From owner-freebsd-security Thu Jul 13 15:50:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pebkac.owp.csus.edu (pebkac.owp.csus.edu [130.86.232.245]) by hub.freebsd.org (Postfix) with ESMTP id 3FCCC37BC72 for ; Thu, 13 Jul 2000 15:50:26 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu)
Received: from owp.csus.edu (mail.owp.csus.edu [130.86.232.247]) by pebkac.owp.csus.edu (8.9.3/8.9.3) with ESMTP id PAA70179; Thu, 13 Jul 2000 15:50:16 -0700 (PDT) (envelope-from joseph.scott@owp.csus.edu)
Message-ID: <396E4712.EC5888B@owp.csus.edu>
Date: Thu, 13 Jul 2000 15:47:46 -0700
From: Joseph Scott
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Justin Wolf
Cc: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Justin Wolf wrote:
>
> Maybe I missed it in this really long thread somewhere, but why do we have
> to say that it concerns FreeBSD at all? If it's a bug/hole in a port, it
> has nothing to do with FreeBSD except for the fact that the user MAY have
> installed this port, which of course comes from a third party, but was
> compiled by the FreeBSD organization.

This is one of those balancing acts. However, I believe it's important for a couple of reasons.

1. The method by which the person receives the at-risk program is from FreeBSD, i.e. I installed it from the ports collection. While the software itself is not developed by FreeBSD, the distribution method is. I imagine this is something similar to Toys'R'Us removing a dangerous toy from their shelves and telling the whole world about it. Toys'R'Us didn't make the toy, but they are responsible for making it available to the portion of the public that shops there.

2. The "why didn't I hear about this from you instead of a third party" case.
Some people get upset if it's their uncle who tells them they have a security hole instead of the vendor they got the OS from in the first place.

> Instead, how about just sending an email from the FreeBSD security
> 'organization' stating that a port has a bug/hole in it. No one assumes
> that CERT or BUGTRAQ have any security holes, but the products they alert
> about do. I think this type of advisory would provide the same
> information within a context that removes FreeBSD proper of having any
> connotation of holes itself. This also allows the complete removal of
> 'FreeBSD' in the subject altogether.

It's difficult to say if removing it altogether is really a benefit or not. One way to look at it is that this gives FreeBSD additional coverage. If someone reads that additional coverage incorrectly, then you now have an opportunity to correct them and provide additional details/info about FreeBSD.

>
> Flame on,

--
Joseph Scott
joseph.scott@owp.csus.edu
Office Of Water Programs - CSU Sacramento