Date: Tue, 21 Mar 2000 02:40:22 -0600
From: Dave McKay
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ports security advisories..
Message-ID: <20000321024022.A76613@elvis.mu.org>
References: <20000320154614.A63670@elvis.mu.org>

Welp.. I'm convinced.

Kris Kennaway (kris@FreeBSD.ORG) wrote:
> On Mon, 20 Mar 2000, Dave McKay wrote:
>
> > Is it really necessary to post the ports security advisories?
> > The exploitable programs are not part of the FreeBSD OS, they
> > are third party software. I think the proper place for these
> > is the Bugtraq mailing list on securityfocus.com. Also to add
> > to the arguments, most of the advisories are not FreeBSD
> > specific.
>
> It's true they're not part of FreeBSD, but they're things which FreeBSD
> people are quite likely to install. Is a root hole in (e.g.) sendmail any
> worse than a root hole in a port you have installed? Both will hurt you
> equally much. Suppose we only publicize the "popular" security advisories
> - how do we quantify which ports are popular, and what about all the
> people who have installed an "unpopular" port?
>
> IMO, requiring people to wade through bugtraq to read the advisories is
> too much to ask. Personally, I think receiving a security advisory (on
> average) every few weeks is not much of a burden at all on most people's
> mailboxes (especially since you can just scan through the headers and say
> "hmm, mtr..nope, haven't installed it.." ), but if there was
> enough of a demand we could separate out the ports advisories from the
> base system advisories onto another list.
>
> Kris
>
> ----
> In God we Trust -- all others must submit an X.509 certificate.
>     -- Charles Forsythe
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com
I'm feeling lucky...