Date: Thu, 13 Jul 2000 15:47:46 -0700
From: Joseph Scott <joseph.scott@owp.csus.edu>
To: Justin Wolf <jjwolf@bleeding.com>
Cc: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
Message-ID: <396E4712.EC5888B@owp.csus.edu>
References: <Pine.BSF.4.21.0007131337260.38269-100000@neo.bleeding.com>
Justin Wolf wrote:
>
> Maybe I missed it in this really long thread somewhere, but why do we have
> to say that it concerns FreeBSD at all? If it's a bug/hole in a port, it
> has nothing to do with FreeBSD except for the fact that the user MAY have
> installed this port, which of course comes from a third party, but was
> compiled by the FreeBSD organization.

This is one of those balancing acts. However, I believe it's important for a couple of reasons.

1. The method by which the person receives the at-risk program is from FreeBSD, i.e. "I installed it from the ports collection." While the software itself is not developed by FreeBSD, the distribution method is. I imagine this is something similar to Toys'R'Us removing a dangerous toy from their shelves and telling the whole world about it. Toys'R'Us didn't make the toy, but they are responsible for making it available to the portion of the public that shops there.

2. The "why didn't I hear about this from you instead of a third party" case. Some people get upset if it's their uncle who tells them they have a security hole instead of the vendor that they got the OS from in the first place.

> Instead, how about just sending an email from the FreeBSD security
> 'organization' stating that a port has a bug/hole in it. No one assumes
> that CERT or BUGTRAQ have any security holes, but the products they alert
> about do. I think this type of advisory would provide the same
> information within a context that relieves FreeBSD proper of having any
> connotation of holes itself. This also allows the complete removal of
> 'FreeBSD' in the subject altogether.

It's difficult to say if removing it altogether is really a benefit or not. One way to look at it is that this gives FreeBSD additional coverage. If someone reads that additional coverage incorrectly, then you now have an opportunity to correct them and provide additional details/info about FreeBSD.

>
> Flame on,

--
Joseph Scott
joseph.scott@owp.csus.edu
Office Of Water Programs - CSU Sacramento