Date: Fri, 14 Jul 2000 11:51:06 +0200
From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: Brett Glass <brett@lariat.org>
Cc: Matt Heckaman <matt@ARPA.MAIL.NET>, security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
Message-ID: <20000714115106.A63233@mithrandr.moria.org>
In-Reply-To: <4.3.2.7.2.20000713140559.04b7aec0@localhost>; from brett@lariat.org on Thu, Jul 13, 2000 at 02:10:12PM -0600
References: <4.3.2.7.2.20000713120631.04d53b60@localhost> <Pine.BSF.4.21.0007131554460.67970-100000@epsilon.lucida.qc.ca> <4.3.2.7.2.20000713140559.04b7aec0@localhost>
On Thu 2000-07-13 (14:10), Brett Glass wrote:
> >*sigh* Yeah.. This has been bugging me for a while too. It creates a lot of
> >misinformation about FreeBSD and makes us look worse than what the truth
> >is. Ever go to any of the uhm.. "security" sites and do a search on FreeBSD?
>
> Yep. You get tons of hits. A recent article also overestimated the
> number of security problems in FreeBSD because the person who compiled
> the statistics used message headers from Bugtraq and didn't cull the
> problems which were due to ports.

We have to keep FreeBSD in there. We are not _only_ catering to bugtraq
subscribers, automatic advisory counting, and any other form of weirdo out
there. We are, possibly primarily, catering to FreeBSD users.

If they get "Security Advisory wu-ftpd" in their mail, they then have to
open the mail, find out it is about FreeBSD, read that it is about ports,
and then work it all out. However, if they see "FreeBSD Ports Security
Advisory: wu-ftpd (FreeBSD-SA.000123123-wuftpd)" (or something a bit
shorter), then they get all that immediately, and can act upon it.

> One way to deal with this problem would be to remove the name FreeBSD
> from the header altogether, labeling the effort to report bugs in ports
> with some other name. Other ideas?

We shouldn't hide our name simply because there are people out there making
stupid assumptions. They're going to do their automatic scripts whether we
label them as ports, change the format, or do anything but remove the name.
Removing our name is not really an option, since it _does_ have something
to do with us, and we _do_ want our users to know.

Whatever happens, the people doing automated advisory counting will be
wrong. If we remove our name, or reformat, our existing users are going to
get confused, or not heed the message, or ask "Does this apply to FreeBSD?".
In addition, people with automated advisory counting might count advisories
sent out to our users, or sent out by a particular address, or any number of
algorithms. They're just fooling themselves, and we aren't going to help
them by obscuring our subjects. Educate them. Have an established document
about these issues.

At least locally, FreeBSD has a great reputation for security, and our move
to include ports advisories has bolstered our reputation even more. I've
used this fact to convince a whole bunch of people and companies to try
FreeBSD out during a recent trip to Johannesburg (that's in South Africa,
but still a long trip from Cape Town). Obscuring things is going to hamper
advocacy, and short-change those people I've convinced to try us out.

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org