Subject: Making Security Fixes more publicly available.
To: None <tech-security@NetBSD.ORG>
From: Rick Byers <rickb@iaw.on.ca>
List: tech-security
Date: 08/16/1997 15:57:44
Hi, 

At work, I run a NetBSD that must be as stable and secure as possible. 
Unfortunately, those two requirements conflict for trying to decide what
version to run.  NetBSD-current is probably the most secure (most up to
date fixes), but NetBSD-release is most stable.  We're currently running
1.2.1, and I run -current at home.  I try to watch the netbsd-bugs list
(and other lists like bugtraq) for anything security related, and apply
the appropriate patch.  However, I think many things slip through.  

Today I did a search of source-changes for "overflow" and "overrun", and
found a number of fixes for ftp and ftpd.  If we want NetBSD to be more
usable in a professional environment, I think we need to pay more
attention to security related bugs.  Ideally, when anything security
related was fixed in -current, a patch could be made available for the
most current release, and a message posted to one of the lists (maybe even
-announce, or maybe a new list).  The /pub/NetBSD/misc/security directory
on the ftp site has one patch file.  The biggest problem with this is that
it makes our vulnerabilities easily available to the wrong people.
However, I would much rather make the information available to everyone
than to no-one.

Realistically, I would be happy with a flag in source-changes that I could
search for that indicates it's security related, and some way to get the
changes (either public CVS access, or just an attached diff).  

What do you think?
			Rick

=========================================================================
Rick Byers                                      Internet Access Worldwide
rickb@iaw.on.ca                                System Admin, Tech Support
Welland, Ontario, Canada                                    (905)714-1400
http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/