Date: Thu, 13 Jul 2000 12:31:18 -0600 (MDT)
From: "David G. Andersen" <dga@POBOX.COM>
To: security@freebsd.org
Subject: Re: Two kinds of advisories?
Message-ID: <200007131831.MAA23590@faith.cs.utah.edu>
In-Reply-To: <4.3.2.7.2.20000713122244.00b06410@localhost> from "Brett Glass" at Jul 13, 2000 12:26:06 PM

Lo and behold, Brett Glass once said:
>
> Many of them don't read the disclaimers because they're scanning the
> subject lines. When they see one with "FreeBSD" in it, some of them
> call in a panic. They often don't read the message because they
> believe that they won't understand it.
>
> Yes, I know, it'd be nice if they weren't so clueless about computer
> security and FreeBSD, but then, they're experts in their own fields,
> which WE don't know much about. Instead of writing them off, why
> not make the subject lines clearer?

Because they're already clear. It says "FreeBSD" - it's related to FreeBSD, and if you run FreeBSD, you'd damn well better read the message. It says "Ports" - it has to do with the FreeBSD ports collection. Inside the message, you find a description of the problem. You say, "Oh, I don't run setuid-emacs-with-gaping-security-hole, so I'm safe."

That's exactly the process that *should* occur. If people immediately disregard it because it's a ports advisory, they're shooting themselves in the foot if they run any ports. If they don't, they can be happy and relax after 3 seconds of reading the advisory.

The label is accurate. Don't fix something that isn't broken.

-Dave

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message