a way that makes it easy for us to track without having to write our own scripts. I happen to think a mailing list is a very good way of doing this. I'm willing to put in the time to do this, since I *do* use -stable. Is security-announce an open list? If not, give me access and I'll keep it reasonably up to date, give or take a day or so of release of the Security Errata on the website, unless there is an even faster way of checking it out, such as CVS. -- Aaron W. Hsu <arcfide@sacrideo.us> | <http://www.sacrideo.us>
It is moderated, and really, outsiders should not be posting to it because then it appears that they have some position of authority. The only person who should be posting to the list is the person who made the fix, because they are the security contact. When people reply, it is important they are talking to the right person. What you can do is monitor the list. If an erratum comes out and nothing happens for a day, email the person responsible and remind them. The person responsible is not necessarily the person who happened to commit to stable, though, it's the person who made the original fix. There are no announcements on the list because probably half the developers don't know they are supposed to make such announcements.
>>>>> "Ted" == Ted Unangst <ted.unangst@gmail.com> writes:

Ted> What you can do is monitor the list. If an erratum comes out and
Ted> nothing happens for a day, email the person responsible and remind
Ted> them. The person responsible is not necessarily the person who
Ted> happened to commit to stable, though, it's the person who made the
Ted> original fix. There's no announcements on the list because probably
Ted> half the developers don't know they are supposed to make such
Ted> announcements.

Who handles the errata page, assigning the sequential numbers and deciding whether it's a security fix or not? Surely, it would be easier to teach that small set of people (one?) to cc the mailing list on a security announcement, rather than expect that everyone with a core commit bit be reminded to watch errata to notice when their particular contribution has been accepted as a security patch. What am I missing here? -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc. See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
On Thu, Nov 13, 2008 at 1:38 PM, Randal L. Schwartz There's no real good reason why it can't be the same person, but maintaining stable already sucks enough without having more work. I won't ask that. And I strongly believe that the person making a security fix needs to take responsibility for seeing it through to the end. If they can't handle that, I don't think they should be making security fixes. Of course, everything I've said so far is more my opinion than project rules. By now, it should be pretty clear that the rules are not clear.
On Thu, 13 Nov 2008 10:38:06 -0800 Why should developers listen to people who are just consuming resources that they are giving out for free? We don't need to teach them, we can just do the work they don't want to do to free them up for doing the work they should be doing. Why bug them? They have work to do. -- Aaron W. Hsu <arcfide@sacrideo.us> | <http://www.sacrideo.us>
On Thu, 13 Nov 2008 12:55:36 -0500 Excuse my ignorance, but who keeps http://openbsd.org/errata44.html updated, then? Apparently the errata page is kept up-to-date, so why not automate the process of sending mail to security-announce? Thomas
Because it hasn't happened in 10 years of whining about it. There are two ways to fix the problem. One is the developers change their process. As should be damn clear by now, you're not making much progress in that regard. The other option is to step up and remind the developers when they are not doing what they should. That doesn't mean throwing a pity party on misc every 6 months, it means actively watching what's happening as errata come out. This is the one thing that *ANYONE* who cares can do, yet nobody does it. All we get is more chatter about changing things that obviously aren't changing. Of course, this is how things always work on misc. There's the developers do it option and the community does it option. The community is full of ideas about the first option, and full of shit when it comes to the second. It doesn't matter which way is better, it only matters which way something will get done.
That is exactly what happens. Now what happens next? You guys out there on misc have more ideas that we can ignore? Because that is exactly what I will do. I'm just so sick and tired of the whining, and over the last year or so I have adjusted my attitude and started getting pleasure out of watching the futility.
<quote src="http://www.openbsd.org/goals.html"> Do not let serious problems sit unsolved. </quote> Best Martin
It's not a serious problem for us. //art
One idea that could be ignored, or not, would be standing down security-announcements and removing references to it from the FAQ. In the nine months I've subscribed I've seen two messages: "Welcome to the security-announce list" and "CONFIRM from security-announce (subscribe)". Its existence raises expectations and elicits complaints. It doesn't do much else that I have seen. Granted, if it went away COMPLETELY, within six months someone would ask for it. Less likely if this thread got put in the FAQ, though. :-) -- Ed Ahlsen-Girard
On Thu, 13 Nov 2008 14:12:21 -0500 Applying my diff will get something done. Thanks for your time. Thomas
On Thu, 13 Nov 2008 12:55:36 -0500 Okay, I can see why everyone would prefer to see the developers sending their own fixes -- this is convenient to the users, though not to the developers. However, it is obvious that the developers do not wish to do this, have no time to bother with it, and aren't concerned at all. I don't blame them, that's perfectly legitimate. So we should get someone else to do it, because some people do care about having semi-timely security announcements on a mailing list. I also see no reason why someone announcing a security announcement that is detailed elsewhere should be required to be a developer heavily involved in the development process. The very nature of this suggests that people who meet this requirement will not have the motivation or time to do this. There is nothing wrong with having someone else You're implying ignorance of the developers, which I doubt. They don't care about it, and we shouldn't be nagging them about it. Instead, we should do something, rather than just being on the outside bugging them like annoying gnats. I'm offering to do the work. OpenBSD as a whole may not want me to do anything, but that's not my fault. At least I'm trying to *do* something; I don't consider nagging people who don't have time or motivation or reason to bother with such things to be a useful thing to do. -- Aaron W. Hsu <arcfide@sacrideo.us> | <http://www.sacrideo.us>
I just wrote something quick in perl that scrapes the errata pages of the two most recent releases and sends a nicely formatted email for any that have changed since the last check. It does require a couple of packages be installed (p5-libwww and p5-HTML-Tree) but if there were enough interest from someone who could do something with it, I could probably make it work with just what is available in the base system. There are lots of ways to break something that scrapes html, but it is at least automated. l8rZ, -- andrew - ICQ# 253198 - Jabber: andrew@rraz.net

#!/usr/bin/perl -T
use strict;
use warnings;

%ENV = ();

# Additional modules needed
use LWP::Simple;          # pkg_add p5-libwww
use HTML::TreeBuilder;    # pkg_add p5-HTML-Tree

# Core modules
use Text::Wrap;
use Fcntl ':flock';       # import LOCK_* constants

# should end with a /
my $base_url   = 'http://www.OpenBSD.org/';
my $start_page = 'errata.html';

my $sender    = 'andrew@mad-techies.org';
my $recipient = 'andrew@rraz.net';

# should end with a /
my $base_dir = '/home/andrew/.openbsd_errata_notifier/';

my $max_versions_to_process = 2;

#*#*# Nothing to change beyond this point #*#*#

# Fetch the errata index page and collect the per-release errata URLs
my $tree    = HTML::TreeBuilder->new();
my $content = get( $base_url . $start_page )
    or die "Couldn't get [$start_page]: $!";
$tree->parse($content)->eof;

my @errata_urls;
foreach my $link ( @{ $tree->extract_links('a') } ) {
    my ( $url, $element, $attr, $tag ) = @{$link};
    if ( $url =~ /^errata\d+\.html\Z/xms ) {
        push @errata_urls, $base_url . $url;
    }
}
$tree->delete;

# Only the most recent $max_versions_to_process releases are checked
my $processed = 0;
URL:
foreach my $url ( reverse @errata_urls ) {
    $processed++;
    last URL if $processed > $max_versions_to_process;

    my $tree    = HTML::TreeBuilder->new();
    my $content = get($url) or die "Couldn't get [$url]: $!";
    $tree->parse($content)->eof;

    # Release number (e.g. 4.4) is taken from the page title
    my $title = $tree->find('title')->as_trimmed_text;
    my ($version) = $title =~ /\b ( \d+ \. \d ) \b/xms;
    ...
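An added example of the same errata-notification idea (not andrew's Perl script above and not OpenBSD project code), written in Python so it runs offline against a constructed errata page: it parses the numbered entries, keeps only SECURITY fixes that a previous run has not already announced, and writes a mail body carrying the patch path, which is the filtering and content asked for earlier in the thread. The page markup, the patch file names, BASE_URL and the "seen" set are assumptions; a real page may be laid out differently.

```python
import re
from dataclasses import dataclass

# Constructed sample errata page (NOT fetched from openbsd.org). The markup is an
# assumption modeled on the thread's description: numbered entries marked
# SECURITY FIX or RELIABILITY FIX, each followed by a link to its patch file.
SAMPLE_PAGE = """<html><head><title>OpenBSD 4.4 Errata</title></head><body>
<li><strong>001: SECURITY FIX: Nov 4, 2008</strong> <i>All architectures</i><br>
Constructed description of a security fix.<br>
<a href="patches/4.4/common/001_example.patch">A source code patch exists.</a>
<li><strong>002: RELIABILITY FIX: Nov 10, 2008</strong> <i>i386</i><br>
Constructed description of a reliability fix.<br>
<a href="patches/4.4/common/002_example.patch">A source code patch exists.</a>
</body></html>"""

BASE_URL = "http://www.openbsd.org/"  # same base URL the thread's script uses

# One entry: "<strong>NNN: KIND FIX: date</strong> ... <a href="...patch">"
ENTRY_RE = re.compile(
    r"<strong>(?P<num>\d{3}):\s*(?P<kind>SECURITY|RELIABILITY) FIX:\s*"
    r"(?P<date>[^<]+?)</strong>.*?<a href=\"(?P<patch>[^\"]+\.patch)\"", re.S)


@dataclass(frozen=True)
class Erratum:
    version: str
    number: str
    kind: str
    date: str
    patch_url: str


def page_version(html):
    """Release number from <title>, the same \\d+.\\d idea as the Perl script."""
    m = re.search(r"<title>[^<]*?\b(\d+\.\d)\b", html)
    return m.group(1) if m else None


def parse_errata(html, base_url=BASE_URL):
    """All errata entries on one release's page, with absolute patch URLs."""
    version = page_version(html)
    entries = []
    for m in ENTRY_RE.finditer(html):
        patch = m.group("patch")
        if not patch.startswith("http"):
            patch = base_url + patch  # relative link: make it absolute
        entries.append(Erratum(version, m.group("num"), m.group("kind"),
                               m.group("date").strip(), patch))
    return entries


def new_security_errata(entries, seen):
    """Only SECURITY entries not in `seen` (announced on an earlier run) get
    mailed: reliability-only errata produce no message, as the thread asks."""
    return [e for e in entries
            if e.kind == "SECURITY" and (e.version, e.number) not in seen]


def announcement(e):
    """Mail text for one erratum; includes the patch path, as requested."""
    errata_page = f"{BASE_URL}errata{e.version.replace('.', '')}.html"
    return (f"Subject: OpenBSD {e.version} errata {e.number}: SECURITY FIX ({e.date})\n\n"
            f"A security patch is available for OpenBSD {e.version}:\n"
            f"  {e.patch_url}\nSee {errata_page} for details.\n")
```

Persisting the `seen` set between runs (a file under a lock, as the Perl script's Fcntl import suggests) is left to the caller.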
On Thu, 13 Nov 2008 09:29:09 -0700, "Theo de Raadt" and some of us don't really consider the 'errata' to be 'security' related.
additionally, I care very much about those patches, and apply each and every one where needed every time.
I have written security announcements before. It is way more work and way more involved than you think. it sucks. not sure whether I'll do it again. oh, and I actually run stable at places. -- Henning Brauer, hb@bsws.de, henning@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
I just check the errata web page every now and then. When/if anything huge is discovered (very seldom) then it's slashdotted or something. So in the end, I always seem to find out somehow.
If someone is following stable, and really cares about keeping their system(s) up to date, I can't imagine why they wouldn't take the few seconds per day required to glance at the errata page. I mean, if you're reading Slashdot, The Guardian, Al-Jazeera, The Onion, or what-have-you, on a regular basis, why not just toss the errata page into the mix? For Christ's sake, the errata are listed in reverse chronological order so you don't even have to hit the space bar to see what's new. Do they have to toss in a soother as well? Not to mention that checking the errata page daily only underlines the extent to which these people---who give away for free a complete operating system---are really on top of the game. cheers, -wb
Maybe your email address got lost somewhere. I have 75 entries from 12 April 2002 (in case your date format was not the screwed up yank format) or a few less counting from Sep '02. *** NOTE *** Please DO NOT CC me. I <am> subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you. Rod/ /earth: write failed, file system is full cp: /earth/creatures: No space left on device
Maybe you mean 2008, because I personally sent several messages to the list in the years since. If there was an errata that wasn't announced, remind the developer to send such notice. That's the only way they'll start sending such messages. I certainly can't remind them because I'm not subscribed so I don't even know what's missing.
No, I meant 2002. But as Rod suggested, it's quite possible I got unsubscribed accidentally. I see there are quite a few messages in the mailing list archives... In any case, I've seen announcements of all errata on misc or source-changes, so it's no big deal.
