Date:      Fri, 14 Jul 2000 12:00:52 +0100
From:      David Pick <D.M.Pick@qmw.ac.uk>
To:        security@FreeBSD.ORG
Subject:   Re: Displacement of Blame[tm] 
Message-ID:  <E13D3DA-0006b1-00@xi.css.qmw.ac.uk>
In-Reply-To: Your message of "Fri, 14 Jul 2000 12:38:27 +0200." <20000714123827.A64184@mithrandr.moria.org>

> On Fri 2000-07-14 (11:21), David Pick wrote:
> > > On Fri 2000-07-14 (10:53), David Pick wrote:
> > > > A little shorter:
> > > > 	<port> FreeBSD Port Security Advisory <advisory number>
> > > 
> > > This will still be counted by automated advisory things, which was one
> > > of the stated problems.
> > 
> > Depends on how they classify the text; if they use only the first
> > word then this statement is true.
> 
> I don't think you understand.  The stated problem is that people are
> automatically counting advisories based on false assumptions.

Agreed. If we are *really* worried about that we need to make sure
that the word FreeBSD doesn't appear at all. If we also want to make
the messages interpretable by humans, perhaps we could replace the
word "FreeBSD" by "F r e e B S D" (or some similar modification).

But some people (at least) have "stated" that the problem is managers
(who I think we have to admit are human, not machines) see subject
lines that make them think there's a problem with FreeBSD itself,
and who then don't allow the techies in their organisation to use
FreeBSD "because it's got lots of security problems".

<snip>

> See above.

See above.

> Existing advisories have:
> 
> FreeBSD Ports Security Advisory: FreeBSD-SA-00:26.popper
> 
> If people are going to make false assumptions, then they're going to do
> so.  They _can_ be shown that "FreeBSD Ports" is not a base system
> problem as easily as we can show them that "FreeBSD Port of <port>" or
> "mumble: FreeBSD Port Advisory" is not in the base system.
> 
> Your suggestion that "FreeBSD Port of <port>: Security Advisory" is just
> as likely to get misunderstood as being a security problem with only the
> software on FreeBSD, or in the porting procedure to FreeBSD.  Currently,
> we can either acknowledge that people who don't care to understand will
> never understand, or we can obscure our topics more and more to get past
> the latest person who didn't care to understand.

I think we have two problems here, probably mutually incompatible:
 1) Automatic classification "systems"
 2) Clarity for human readers.
If we are to be clear about what the advisory covers for our human readership,
we *have* to include both the port name and the word "FreeBSD" (whatever
actual language we employ). If we want to avoid counting "systems" with
broken classification schemes, we *have* to avoid using the word "FreeBSD".

> > But I suspect no form of words will satisfy everyone. Perhaps after a
> > few more people have put their heads above the parapet and actually
> > made suggestions an election would be in order.
> 
> Elections on mailing lists don't work.  How long do you wait?

c48 hours.

>                                                                Who is
> your electorate?

Anyone who votes within the time limit.

>                   People who want the status quo generally don't vote.

Unless it's specifically included as one option in the election.

> People will subscribe from the list.  And so forth.

OK. No election. We can all start shouting instead. Or agree not
to shout at the poor, beleaguered, Security Officer when he makes
a unilateral decision.

-- 
	David Pick
