Re: Updates

From: Solar Designer (solar@private)
Date: Fri Oct 18 2002 - 21:26:16 PDT


On Sat, Oct 19, 2002 at 04:00:36AM -0000, soso@private wrote:

Hi,

> I'm new to both Openwall GNU/Linux and this list, and would like to know
> how updates & security alerts are announced for this distro.  I looked on
> the Openwall site and could find nothing about announcements.

Normally, security fixes are just marked specially (with a big "SECURITY
FIX" and a vulnerability severity summary) in the system-wide change log
available as Owl/doc/CHANGES* in each branch.  Before the 1.0 release,
the two change logs for Owl-current and Owl 0.1-stable were linked from
the Owl homepage, but now that the 1.0 release is recommended for use
instead of both of these branches and we haven't yet had a chance to
apply significant changes to either Owl-current or Owl 1.0-stable,
such links are temporarily gone.  They will re-appear as soon as any
significant changes are there.  One link that always remains valid for
Owl-current is:

	http://www.openwall.com/Owl/CHANGES.shtml

At the moment it's the same as the 1.0 change log (where you can see
how some security fixes were documented in the past), but will soon be
replaced with the post-1.0 one.

In general, minor security fixes (with low impact and/or affecting
unusual setups) may not be announced other than by documenting them in
the change logs, while critical security fixes will be announced to
this list (owl-users) as well as sometimes to the announcement list
(announce), although the latter isn't limited to Owl.  Fixes for
really bad vulnerabilities will also be announced to Bugtraq.  We also
provide vendor statements to CERT for inclusion in their Vulnerability
Notes and advisories, but that's only for issues handled by them.

Thanks for your posting.  I agree that we should document this policy
officially rather than just in mailing list discussions like this.

-- 
/sd


