[OpenAFS] When to publish security advisories?

Jeff Blaine jblaine@kickflop.net
Fri, 15 Apr 2011 14:13:59 -0400

> My proposal, going forwards, is to not produce security advisories or
> releases for these local denial of service attacks. Local issues that
> can result in privilege escalation, or denial of service attacks that
> can be performed by those outside a site's infrastructure, would still
> result in advisories.

That sounds sane to me.

> My supplemental question is just how much use the "security
> releases" actually are. Most of our packagers ignore them, in favour
> of pulling the patches that we release with the advisory into their
> packaging. Is just providing these patches sufficient? Is there
> actually a demand for a "super-stable" point update that just
> contains the security code, or is it acceptable to provide the
> security fix as part of a normal stable release?

Patches are fine, IMO, but I think the download page should then
indicate the recommended patches in a new (top!) section.

Then again, you're still possibly providing binary downloads of
a product with known security vulnerabilities, which means
ideally yanking all binary links until there are updated packages,
which means a maintenance chore... and it likely would have been
just as easy to release 1.X.N+1