Date: Thu, 13 Jul 2000 15:47:30 -0700 (PDT)
From: Justin Wolf
To: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]

> Except that we specifically modify ports to fit our environment
> ...

Ah, I didn't realize any changes beyond just making it compile were made. In the case of 'mrg' I would hold that FreeBSD had the bug, not mrg, so therefore it doesn't really apply to this thread.

I'm all for encouraging the value-add side of FBSD. I've been a proponent of it for many years and have seen it slip in favor to Linux due to the perceived "It's hard to use, it's not supported" reputation it has. So I wouldn't recommend pulling ports, but would instead, as you suggest, better educate the users to the liability of installing pre-compiled 3rd party software. Not that RTFM has ever worked in the past, but...

> Let's see -- we could just release software advisories for other people's
> software without discussing the relationship with FreeBSD, and appear just
> like the attention-grabbing pseudo-legitimate security organizations out
> there, or we could take responsibility for software we prepare, integrate,
> and distribute.

I didn't say we shouldn't take responsibility for things which are obviously due to FBSD's work. I was talking under the context that the fault was with the base code and had nothing to do with FBSD at all - the case where EVERY instance of the software had the same problem under ANY OS. This is still providing an advisory service to our users, and simultaneously doesn't provide anti-FBSD fodder for the less educated.

Anyway... I think this is starting to deviate from the initial problem.

-Justin