Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)

* Herwig Wittmann <herwig-amazon@atnet.at> [050714 17:58]:
> I am trying to understand if my organization can rely on the debian
> security announcement mailing list as only source of security alerts in
> the future.

I think even when there are no temporary problems with the security
infrastructure, this is not enough. Debian's security announcement
list (and I think most other vendors' lists) only announce new
patched or updated packages.
More important is to know if you are vulnerable. Not every service
is vital, many things can be worked around temporarily, or made
impossible due to local circumstances. And as long as it is not
a vulnerability found in an audit and only told to the security teams,
the time between these two events (knowledge about the problem
and availability of updated packages) is non-zero even with a perfect
security team.

	Bernhard R. Link