Re: security issues and DragonFly

["Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>]

Jeremy C. Reed wrote:
> I couldn't find a DragonFly webpage that discussed security issues.
>
> I found a webpage that says: yes, DragonFly is ready for production and a 
> webpage that provides email address for reporting non-disclosable security 
> issues.
>
> Is there a security webpage I overlooked?

No, there is no web page.  Actually I don't think that's particularly useful.  Checking a web page is a "pull" action.  You could as well run a cvs up to get the latest sources of your release.

> Should just the bug tracking system be used? I think that may make it 
> difficult for weeding out the security specific issues. But nevertheless a 
> good place to also report security bugs.

I wouldn't know what for to use it.  Either you don't want to disclose information, then you can't use it, or you don't care, then it will be tracked as usual.  Not sure if it is necessary to track security issues separately.

> Okay if I just start a "security" page under wiki.dragonflybsd.org? 
> Basically it can list known issues and steps on how to report security 
> issues. And also note if someone is working on it or not.

Security officer usually fixes bugs within hours.  So usually there is only a pretty small window until a "known issue" becomes a "fixed issue".  A wiki page might suit that just well, though.

> As for the security-officer -- is there a private source that tracks the 
> issues reported there too?

What do you mean with "private source"?  Matt and me are receiving the mails and we act as needed, if it's that what you mean.

cheers
 simon

--
Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low €€€ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \

Attachment: signature.asc
Description: OpenPGP digital signature