From owner-freebsd-security Thu Jul 13 12:43:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 8118B37B8F5 for ; Thu, 13 Jul 2000 12:43:10 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id PAA71708; Thu, 13 Jul 2000 15:42:52 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Thu, 13 Jul 2000 15:42:52 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Brett Glass
Cc: Susie Ward , security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
In-Reply-To: <4.3.2.7.2.20000713132400.04b73af0@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 13 Jul 2000, Brett Glass wrote:

> At 01:08 PM 7/13/2000, Susie Ward wrote:
>
> >If they don't understand it, then maybe you shouldn't be encouraging
> >them to join bugtraq, but I am curious what you'd like to see the
> >subject lines say?
>
> I think it would help if they listed the name of the PORT first, and
> then mentioned something about the FreeBSD security team or port
> maintainers finding the problem.

Wait, I thought that activity was restricted to application developers,
14-year-old code hackers and attention-starved start-up security companies
looking for a quick buck.

But seriously. I think the current advisory subject line accurately
reflects the situation: we distributed a piece of security-hole-ridden
third-party software in the ports collection. As the vehicle by which
people got the software, we have a responsibility to notify them of
security problems of which we are aware. So "FreeBSD Ports Security
Advisory" perfectly reflects this concern.
Here's a recent sample:

  Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:29.wu-ftpd

What information could we add here that would improve things? Teaching
someone the distinction between "FreeBSD Ports Security Advisory" and
"FreeBSD Security Advisory" should not be that difficult, as the
distinction between the base system and ports is important. The difference
manifests in degree of support, integration with the base system, security
auditing level, and install/update mechanism. Understanding that
distinction is essential to day-to-day management of the system.

The advisory is careful to identify precisely the software that is
vulnerable, how to tell if you are vulnerable, and available fixes,
work-arounds, etc. I'm not sure we can really ask much more.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services