From owner-freebsd-audit Sat Dec 4 23:53: 6 1999 Delivered-To: freebsd-audit@freebsd.org Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (Postfix) with ESMTP id C24F214EF4; Sat, 4 Dec 1999 23:53:00 -0800 (PST) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id JAA15703; Sun, 5 Dec 1999 09:50:25 +0200 (SAST) (envelope-from mark@grondar.za) Message-Id: <199912050750.JAA15703@gratis.grondar.za> To: Kris Kennaway Cc: audit@FreeBSD.ORG Subject: Re: Closed list policy? Date: Sun, 05 Dec 1999 09:50:25 +0200 From: Mark Murray Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > I was wondering whether it would be smarter to have a closed list policy > here, to prevent just anyone (read: evil people) from subscribing and > getting early notification about vulnerabilities before they're patched > (which may take several days). Obviously we still should have a full > disclosure policy, but it gives ourselves time to fix bugs properly. We are really supposed to be taling about _how_ we do the audit, and results thereof, not the actual details. The dirty details should be on -security, -arch, -current or -security-officer, as appropriate. What should be here is "I have finished foo(1), and it is now clean of all bar/baz/qux problems that I could find.". M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message