Date: Thu, 13 Jul 2000 17:04:32 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
To: Matt Heckaman <matt@ARPA.MAIL.NET>
Cc: Brett Glass <brett@lariat.org>, security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
Message-ID: <Pine.NEB.3.96L.1000713165904.71313D-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.21.0007131615460.68096-100000@epsilon.lucida.qc.ca>
On Thu, 13 Jul 2000, Matt Heckaman wrote:

> PORTS-SA:00:XX or whatnot. Keep the FreeBSD and Ports announcements
> strictly separate like that might not be a bad idea.

At the very least, it should be FBSD-PORTS-SA:00:XX, as it is our ports collection, not someone else's. And as "ports" and "packages" mean different things in the context of different operating systems, it would be equally deceiving to have people believe the problem was not associated with FreeBSD :-).

Besides which, in the past, at least a few of the security problems in the ports collection have had to do with the laziness or sloppiness of the porter: handing out root access to get kvm rights, or handing out kvm rights to get access to things available via sysctl, or just handing out setuid because the program required it under Linux, or for a feature that was only available under Linux anyway.

These are advisories about security problems in software distributed with FreeBSD. The nature of the problem is often specific to FreeBSD, as well as the details of it in practice, the fixes, and the work-arounds. Sometimes the security problem is *less* serious on our platform than other platforms. Especially on a list like bugtraq, which is a full disclosure list, it is important to provide all of the pertinent details, and specifically not be ambiguous about whether or not an advisory has to do with FreeBSD.

If your friends and clients are worried by the number of advisories coming out of FreeBSD, ask them if they'd feel more comfortable using another operating system where the bugs are well-known in the security (and hacker) communities, but aren't documented or fixed by the OS vendor.

In general, for every ports advisory coming out of FreeBSD, you should expect to see an advisory from the software author, as well as from most other BSD and Linux distributions. When you don't, that is a reason for concern. Clearly there are a few exceptions, but it's worth considering, and explaining to people.
Robert N M Watson
robert@fledge.watson.org   http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1000713165904.71313D-100000>