Date:      Fri, 14 Jul 2000 12:04:22 -0500
From:      "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To:        Kris Kennaway <kris@FreeBSD.ORG>
Cc:        security@FreeBSD.ORG
Subject:   Newer advisories (was Re: Two kinds of advisories?)
Message-ID:  <4.3.2.20000714114005.00b67100@207.227.119.2>
In-Reply-To: <Pine.BSF.4.21.0007131826350.13660-100000@freefall.freebsd.org>
References:  <Pine.BSF.4.21.0007131902540.62151-100000@srh0902.urh.uiuc.edu>

At 06:42 PM 7/13/00 -0700, Kris Kennaway wrote:

Hopefully won't start another wild thread...

<guilty>
Not really on-topic
</guilty>

>Turn this to your advantage: we acknowledge and fix our security bugs in
>public, and those in software we ship, regardless of how embarrassing they
>may be, because we care about the security of our users. The majority of
>these holes are also present in other OSes, many of whom do not bother to
>acknowledge them (as) publically.

Much better than trying to sweep them under the rug.

>This is already apparent from the "FreeBSD only: NO" in most of the 33
>advisories this year, but it's not professional to name the other
>platforms explicitly (besides the fact that we can't always be sure, as I
>learned once the hard way when I overestimated the severity of a NetBSD
>vulnerability).

It seems I overlooked that addition.  Tend to read the 5 sections.

>In other words, this is an advocacy issue, not one which can be magically
>fixed by cramming more into the subject line of advisories. I'm not one to
>blow my own horn, but it's the kind of thing which might make a good
>article or two to get this point across to the world and provide something
>to point to when people make that claim.
>
>As long as I'm the one writing these advisories I'm not going to do
>anything to make them less visible to the wider community - I want it to
>be known that a) FreeBSD fixes its security vulnerabilities and tells
>people when we do, and b) there is an awful lot of bad code out there
>which hurts *EVERYONE*, not just FreeBSD.
>
>I see myself as providing a service to a larger community than just
>FreeBSD users here precisely because these advisories are widely
>distributed, and (compared to what other vendors produce) more informative
>- in fact I've gotten feedback from people who don't even use FreeBSD who
>have been impressed by this.
>
>I am trying to build FreeBSD's reputation as an OS which takes security
>damn seriously, and so far I think I've had at least moderate success.

Of course then the addition of the "FreeBSD only: <yes/no>" should make a 
subtle, but obvious point should a person stop and think.  Those using 
other OS's may wish to get FreeBSD's advisories just to hear about possible 
problems with 3rd party software.

Perhaps an article should be done up and emphasis made on this.  Some 
general credit should also be given to the authors of 3rd party software 
that merge in fixes, which then helps advocate open-source in general to 
push your idea a tad further.  That in turn should show that open-source, 
free software has commercial value.

There are exceptions and in recent history the ports list has contained 
more tidbits of useful info.  Best not to mention them.  Will say that some 
on the -ports list have expressed interest in fixing software that the 
author(s) don't seem to care about.

Not that another list is really needed.  One just for ports advisories may 
be a good thing from a PR standpoint.  Of course they then need to check 
out the ports collection and may end up trying out FreeBSD.  8-)


Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
