Date: Thu, 13 Jul 2000 14:12:42 -0700
From: Bengt Richter <bokr@accessone.com>
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
Message-ID: <3.0.5.32.20000713141242.0093fbc0@mail.accessone.com>
In-Reply-To: <Pine.NEB.3.96L.1000713153609.71313A-100000@fledge.watson.org>
References: <4.3.2.7.2.20000713132400.04b73af0@localhost>

At 15:42 2000-07-13 -0400 Robert Watson wrote:
[...]
>Here's a recent sample:
>
>Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:29.wu-ftpd
>
>What information could we add here that would improve things?  Teaching
>someone the distinction between "FreeBSD Ports Security Advisory" and
>"FreeBSD Security Advisory" should not be that difficult, as the
>distinction between the base system and ports is important.  The
>difference manifests in degree of support, integration with the base
>system, security auditing level, and install/update mechanism.
>Understanding that distinction is essential to day-to-day management of
>the system.  The advisory is careful to identify precisely the software
>that is vulnerable, how to tell if you are vulnerable, and available
>fixes, work-arounds, etc.  I'm not sure we can really ask much more.
>

(1) How about some simple categorization in the subject line, e.g.,

    Subject: FreeBSD Ports(SysUtil) Security Advisory: FreeBSD-SA-00:29.wu-ftpd
vs
    Subject: FreeBSD Ports(Game) Security Advisory: FreeBSD-SA-...some-game
etc.

(2) Also, perhaps s/Ports/Optional Port/ to reinforce the idea that ports
are not a part of FreeBSD per se (and that a particular advisory is talking
about a particular port in the singular), for the panic-prone folks
described, who don't get to the disclaimer etc. before it's too late.

(3) If you want to get fancy, add tagged lines in the advisory itself
tailored for automatic extraction and (safe :) use in facilitating scripted
verification of whether the receiving system had the vulnerable software
installed, or had the problem patched and fixed. With system log entry, and
optional email emitted about the check performed. Seems like an
SA-Evaluation daemon job, acting on emails filtered to it?

Regards,
Bengt Richter
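
The scripted check proposed in point (3), sketched as an added example that is not part of the original message or of any FreeBSD tooling. The `X-SA-*` tag names, the version numbers and the installed-ports table are hypothetical, constructed for illustration; tag values are treated strictly as data and never handed to a shell.

```python
import re

# Constructed sample advisory. The "X-SA-*" tag names and the
# version "1.2.3" are hypothetical, not taken from a real advisory.
SAMPLE_ADVISORY = """\
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:29.wu-ftpd
X-SA-Id: FreeBSD-SA-00:29
X-SA-Port: wu-ftpd
X-SA-Fixed-In: 1.2.3

The advisory text follows here.
"""

# Whitelist both the tag names and the value alphabet, so a hostile
# advisory cannot smuggle shell metacharacters or overlong values.
TAG = re.compile(r"X-SA-(Id|Port|Fixed-In): ([A-Za-z0-9._:+-]{1,64})")

def parse_tags(text):
    """Extract tagged lines as plain data; off-pattern lines are ignored."""
    tags = {}
    for line in text.splitlines():
        m = TAG.fullmatch(line)
        if m and m.group(1) not in tags:  # first occurrence wins
            tags[m.group(1)] = m.group(2)
    return tags

def version_key(version):
    """Naive comparison key: the numeric components of a dotted version."""
    return [int(part) for part in re.findall(r"\d+", version)]

def evaluate(text, installed):
    """Return one log line; installed maps port name -> installed version."""
    tags = parse_tags(text)
    if not {"Id", "Port", "Fixed-In"} <= tags.keys():
        return "unparseable: advisory lacks required tags"
    port, fixed = tags["Port"], tags["Fixed-In"]
    have = installed.get(port)
    if have is None:
        status = "not installed"
    elif version_key(have) < version_key(fixed):
        status = f"VULNERABLE (installed {have}, fixed in {fixed})"
    else:
        status = f"patched (installed {have})"
    return f"{tags['Id']} {port}: {status}"

if __name__ == "__main__":
    # Constructed inventory standing in for the real package database.
    print(evaluate(SAMPLE_ADVISORY, {"wu-ftpd": "1.2.2"}))
```

A real evaluation daemon would also need to verify the advisory's signature before trusting any tag, since the mail it acts on is attacker-reachable input.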