From: Oliver Eikemeier
To: Jacques A.Vidrine
Cc: FreeBSD-vuxml@FreeBSD.org
Date: Mon, 23 Aug 2004 17:21:20 +0200
Subject: Re: portaudit wishlist
In-Reply-To: <941610FA-F515-11D8-8CAA-00039312D914@fillmore-labs.com>
Message-Id: <15E125E6-F518-11D8-8CAA-00039312D914@fillmore-labs.com>
List-Id: Documenting security issues in VuXML

[...]

>>>> Yes, I think it is misleading to apply such tags which a user might
>>>> take as an absolute judgement when in fact they just need to read the
>>>> description.
>>>
>>> Not everyone has the time to review every description. Besides, the
>>> description might be as wrong or misleading as the tags mentioned. If
>>> you say "users have to understand the system fully or they shouldn't
>>> run the software" you basically state "FreeBSD is only for experts".
>>> I'm just trying to make some often asked questions machine readable.
>>> For example when I run portaudit on a server with no users, I might
>>> decide to care for local exploitable vulnerabilities only every
>>> Friday, while I have to handle remote exploitable vulnerabilities
>>> immediately. This system is not perfect, but usable. You give users
>>> basically no way to filter the information, which would be a valuable
>>> feature. On one hand you state users have to be knowledgeable to run
>>> a system, on the other you claim they might take tags `as an absolute
>>> judgement'. In this case reading the (possibly wrong) description
>>> might not improve anything.
>>
>> Your ``reasoning'' makes me dizzy.
>>
>> Look Oliver, knock yourself out: come up with your own severity rating
>> scheme and implement it. Stop bugging the security team to do it,
>> I've already explained that we will not at this time.
>
> Ok, back to my own database specification then? We have just a
> different view on our user base, and I think you fail to address some
> needs. Not everybody is a purist here, some `just want to have the job
> done', even when this means to err once or twice.

Thinking a little about it, I believe this should be discussed in a
place where portaudit users are present, either ports@ or security.
freebsd-vuxml@ has too few subscribers to get a useful picture of what
features desired by users are.

-Oliver