From owner-freebsd-audit  Sat Dec  4 23:53: 6 1999
Delivered-To: freebsd-audit@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133])
	by hub.freebsd.org (Postfix) with ESMTP
	id C24F214EF4; Sat,  4 Dec 1999 23:53:00 -0800 (PST)
	(envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1])
	by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id JAA15703;
	Sun, 5 Dec 1999 09:50:25 +0200 (SAST)
	(envelope-from mark@grondar.za)
Message-Id: <199912050750.JAA15703@gratis.grondar.za>
To: Kris Kennaway <kris@hub.freebsd.org>
Cc: audit@FreeBSD.ORG
Subject: Re: Closed list policy? 
Date: Sun, 05 Dec 1999 09:50:25 +0200
From: Mark Murray <mark@grondar.za>
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I was wondering whether it would be smarter to have a closed list policy
> here, to prevent just anyone (read: evil people) from subscribing and
> getting early notification about vulnerabilities before they're patched
> (which may take several days). Obviously we still should have a full
> disclosure policy, but it gives ourselves time to fix bugs properly.

We are really supposed to be taling about _how_ we do the audit,
and results thereof, not the actual details.

The dirty details should be on -security, -arch, -current or -security-officer,
as appropriate.

What should be here is "I have finished foo(1), and it is now clean
of all bar/baz/qux problems that I could find.".

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message