From owner-freebsd-security Fri Jul 14 14:58:27 2000
Date: Fri, 14 Jul 2000 14:58:22 -0700 (PDT)
From: Roger Marquis
To: security@freebsd.org
Subject: Re: Displacement of Blame[tm]

On Thu, 13 Jul 2000, Brett Glass wrote:
> At the very least, we should make sure
> that people who try to count bugs automatically by monitoring Bugtraq
> posts do not attribute bugs in ported software to FreeBSD.

Brett's made an excellent point. It's important to keep in mind that people evaluating operating system security are, by definition, not familiar with that operating system. Usually they are managers and other marginally technical types, not the gurus who read this list (assuming they could find it).

Even to the technically semi-literate it is still difficult to distinguish port vulnerabilities from OS vulnerabilities. The FreeBSD moniker is too prominently displayed at the top of each advisory for that. This much is clear from the non-techies I've spoken with.

Perhaps what we need are "BSD Port" advisories instead of "FreeBSD" advisories?

Shoot the messenger(s) if you wish, but be prepared for the results (i.e., declining customer base).

Then again, given the lack of civility displayed in this thread, maybe the OS does have some real weaknesses...

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/