FreezerBurn.org: Important: vendor updates are for you!
Jan 22, 2001, 08:09
(Other stories by Vincent Danen)
[ Thanks to RBM for this link. ]
"Most vendors have a security department or team. These security teams do a number of things for various vendors, but not all vendors go to the same extent. For example, LinuxPPC is just now releasing updates for things that were fixed by most vendors about six months ago. TurboLinux had a security team, but it looks like it was cut (least important department in management's eyes?). Linux-Mandrake has a security team that deals with a number of areas: Security Updates (which I deal with for MandrakeSoft, in case anyone didn't know), hardening of the distribution itself, development of new security tools, and the upcoming Internet Security Pack (aka firewall product, currently in beta testing). RedHat issues security updates. Immunix does the same... in fact, a number of recent advisories were due to some internal auditing on their behalf. SuSE does the same. Debian as well... there are most likely others, but these are the ones I deal with on a semi-regular basis, so I think I can confidently say that these distributions (RedHat, SuSE, Debian, Immunix, and of course Linux-Mandrake) have good security teams that do varying degrees of security work."
"Of course, the security teams for any given vendor can only do so much. We can find, identify, fix, and make updated packages for vulnerabilities, but it is up to you, the end user, to apply them. Typically we make this as easy as possible to do. Linux-Mandrake uses MandrakeUpdate, a tool that will automatically install updates and make you aware of the problems associated with them. Other distributions have similar tools or rely on mailing list messages in security mailing lists to advise users of updated packages. All of this is made available for the end user... you. More often than not, we cannot force you to update your systems or even recommend that you do. That's one of the side-effects of a freely downloadable and usable operating system. We can't possibly know who is using what, or what version."