Date: Sun, 1 Oct 2000 01:18:38 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
Cc: security@FreeBSD.ORG
Subject: Re: Security and FreeBSD, my overall perspective
Message-ID: <200010010518.BAA12179@khavrinen.lcs.mit.edu>
In-Reply-To: <4.3.2.20000930160153.00b8bc10@207.227.119.2>
References: <Message from Kris Kennaway <kris@FreeBSD.org> <20000930122217.A51270@freefall.freebsd.org> <2973.970342843@winston.osd.bsdi.com> <4.3.2.20000930160153.00b8bc10@207.227.119.2>
<<On Sat, 30 Sep 2000 16:16:47 -0500, "Jeffrey J. Mountin" <jeff-ml@mountin.net> said:

> While I like this idea to some extent, there should be a disclaimer and/or
> be used on ports that have been checked over.

Let me re-emphasize this. The mere fact that we are putting some effort into auditing some parts of the software we ship with could potentially create legal liability if any potential security problems are missed by the audit. This is true even despite any disclaimers we or the original authors might make, because the legal `footprint' of such disclaimers varies from place to place [1].

That's why it is important that, as FreeBSD becomes more commercially important, *someone* pay for a general-liability insurance policy which could protect the Project from such suits. It is an unfortunate fact of life that those who exercise editorial discretion (``publishers'') can, by omission as much as by commission, attract more legal scrutiny than mere conduits for information.

Of course, it's not just security issues that could cause trouble; intellectual-property issues have been a problem in the past (remember xtetris?) and are likely to rise again.

We also have to be concerned (although I've seen no evidence that the security team is anything but) that we make absolutely certain that a program really does have a security problem before reporting it as such; getting an advisory wrong could be cause for a lawsuit.

-GAWollman

[1] That's why the standard consumer-products warranty boilerplate always says something like, ``This warranty gives you specific legal rights, and you may have others which vary from jurisdiction to jurisdiction.'' I am told that Massachusetts is one of those places.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200010010518.BAA12179>