
List:       openbsd-misc
Subject:    Re: Security ad Reliability advisories
From:       Gerardo Santana Gomez Garrido <santana () openbsd ! org ! mx>
Date:       2002-08-28 18:21:18

On Wed, Aug 28, 2002 at 10:48:21AM -0700, Ben Goren wrote:
> On Wed,  Aug 28, 2002  at 12:24:54PM -0500, Gerardo  Santana Gomez
> Garrido wrote:
> 
> > On Wed, Aug 28, 2002 at 10:13:53AM -0700, Ben Goren wrote:
> >
> > > On  Wed, Aug  28, 2002  at 12:04:26PM  -0500, Gerardo  Santana
> > > Gomez Garrido wrote:
> > >
> > > > There are some tools out there that retrieve the list of new
> > > > patches for OpenBSD  by querying the FTP or  HTTP servers at
> > > > least once a day, maybe more.
> > > >
> > > > This  supposes  significant  traffic  that  can  be  avoided,
> > > > providing an appropriate announce service.
> > >
> > > It's   called  security-announce@openbsd.org.    There's  also
> > > announce@openbsd.org.
> >
> > Are you subscribed? I'm afraid not, or  you would know what I am
> > talking about.
> 
> Yes, I am subscribed. I  get infrequent advisories that correspond
> with   the  infrequent   vulnerabilities. Do  you   get  something
> different?

Did you receive all the advisories for OpenBSD 3.1?? I don't think so.
There are currently 14 advisories for OpenBSD 3.1 and most of them
are missed.

> 
> > I  mean *appropriate  announce service*,  not crap. Verify  your
> > sources before posting.
> 
> Define ``appropriate.'' I  find it  perfectly appropriate,  but it
> would seem you do not. What  I get is definitely not crap. Perhaps
> you  could  provide  an  example  of  some  crap  that  came  from
> security-announce?

By appropriate I mean an efficient system for delivering *all*
advisories, in the same message format, so that they can be processed later.

Anything less than this is crap.

> I also haven't heard any complaints from anybody who maintains any
> of the  FTP or HTTP  mirrors about excessive traffic  generated by
> cron jobs.  If it's just a matter of fetching /errata.html, that's
> barely even a  blip that'll register on a server  that offers over
> five gigabytes  of files  just for  the latest  release. Are *you*
> having DOS problems  related to other people  pounding the servers
> for updates? If so, that's something else to address. But, if it's
> not a problem, what's the problem?

It is certainly not *excessive* traffic, but we have two situations here:

a) unnecessary traffic, mainly because of
b) a deficient security-announce list

That's the problem. We can make things better than this, can't we?

-- 
Gerardo Santana Gómez Garrido
http://www.openbsd.org.mx/~santana/
OpenBSD México
