[csw-maintainers] Security alerts and updates

Mike Watters mwatters at opencsw.org
Thu Feb 5 23:18:59 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Philip Brown wrote:
> On Thu, Feb 05, 2009 at 10:42:11PM +0100, William Bonnet wrote:
>> Hi
>>
>>
>>>> Should we set up a system to send security alerts ? a mailing list ? a 
>>>> rss feed ?
>>> it's called "the announce list"
>> I'm not really sure it is "enough" from a user point of view. I think it 
>> is important to find easily this kind of information on the web site for 
>> a user.
> 
> ok, so we need to publicise the announce list more?
> 
> 
> 
>> Moreover, the channel we use to send information is not the only point. 
>> It is easy to send the same announce to the list, to a blog (wordpress 
>> allows posting from smtp) and to a rss feed.
> 
> true.
> 
> 
> 
>> But... my question is (blaming no one don't worry) how long since we 
>> last added a security announce on that list ?
> 
> how long has it been since we needed a security update?
> 
> the answer to both questions, is about the same I think.
> a long time.
> 
> 
> we don't do 'security only' updates very often.
> 
> 
> 
>> My point is not necessarily to change it, but to make it clear for 
>> users, to give them easy access to this information. Someone who 
>> comes to the site should find the security alerts or where the 
>> security alerts are in a minimal number of "mouse clicks" IMHO
> 
> please remember that, while having lots of information is potentially good;
> having a very cluttered top page, is bad.
> 
> in some ways, users are best protected from "security issues" by simply
> always running the latest released versions of the packages they have
> installed.

There are a bunch of sites out there that report this information,
most notably www.us-cert.gov; they have an RSS feed and weekly emails.

Offhand, we could get an RSS feed from one or more of the sites, merge
them together and filter them based on the software in our catalog.

Not a particularly easy task, but I wouldn't think smash-your-head-
against-the-wall difficult either. Using php/pear/mysql we could format
the list with links back to the original reporting site, www.us-cert.gov
or another, along with a link to the software site.




- --

Thanks,
Mike

"Any intelligent fool can make things bigger, more complex,
and more violent.  It takes a touch of genius -- and a lot of courage --
to move in the opposite direction."

* Albert Einstein 1879 - 1955
    US German-born Theoretical Physicist
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmLZdIACgkQLrhmsXMSLxebjwCgtW2cOsNbeO6L4nogGiw+khko
CugAnj49qygwTyMTKb4AlfbRnW5xFavR
=4iUY
-----END PGP SIGNATURE-----
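
The merge-and-filter idea from the message above, as an added example that is not part of the original post or of any OpenCSW code. It uses Python's standard library instead of the php/pear/mysql stack the message mentions; the feed contents, URLs and catalog names are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data: two RSS 2.0 feeds and a hypothetical package catalog.
FEED_A = """<rss version="2.0"><channel>
<item><title>OpenSSL signature verification flaw</title>
<link>https://feed-a.example/1</link><description>Affects openssl.</description></item>
</channel></rss>"""
FEED_B = """<rss version="2.0"><channel>
<item><title>openssl advisory (same report)</title>
<link>https://feed-a.example/1</link><description>Duplicate.</description></item>
<item><title>Sudo privilege handling bug</title>
<link>https://feed-b.example/7</link><description>In sudoers parsing.</description></item>
<item><title>Curly-quote rendering glitch</title>
<link>https://feed-b.example/8</link><description>Cosmetic.</description></item>
</channel></rss>"""
CATALOG = {"openssl", "sudo", "curl"}

def parse_feed(xml_text, source):
    """Parse one RSS 2.0 document; feeds are untrusted, so DTDs are refused."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in feed")
    get = lambda item, tag: (item.findtext(tag) or "").strip()
    return [{"title": get(i, "title"), "link": get(i, "link"),
             "text": get(i, "description"), "source": source}
            for i in ET.fromstring(xml_text).iter("item")]

def merge_feeds(feeds):
    """Merge (source, xml) pairs, keeping the first item seen for each link."""
    merged = {}
    for source, xml_text in feeds:
        for item in parse_feed(xml_text, source):
            merged.setdefault(item["link"], item)
    return list(merged.values())

def filter_by_catalog(items, catalog):
    """Keep items naming a catalog package as a whole word (case-insensitive)."""
    if not catalog:
        return []
    names = "|".join(re.escape(n) for n in sorted(catalog))
    pattern = re.compile(r"(?<![\w-])(?:%s)(?![\w-])" % names, re.I)
    hits = []
    for item in items:
        found = {m.lower() for m in pattern.findall(item["title"] + " " + item["text"])}
        if found:
            hits.append({**item, "packages": sorted(found)})
    return hits

if __name__ == "__main__":
    for a in filter_by_catalog(merge_feeds([("Feed A", FEED_A), ("Feed B", FEED_B)]), CATALOG):
        print(f'{a["packages"]} {a["title"]} <{a["link"]}> via {a["source"]}')
```

Whole-word matching keeps "sudoers" and "Curly" from matching `sudo` and `curl`; each surviving item keeps its link and source so the listing can point back to the reporting site.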


