# Mailing list "announce" missing Security Advisories?



## A-4 (Mar 16, 2022)

I am subscribed to mailing list _announce_ since 22-Feb-2022 and have received 5 errata notices, and the "FreeBSD 12.2 end-of-life" mail.

However, I haven't received the security advisories: 2022-03-15 FreeBSD-SA-22:03.openssl and 2022-03-15 FreeBSD-SA-22:02.wifi.

So I went looking at the archives at lists.freebsd.org/archives/


> freebsd-announce/-2022-Mar-16 12:05


So the last message date is 2022-Mar-16 12:05?

However at lists.freebsd.org/archives/freebsd-announce/2022-March/index.html


> 2 messages: Starting Tue Mar 01 2022 - 04:38:57 UTC, Ending Fri Mar 11 2022 - 02:05:29 UTC
> sort by: [ thread ] [ author ] [ date ] [ subject ]
> Other periods:[ Previous, Thread view ] [ List of Folders ]
> 
> ...


And there, nothing past 11 March is listed. Is this because it's moderated or is that a bug?
In bugzilla I found something maybe related:
Bug 261168 - Delayed or non-appearance of e-mails at lists.freebsd.org/archives/

Searching further, the security advisories are visible in the _security_ mailing list.


> 5 messages: Starting Tue Mar 01 2022 - 22:39:59 UTC, Ending Tue Mar 15 2022 - 19:29:17 UTC
> sort by: [ thread ] [ author ] [ date ] [ subject ]
> Other periods:[ Previous, Thread view ] [ List of Folders ]
> 
> ...


According to the FreeBSD Security Information page:


> Advisories affecting the base system are sent to the following mailing lists:
> 
> FreeBSD-security-notifications@FreeBSD.org
> FreeBSD-security@FreeBSD.org
> FreeBSD-announce@FreeBSD.org


And in security-notifications there's also no security advisory listed.

The previous security advisory 2022-01-11 FreeBSD-SA-22:01.vt I can find in all 3 mailing lists.

Are the security advisories still underway waiting approval or did something go wrong?


----------



## SirDice (Mar 16, 2022)

A-4 said:


> Are the security advisories still underway waiting approval


If they were still waiting for approval they wouldn't have been posted to the website and made available through freebsd-update(8). The fact you can install the patches means they've been approved. I'm sure the announcements will come through shortly. Maybe something went wrong with the script that posts them.


----------



## A-4 (Mar 16, 2022)

SirDice said:


> The fact you can install the patches means they've been approved.


Sorry for not being clear.
What I meant was: Is the mail concerning the security advisory to the mailing list just delayed because it's waiting for approval from a mailing list moderator?


----------



## SirDice (Mar 16, 2022)

A-4 said:


> Is the mail concerning the security advisory to the mailing list just delayed because it's waiting for approval from a mailing list moderator?


Don't know, can't tell. But the fact they haven't appeared on the announce mailing list suggests they're stuck somewhere.


----------



## chrbr (Mar 16, 2022)

This is not about mail but newsgroups. The latest advisories have been posted already to comp.unix.bsd.freebsd.announce. That channel of information has been reliable in the past, too.


----------



## mer (Mar 16, 2022)

Do security things wind up on announce or on security-notifications?


----------



## SirDice (Mar 16, 2022)

mer said:


> Do security things wind up on announce or on security-notifications?


They should also appear on announce. Just look at the previous month for the previous errata/security issues.


----------



## Erichans (Mar 16, 2022)

A-4 said:


> I am subscribed to mailing list _announce_ since 22-Feb-2022 and have received 5 errata notices, and the "FreeBSD 12.2 end-of-life" mail.
> 
> However, I haven't received the security advisories: 2022-03-15 FreeBSD-SA-22:03.openssl and 2022-03-15 FreeBSD-SA-22:02.wifi.


I've received in my e-mail (same country-NL):
FreeBSD Security Advisory FreeBSD-SA-22:03.openssl  --  "15 March, 2022 20:29", 
FreeBSD Security Advisory FreeBSD-SA-22:02.wifi  -- "15 March, 2022 20:29"

I've also received the mentioned 5 errata notices on 15 March; my only subscription is to freebsd-announce@FreeBSD.org


----------



## SirDice (Mar 16, 2022)

Maybe it's just the mailing list browser that needs a kick, perhaps it hasn't picked up new posts yet.


----------



## A-4 (Mar 16, 2022)

chrbr said:


> This is not about mail but newsgroups. The latest advisories have been posted already to comp.unix.bsd.freebsd.announce. That channel of information has been reliable in the past, too.


Thank you, I'll keep it in mind.


Erichans said:


> I've received in my e-mail (same country):
> FreeBSD Security Advisory FreeBSD-SA-22:03.openssl  --  "15 March, 2022 20:29",
> FreeBSD Security Advisory FreeBSD-SA-22:02.wifi  -- "15 March, 2022 20:29"


Thank you for mentioning this. Maybe my mail provider (KPN) thought that more than 5 mails in the same minute is spam? I'll add announce to my gmail account and see if in the future things go missing again.

Edit: Just noticed I didn't get the mail FreeBSD Quarterly Status Report - Fourth Quarter 2021 Joseph Mingrone either. 



SirDice said:


> Maybe it's just the mailing list browser that needs a kick, perhaps it hasn't picked up new posts yet.


I still think it's weird that the archive for announce is not (yet?) up to date, when for example archive ports-all has mail just over 2 hours old.


----------



## Erichans (Mar 16, 2022)

It is (now) on FreeBSD Security Advisories.
I don't know when it first appeared on that webpage and I don't know if that has been put there manually or "scripted in".

(My mail provider is not KPN)


----------



## SirDice (Mar 16, 2022)

Erichans said:


> I don't know when it first appeared on that webpage


It was there yesterday. I know because I double-checked, I was wondering why there hadn't been any posts in the "Blogs and news" section yet.


----------



## grahamperrin@ (Mar 16, 2022)

Erichans said:


> 5 errata notices on 15 March



Nit:

three errata notices (`Reply-To: freebsd-stable@`)
two security advisories (`Reply-To: freebsd-security@`)
– I received all five via e-mail.

`Return-Path: <freebsd-announce+bounces-⋯`

…
Re: FreeBSD Errata Notice FreeBSD-EN-22:11.zfs
…
FreeBSD Security Advisory FreeBSD-SA-22:02.wifi
FreeBSD Security Advisory FreeBSD-SA-22:03.openssl


----------



## Erichans (Mar 16, 2022)

I misappropriated one, sorry. The last Errata Notice received per e-mail:
FreeBSD Errata Notice FreeBSD-EN-22:11.zfs [REVISED]  --  "16 March, 2022 01:10"


----------



## grahamperrin@ (Mar 16, 2022)

A-4 said:


> … I didn't get the mail FreeBSD Quarterly Status Report - Fourth Quarter 2021 Joseph Mingrone either. …



Received here:


----------



## grahamperrin@ (Mar 16, 2022)

chrbr said:


> This is not about mail but newsgroups. …



chrbr please, did you mean the opposite?


----------



## chrbr (Mar 16, 2022)

Good evening grahamperrin,
when I read my post now it is really unclear. I meant the following text about comp.unix.bsd.freebsd.announce. This is a newsgroup available on NNTP servers one can communicate with news/slrn or news/tin or so. The topic of the thread is about mail. I just wanted to show a different medium. Nowadays NNTP has lost importance but it is still an efficient way of communication.
Please excuse me for being so unclear.


----------



## A-4 (Mar 16, 2022)

Erichans said:


> I misappropriated one, sorry.


Whoops, me too. Let's just say I'm in UTC-1. 

This is all I've received so far from the mailing list announce:



(Local time is UTC+1.)
I've checked spam, searched my whole mailbox, nothing more. And I never delete anything.

It's just a private server (running happily since FreeBSD 10.0) so missing a security mail isn't really a big problem. Now that I know mails sometimes get misappropriated by demons I'm warned and I'll check other sources regularly.
I've also added my Gmail account to announce so I've got some redundancy.

Now I just need to wait and see when and if the announce archives get the mails. Then I can be sure there's access to a complete backlog. If not I'll check the newsgroup recommended by chrbr.



chrbr said:


> when I read my post now it is really unclear.
> news/slrn or news/tin


Actually, I got it. 
Thanks for the port suggestions.

Thank you, to everyone helping me solve my problem.


----------



## grahamperrin@ (Mar 16, 2022)

Thanks, now it's interesting: 



chrbr said:


> The latest advisories have been posted already to comp.unix.bsd.freebsd.announce. That channel of information has been reliable in the past, too.



Not reliable here, maybe it's my choice of server. What's yours?


----------



## A-4 (Mar 16, 2022)

Here, on my paid news server. The newsgroup works great.


----------



## chrbr (Mar 16, 2022)

Please see below a screenshot taken with scrot. The latest advisories do now have the green -100. The -100 is the score due to age. All posts have been read already.


----------



## grahamperrin@ (Mar 16, 2022)

`freenews.netfront.net` here. The tin view of things is, at a glance, no different from the Thunderbird view:



none of this year's errata notices or security advisories
– if I'm not mistaken, fifteen or more items are not present.

chrbr please, which NNTP server do you use? Now I see, `news.tota-refugium.de`


----------



## A-4 (Mar 16, 2022)

grahamperrin said:


> free here.


That's the problem with free news-servers, pay a _few_ € or $ and all demons vanish. I pay €6,50 a month for a proper news-server. I just noticed the retention went up from 2500 to 4200 days for my paid news-server thanks to chrbr.


----------



## grahamperrin@ (Mar 16, 2022)

`news.tota-refugium.de` requires authentication, can anyone suggest a freely available NNTP server that's more likely to receive the security advisories and so on? 

Thanks. 



A-4 said:


> problem with free news-servers,



So some servers silently fail to receive news?


----------



## chrbr (Mar 17, 2022)

To register at news.tota-refugium.de it should be possible at https://register.tota-refugium.de/. The little page is in German only. I did not find a *.org, *.co.uk or so. There are two fields to fill out.

Login - I do not remember, it could be the name or so.
E-Mail - The server will send the data for access to that address. With this information it should be possible to use the NNTP server.
I have registered years ago. As far as I remember there have been no problems at all.
A list of NNTP servers is https://curlie.org/Computers/Usenet/Public_News_Servers. A popular one is described here: http://www.eternal-september.org/


----------



## A-4 (Mar 17, 2022)

grahamperrin said:


> So some servers silently fail to receive news?


Yes, see completion.

My experience with free news servers dates back over a decade, and text based groups even further back. Free usenet used to be a best effort service and par2 had to be used regularly for binaries. Providing 10% par2 files was more or less the rule. Less popular groups weren't even indexed.
Because usenet grows somewhat exponentially, free usenet gets more expensive to keep running, paid usenet keeps getting better and more affordable to use. So currently few free ones are left.



grahamperrin said:


> can anyone suggest a freely available NNTP server that's more likely to receive the security advisories and so on?


Long, long ago, internet providers also provided usenet access to their customers. No idea if they still do.
Eternal september is according to their site only indexing text based news groups, so I'd think they provide proper completion. 
Just did a search on their website for FreeBSD and lots of groups showed up but _announce_ has - if it's up to date - zero posts. _mailing.freebsd.announce_ has apparently 346 posts, but on my news-server _mailing.freebsd.*_ doesn't have any posts past 2016.


----------



## SirDice (Mar 17, 2022)

A-4 said:


> Long, long ago, internet providers also provided usenet access to their customers. No idea if they still do.


They rarely do nowadays, at least here in the Netherlands. I think the only notable exception is XS4All, they still give you access to their "newszilla" usenet servers (has a very high retention, even on the binary groups) with their internet accounts. But I see that KPN (company that bought XS4ALL a while back) will switch it off some time this year.


----------



## mendenlama (Mar 17, 2022)

For what it is worth: there is Google Groups https://groups.google.com where you may access old and deceased as well as running usenet newsgroups.
See for example: https://groups.google.com/g/comp.unix.bsd.freebsd.announce


----------



## grahamperrin@ (Mar 17, 2022)

mendenlama said:


> https://groups.google.com/g/comp.unix.bsd.freebsd.announce



Thanks, I forgot that Google can be an interface. 

In addition to security advisories and errata notices: 

<https://groups.google.com/g/comp.unix.bsd.freebsd> at a glance, nothing more recent than April 2005, I guess that things fell into disuse at this level
<https://groups.google.com/g/comp.unix.bsd.freebsd.misc> includes what's pictured behind the spoiler at <https://forums.freebsd.org/posts/556336>


----------

