by rascul 1330 days ago
It's useless because I don't know if I need to care. Vulnerabilities in openssl are nothing new so as far as I know this is just par for the course, and I get nothing out of it as of yet.

... and an announcement like this is a fairly strong message of "assume you need to care"
I'm not going to assume anything with regard to a future release I have no details about.
So what do you propose is the alternative? Not tell you about the vulnerability at all until a patch is released? Publish all the details about the vulnerability before a patch is available?

Seriously, what are you complaining about?

I just want actionable information is all. If I have to wait a couple days, fine. Giving me vague information I can't do anything with is useless.
"be prepared to update affected systems at $point_in_time" seems actionable to me. You for some reason thinking that such a warning doesn't warrant taking the recommended action doesn't mean it isn't actionable, it means you choose to ignore it.
An update is nothing special that I have to be prepared for. I do it all the time across all my systems, and it's largely automated. If a single update is such a burden that you must prepare days in advance for it, then perhaps there's room to improve the processes.
I spent a few minutes checking my cmdb for openssl3, and have allocated 30 minutes on Tuesday to upgrade the few machines that have openssl3.

When corporate infosec starts to panic, probably about Thursday based on the jndi issue, I'll be able to point them to our log which shows how it was handled.

> I just want actionable information

Which is, according to TFA, being released on 1 Nov., and according to my calendar, is in 3 days... Problem solved?

I'm not yet convinced there's a problem.
The detail that it patches a critical vulnerability should be enough for you to assume you should care, assuming you care about security.