From owner-freebsd-chat Thu Jul 25 23:57:06 1996
Return-Path: owner-chat
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA03035 for chat-outgoing; Thu, 25 Jul 1996 23:57:06 -0700 (PDT)
Received: from toadflax.cs.ucdavis.edu (toadflax.cs.ucdavis.edu [128.120.56.188]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA03028 for ; Thu, 25 Jul 1996 23:57:05 -0700 (PDT)
From: obrien@cs.ucdavis.edu
Received: from kongur (kongur.cs.ucdavis.edu) by toadflax.cs.ucdavis.edu (4.1/UCD.CS.2.6) id AA04531; Thu, 25 Jul 96 23:57:02 PDT
Received: by kongur (SMI-8.6/UCDCS.SECLAB.Solaris2-2.0) id XAA15249; Thu, 25 Jul 1996 23:57:57 -0700
Message-Id: <199607260657.XAA15249@kongur>
Subject: Cert's mis-opinions
To: FreeBSD-chat@FreeBSD.org (FreeBSD misc chating list)
Date: Thu, 25 Jul 1996 23:57:56 -0700 (PDT)
X-Pgp-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A
X-Pgp-Keyid: 34F9F9D5
X-Mailer: ELM [version 2.4 PL24 ME8b]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-chat@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

This is from CERT's choose_operating_sys (info.cert.org:/pub/tech_tips):

    Freely-Available vs. Commercial Software

    [..snip..]

    If you select freely available OS versions and don't have the
    resources to maintain software in-house, it's important to know that
    you could be placing your site at a high risk of compromise. This
    risk can exist because your site will not be receiving security
    patches on a regular basis from a vendor (or third party). In cases
    where intruders are exploiting a vulnerability, operating system
    vendors may have analyzed the vulnerability and released security
    patches for their operating systems. On the other hand, sites with
    freely available OS versions but without the expertise to develop
    and install patches may remain at risk from the vulnerability.

Yea, right! Linux maybe -- FBSD, no! I've seen more security patches
from FreeBSD, Inc. than I ever have from Sun. I'd say FreeBSD rivals
*every* commercial vendor out there. And since FBSD has one distribution
site, you know exactly where to come to for advisories and patches.

Jordan, maybe you could refute this bogus advice from CERT?

-- David (obrien@cs.ucdavis.edu)