Date: Mon, 4 Aug 2003 16:13:37 -0700 (PDT)
From: Mike Hoskins
To: security@freebsd.org
In-Reply-To: <20030804210016.GB10339@madman.celabo.org>
Message-ID: <20030804160226.R88481@fubar.adept.org>
References: <200308040004.h7404VVL030671@freefall.freebsd.org>
 <20030804101130.GA51954@cirb503493.alcatel.com.au>
 <3F2E1B42.8BDE2215@grosbein.pp.ru>
 <20030804085018.GA24017@rz-ewok.rz.uni-karlsruhe.de>
 <3F2E1B42.8BDE2215@grosbein.pp.ru>
 <20030804210016.GB10339@madman.celabo.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath

On Mon, 4 Aug 2003, Jacques A. Vidrine wrote:
> > May I suggest that in future, when a release is not vulnerable due to
> > code rewrites or similar, this fact be explicitly mentioned. IMHO,
> > it's far better to err on the side of caution when dealing with
> > security issues.

That's true, but I can also see KISS. If you add more data than
absolutely needed, confusion may also arise. I'm not defending either
viewpoint (or saying that'd occur in this case), just pointing out
possible motivations for the current format.

> I think that if one takes the `Affects' lines (and the rest of the
> advisory) at face value, without second-guessing, that it is crystal
> clear what versions of FreeBSD are affected. But of course I would
> :-)

By now I would have hoped something as crucial as security advisories
for well-accepted operating systems would be fairly standardized. Of
course, some "vendor customization" is to be expected/needed, but is it
flame bait to ask "What do all the big boys do?" By that, I simply
mean, how are the advisories for things like Solaris, IRIX, HP-UX, etc.
handled?

Wouldn't it behoove everyone if advisories were as "familiar" as
possible? Along those lines, I'd expect to see similar field labels,
content, etc. If that's just plain silly, it wouldn't be the first time
my expectations were wrong... But it does seem like fairly common sense.

-mrh

--
From: "Spam Catcher"
To: spam-catcher@adept.org
Do NOT send email to the address listed above or
you will be added to a blacklist!