[nycbug-talk] Security alerts to the list, good idea or waste of time?
G. Rosamond
george
Sun Nov 21 17:37:22 EST 2004
On Nov 21, 2004, at 5:32 PM, Scott Robbins wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> As most if not all of you know, there was a recent vulnerability in the
> fetch program, announced the 18th. I had a completely hectic day that
> day, and didn't check some of the sites I usually check, therefore, I
> didn't know about this vulnerability till the next day.
>
> In this case, no production boxes were fetching anything, but of course,
> they could have been for whatever reason.
>
> I wonder if you folks think it's a good idea that vulnerabilities get
> posted to this list, perhaps with security alert in the subject line. I
> don't always read each item in my nycbug mailbox, but such a subject
> line would catch my attention.
>
> So, what do you folks think? Is this just filling up people's mailboxes
> with something that we should all be checking ourselves, anyway, at
> least in a perfect world?
>
>
I understand your reasoning. . . I have been on and off (mostly on)
bugtraq since the early or mid 90's. . . I don't even remember. . . I
quickly scan the messages but certainly delete all when there's a
backlog. . .
I think the best solution is to either subscribe to the various BSD
lists, or bugtraq if you want to get crazy. . .
Obviously, this list is the place to discuss vulnerabilities, but I
personally think it would be a misuse to rebroadcast announced
vulnerabilities. . . Work out a filter on your MUA. . . that's probably
the best option. . .
Other thoughts on this?
g