[ previous ] [ next ] [ threads ]
 
 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Security Announcements
 Date:  Thu, 26 Aug 2004 22:50:02 -0700 (PDT)
On Fri, 27 Aug 2004, Brian McKerr wrote:

> how does the m0n0wall community get notified of any security fixes ?
> how are these fixes/patches released etc, are we expected to use the 
> beta versions in production ? if that is where the patches are applied.
> As m0n0 is based on FreeBSD are we (users) expected to keep up to date 
> with those security announcments and determine if they are applicable ? 
> If so, thats cool.

Considering m0n0wall is only on its second "release" version, it shouldn't
be surprising that it doesn't have that kind of mechanism yet. :-)

Yes, it would probably make sense to have a "patch branch" vs. a "beta
branch", with the former only having critical bug fixes.  Though the
definition of "critical" is in the eye of the beholder. :-)

> I am slightly surprised that there are apparently no bugs in m0n0 or at 
> least none have been announced.

A number of bugs have been *discussed* (one right here just recently),
though they usually tend to be functionality problems rather than security
issues.

FreeBSD security fixes cover the whole range of components included in the
release.  Since m0n0wall only uses a small fraction of those, only a small
fraction tend to be applicable.  For example, m0n0wall doesn't have to
worry about the libpng exploits. :-)

					Fred Wright