Date: Mon, 23 Aug 2004 17:10:10 +0200
From: Oliver Eikemeier
To: "Jacques A. Vidrine"
cc: freebsd-vuxml@FreeBSD.org
cc: Tom Rhodes
Subject: Re: making optional
In-Reply-To: <20040823141803.GN27355@madman.celabo.org>
Message-Id: <86914F26-F516-11D8-8CAA-00039312D914@fillmore-labs.com>
List-Id: Documenting security issues in VuXML

Jacques A. Vidrine wrote:

> On Sun, Aug 22, 2004 at 11:56:42PM +0200, Oliver Eikemeier wrote:
>> Jacques A. Vidrine wrote:
>> 60 (in words: sixty) entries in portaudit have the description `Please
>> contact the FreeBSD Security Team for more information'. There are
>> references, so when you care to add a quote, feel free, in fact this
>> might be a job for the security team. You can frown on them as often as
>> you like, the question is whether you just want to have an optional
>> entry as an easy to spot sign that an editor is needed,
>> or
>> if you prefer to search for
>>
>> and similar constructs.
>
> I'm not sure what you are talking about. I don't see any such entries
> in VuXML ... but you said `portaudit' so maybe you are talking about
> your personal database?

I have supplementary databases that are as much `personal' as vuxml is.
The portaudit text database has been announced and documented as
mentioned in a previous discussion.

Anyway, I think making the entry optional would be the best solution,
but if you prefer a placeholder, we can keep `Please contact the FreeBSD
Security Team for more information'.

>>> However, I must admit that I have some doubt about the value of the
>>> date in any case. What I'd really like to hear are some
>>> arguments for keeping it or getting rid of it! I think it is useful
>>> information of itself to many reading VuXML content, and that combined
>>> with it provides a good metric about our response time. But I
>>> could be overestimating the value of it, and if it somehow puts people
>>> off to need to provide this information, then maybe it loses.
>>
>> Obviously we have a different opinion what is useful here. I expect most
>> users to be simple consumers, not security researchers. They need
>> information about the severity of a vulnerability, and maybe
>> remote/local exploitability, whoever cares about the discovery date
>> could check the references. Often I find the discovery date
>> entertaining, but not useful.
>
> So I'll take that as a vote for not keeping it (). Such
> a change (dropping required content) would need to take place in a
> `major' update e.g. VuXML 2.0. We'll revisit it then, maybe someone
> else will add some opinions before then.

Whatever you like. Simply using dummy values is fine with me.

-Oliver