On Sat, Oct 19, 2002 at 04:00:36AM -0000, soso@private wrote:

Hi,

> I'm new to both Openwall Gnu/Linux and this list, and would like to know
> how updates & security alerts are announced for this distro. I looked on
> the Openwall site and could find nothing about announcements.

Normally, security fixes are just marked specially (with big "SECURITY FIX" and vulnerability severity summary) in the system-wide change log available as Owl/doc/CHANGES* in each branch.

Before the 1.0 release, the two change logs for Owl-current and Owl 0.1-stable were linked from the Owl homepage, but now that 1.0 release is recommended for use instead of both of these branches and we haven't yet had a chance to apply significant changes to either Owl-current or Owl 1.0-stable, such links are temporarily gone. They will re-appear as soon as any significant changes are there.

One link that always remains valid for Owl-current is:

http://www.openwall.com/Owl/CHANGES.shtml

At the moment it's the same as the 1.0 change log (where you can see how some security fixes were documented in the past), but will soon be replaced with the post-1.0 one.

In general, minor security fixes (with low impact and/or affecting unusual setups) may not be announced other than by documenting them in the change logs, while critical security fixes will be announced to this list (owl-users) as well as sometimes to the announcement list (announce), although the latter isn't limited to Owl. Fixes for really bad vulnerabilities will also be announced to Bugtraq. We also provide vendor statements to CERT for inclusion in their Vulnerability Notes and advisories, but that's only for issues handled by them.

Thanks for your posting. I agree that we should document this policy officially rather than just in mailing list discussions like this.

--
/sd