Date:      Tue, 21 Mar 2000 02:36:32 -0500
From:      Garance A Drosihn <drosih@rpi.edu>
To:        freebsd-security@FreeBSD.ORG
Cc:        Dave McKay <dave@mu.org>, Warner Losh <imp@village.org>
Subject:   Re: ports security advisories..
Message-ID:  <v04210103b4fcceff3193@[128.113.24.47]>
In-Reply-To: <4.2.2.20000320202203.03826c60@mail.sentex.net>
References:  <Message from Dave McKay <dave@mu.org> <20000320154614.A63670@elvis.mu.org> <4.2.2.20000320202203.03826c60@mail.sentex.net>

At 8:33 PM -0500 3/20/00, Mike Tancsa wrote:
>>Dave McKay wrote:
>>
>> > Is it really necessary to post the ports security advisories?
>> > The exploitable programs are not part of the FreeBSD OS, they
>> > are third party software.
>>
>
>I think it's a great and valuable service.  There are times when even 
>bugtraq can be a bit late.  [...] Besides, the Ports SAs so far have 
>been concise, to the point and always potentially relevant.  I think 
>the Ports Security Officer should be congratulated for taking on 
>such a large and valuable job!  Way to go PSO!

I also think this is a very valuable service.  If someone is running
FreeBSD, then it is easier for them to monitor one list of security
issues which might affect them, instead of having to join some other
list (bugtraq) which will then track bugs of all kinds of things that
are NOT relevant to them.

Also, by being proactive with an "official freebsd announcement", we
will probably see LESS traffic on this list, where everyone reads
some bugtraq posting and then rushes over here to repeat it "just in
case you're not aware", or to ask freebsd-specific followup questions
on the report (such as "the bugtraq report didn't mention freebsd, so
does that mean they KNOW it isn't a problem on freebsd, or do they
not know so someone here should be looking into it?").

Besides, bugtraq can only say things like "gee, lynx has some bugs,
you probably shouldn't run it".  The freebsd security report can say
"this is so riddled with serious bugs, we are removing it from the
ports collection.  Sorry for the inconvenience, but we really think
this is too serious for anyone to be running it."

Given the thousands of ports for freebsd, I can see the danger of
getting buried with port-related security bulletins that will not
apply to you (of course, the exact same thing will happen if you
DO join bugtraq...).  Perhaps we can do something about that?
Perhaps the subject should at least say "Port" in it?

Maybe subjects of:
   FreeBSD Security Advisory: Port-SA-00:04.delegate
   FreeBSD Security Advisory: Port-SA-00:07.mh
   FreeBSD Security Advisory: Port-SA-00:08.lynx

or:
   FreeBSD Port Advisory: FreeBSD-SA-00:04.delegate
   FreeBSD Port Advisory: FreeBSD-SA-00:07.mh
   FreeBSD Port Advisory: FreeBSD-SA-00:08.lynx

instead of the current:
   FreeBSD Security Advisory: FreeBSD-SA-00:04.delegate
   FreeBSD Security Advisory: FreeBSD-SA-00:07.mh
   FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx

I'm also thinking how we would want to draw the line between things
which are part of the "standard system" (even if they are technically
a port), and things where the administrator had to explicitly install
some port for the security issue to be on their system.  (I'm waving
my hands vaguely here, as I'm not quite sure what I mean by that...)

And at some future time, someone might get ambitious enough to write
a filter on the receiving side of the advisories.  I might end up
getting lots of such bulletins sent to me, but have most of those
filtered so only the packages *I* have installed are shown to me at a
much higher priority than ones I haven't.


---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
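The receiving-side filter the message speculates about, as an added example that is not part of the original thread: it parses advisory subjects in both the current "FreeBSD-SA-YY:NN.port" form and the proposed "Port-SA-" form, and ranks advisories whose port matches an installed package ahead of the rest. The installed-package list is constructed here in pkg_info-style "name-version" form; a real filter would read it from the system.

```python
import re
from typing import Optional

# Subject formats quoted in the thread (current and proposed), e.g.
#   FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx
#   FreeBSD Security Advisory: Port-SA-00:08.lynx
# The advisory id is YY:NN and the token after the dot names the port.
ADVISORY_RE = re.compile(
    r"\b(?P<kind>FreeBSD|Port)-SA-(?P<id>\d{2}:\d{2})\.(?P<port>[A-Za-z0-9_.+-]+)"
)


def parse_subject(subject: str) -> Optional[dict]:
    """Return {'kind', 'id', 'port'} for an advisory subject, else None."""
    m = ADVISORY_RE.search(subject)
    if m is None:
        return None
    return {"kind": m.group("kind"), "id": m.group("id"), "port": m.group("port")}


def package_base(pkg: str) -> str:
    """'lynx-2.8.2.1' -> 'lynx': the version follows the last hyphen."""
    return pkg.rsplit("-", 1)[0]


def prioritize(subjects, installed):
    """Rank advisories: ones naming an installed port first, then by id.

    Returns a list of (priority, advisory_id, port, subject) tuples, where
    priority is 1 for an installed port and 0 otherwise.  Subjects that are
    not advisories at all are dropped.
    """
    installed_names = {package_base(p) for p in installed}
    ranked = []
    for subject in subjects:
        adv = parse_subject(subject)
        if adv is None:
            continue
        priority = 1 if adv["port"] in installed_names else 0
        ranked.append((priority, adv["id"], adv["port"], subject))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    # Constructed sample data: three subjects from the thread and a
    # hypothetical installed-package list.
    subjects = [
        "FreeBSD Security Advisory: FreeBSD-SA-00:04.delegate",
        "FreeBSD Security Advisory: FreeBSD-SA-00:07.mh",
        "FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx",
    ]
    for prio, adv_id, port, subj in prioritize(subjects, ["lynx-2.8.2.1", "bash-2.03"]):
        print("installed" if prio else "other    ", adv_id, port)
```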
