Date: Thu, 13 Jul 2000 19:44:27 -0400 (EDT)
From: Matt Heckaman <matt@ARPA.MAIL.NET>
To: Garance A Drosihn <drosih@rpi.edu>
Cc: Justin Wolf <jjwolf@bleeding.com>, security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
Message-ID: <Pine.BSF.4.21.0007131928190.68696-100000@epsilon.lucida.qc.ca>
In-Reply-To: <v04210106b593fd42032f@[128.113.24.47]>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 13 Jul 2000, Garance A Drosihn wrote:
...
: I really don't want to rehash THAT debate. I wouldn't mind a little
: brain-storming to see if we can come up with a better format for the
: subjects, but I don't want to start back at square one and debate
: every aspect of this all over again. In fact, the main reason I
: haven't wanted to ask about the format of subjects was because I was
: afraid we WOULD end up debating the entire topic all over again.

I don't think the debate is really about whether we should do advisories or not, I think all would agree that advisories are good. The question is how to hammer it into the general public's heads that it's not a FreeBSD hole per se? Take this wu-ftpd exploit, it's hit just about everyone, and what two names do I see beyond anything else? RedHat & FreeBSD. As if no one else was affected by it. I realize it's most likely a losing battle to try to change that kind of mentality, but I can't help being somewhat bothered by it.

I guess it's doubtful that changing the subjects would fix anything, though I do think it could use a little work, per my last mail. I sometimes wonder if making the field that says "FreeBSD specific: [YES|NO]" a little more prominent wouldn't hurt...

Personally, I love advisories about ports, keeps me from accidentally missing some exploit that I hit 'D' too quickly over when topic-scanning, and in several cases, various environment modifications have rendered the exploit unusable on FreeBSD. That's great! Though, I wonder why we send FreeBSD-Port specific advisories out to a forum like bugtraq, where the non-FreeBSD users will say "Huh? Port?" or "FreeBSD root!" - I would hope that those who use FreeBSD track -security? Or more to the point, why would a FreeBSD user track a list like bugtraq but NOT -security? It's almost like saying "I care about general security, but who cares about the security of the OS I use".

Now, since I'm sure someone else will do it, I'll debunk myself by replying, "Well, they could simply know that all FreeBSD advisories will end up on bugtraq, so there is no need for the extra -security traffic". I suppose that would work for some, but it doesn't work for me. Just an opinion though.

I have my views on how they should look and be handled, but I think this is a no-win situation for all involved that will just end up making Jordan's fingers hurt more.

: ---
: Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu
: Senior Systems Programmer or drosih@rpi.edu
: Rensselaer Polytechnic Institute

* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: http://www.lucida.qc.ca/pgp

iD8DBQE5blRcdMMtMcA1U5ARAtU9AJ4jRRfq+4hizfoLc1++akiQ7OEbvwCbBRFd
FyDaNF4DV6XQix08EVl/qFI=
=ahxN
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message