For sysadmins that want to know as soon as possible about issues which
are deemed patch-worthy (security vulnerabilities, critical
reliability issues), what is the "best" way to stay on top of these
issues as they are resolved?

The canonical source of information seems to be errata.html, which does
tend to be updated quickly as the patch becomes available. To keep
track of this, it requires the user to access the page and look for a
new patch which may apply to him.

One could also monitor commits to CVS and while reliable, it becomes a
bit more difficult to pick the critical from some of the rest of it.

There's also a vuxml setup for OpenBSD at
http://www.vuxml.org/openbsd/index.html, which appears to be
independently maintained and doesn't stay sufficiently updated to be
used as an alerting mechanism.

Then, as outlined in release announcements, "Security patch
announcements are sent to the [EMAIL PROTECTED] mailing
list." This method is preferred by a lot of people so they get some
kind of proactive notification of potentially impactive problems.
Patch announcements do make it to the list, some as early as 1 day
after patch announcement, others 14 days after patch. The possible
advantage over errata.html though is you get notified even if you've
lapsed in checking out the web page. On the flip side, this requires a
developer to take time and craft the message and send it, so the onus
is on the project to do the work.

DS
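
The manual check of errata.html described in the post can be scripted. The following is an added example, not part of the original message or of the OpenBSD project's tooling. The page layout it parses (one `<li id="...">` per patch with a `<strong>` heading of the form "NNN: KIND FIX: date"), the sample entries, and the names `parse_errata` and `check` are assumptions made for illustration.

```python
import json
import re
from pathlib import Path

# Constructed sample, not real errata. Assumed layout: one <li id="..."> per
# patch whose <strong> heading reads "NNN: <KIND> FIX: <date>".
SAMPLE = """
<ul>
<li id="p001_exampled"><strong>001: RELIABILITY FIX: January 5, 2000</strong>
 <i>All architectures</i><br>A constructed daemon could crash.</li>
<li id="p002_examplelib"><strong>002: SECURITY FIX: January 9, 2000</strong>
 <i>All architectures</i><br>A constructed library flaw.</li>
<li id="p003_exampledoc"><strong>003: DOCUMENTATION FIX: January 12, 2000</strong>
 <i>All architectures</i><br>A constructed manual page error.</li>
</ul>
"""

ENTRY = re.compile(
    r'<li id="(?P<id>[^"]+)">\s*<strong>(?P<num>\d+):\s*(?P<kind>[A-Z ]+?) FIX:'
    r'\s*(?P<date>[^<]+)</strong>', re.S)

def parse_errata(html):
    """Return one dict (id, num, kind, date) per errata entry in the page."""
    return [m.groupdict() for m in ENTRY.finditer(html)]

def check(html, state_path, kinds=("SECURITY", "RELIABILITY")):
    """Return patch-worthy entries not seen before and record them as seen."""
    state = Path(state_path)
    seen = set(json.loads(state.read_text())) if state.exists() else set()
    entries = parse_errata(html)
    fresh = [e for e in entries if e["id"] not in seen and e["kind"] in kinds]
    # Remember every entry, including ignored kinds, so nothing re-alerts.
    state.write_text(json.dumps(sorted(seen | {e["id"] for e in entries})))
    return fresh

if __name__ == "__main__":
    import os
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "seen.json")
    for e in check(SAMPLE, path):
        print(f'{e["num"]} {e["kind"]} ({e["date"].strip()}) {e["id"]}')
```

Run from cron against a fetched copy of the page, the list returned by `check` is what would be mailed to the administrator; an empty list means nothing new.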
