Re: Lack of notification of security notices

From: Kevin Oberman <rkoberman_at_gmail.com>
Date: Mon, 18 Apr 2022 21:06:48 UTC
On Mon, Apr 18, 2022 at 1:19 PM Gordon Tetlow <gordon@tetlows.org> wrote:

> From the secteam point of view, we haven't changed anything in the way we
> send messages to the mailing lists. I have double checked and all SAs are
> sent to the three addresses listed. I suspect this is likely fallout of the
> mailing list change over.
>
> I can say for my part, I have gotten a copy of the messages from both the
> freebsd-announce and freebsd-security mailing lists for the SAs I have sent
> out (I'm not subscribed to the freebsd-security-notifications list). I just
> confirmed the headers for the 2 copies of SA-22:08.zlib that I received
> that it is routing through the lists.
>
> It does appear as though the messages are not properly archiving into the
> mailing list archives. Adding postmaster to the thread for them to dig into
> why that might be.
>
> Gordon
> Hat: security-officer
>

Clearly, something has failed. The archives show no messages to stable,
security-notifications or announce for security advisories or errata notes
since an errata note on March 22. There was an e-mail on stable sent on the
7th asking why the April 6 messages did not get posted to stable, so it is
not just me. The issue is new this month, so the change in mailers last
year is not directly responsible. If I was to take a guess, I suspect
something changed between the March ENs and April 6 in how the mailer
treats cross-posts. Looks like something changed in the two weeks between
March 22 and April 6.

Mr. Postmaster???



> On Apr 18, 2022, at 12:57 PM, Kevin Oberman <rkoberman@gmail.com> wrote:
>
> As per the FreeBSD Security Information web page
> <https://www.freebsd.org/security/>, security notifications are sent to:
>
>    - FreeBSD-security-notifications@FreeBSD.org
>    - FreeBSD-security@FreeBSD.org
>    - FreeBSD-announce@FreeBSD.org
>
> This policy has lately been ignored. No postings show up in the archives
> of FreeBSD-security-notifications@FreeBSD.org since January. Likewise for
> freebsd-announce. The only list showing the April 6 announcements is this
> one, freebsd-security@freebsd.org.
>
> In the past, Security Announcements and Errata Notes have also been copied
> to the stable and current lists as appropriate, although this is not
> mentioned.  This delayed the update of my systems by several days.
> Fortunately, only one of these vulnerabilities was relevant to my systems.
>
> Even though the announcements are almost 2 weeks old, it is still likely
> that some people are unaware of them, so I would strongly urge that they be
> posted to, at least, FreeBSD-Announce and FreeBSD-Stable lists.
>
> In passing, I will note that the same issue appears to be occurring with
> posts of Errata Notices.
> --
> Kevin Oberman, Part time kid herder and retired Network Engineer
> E-mail: rkoberman@gmail.com
> PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
>
>
>

-- 
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683