Date: Thu, 28 May 2015 10:19:12 -0700
From: Walter Parker <walterp@gmail.com>
To: freebsd-security@freebsd.org
Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
Message-ID: <CAMPTd_Ccdb%2BqgSFoMYqvLdToHLAoEEq9m6YZAONpvf739BKEmw@mail.gmail.com>
> Date: Wed, 27 May 2015 14:35:41 -0700
> From: "Roger Marquis" <marquis@roble.com>
> To: "Mark Felder" <feld@FreeBSD.org>
> Cc: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
> Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
> Message-ID: <mailman.91.1432814411.48534.freebsd-security@freebsd.org>
> Content-Type: text/plain;charset=iso-8859-1
>
>>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
>>> OpenBSD server operators) have no assurance that their systems are
>>> secure.
>>

That's an interesting definition of security assurance. The existence or quicker updating of a list of insecure packages does not make a system secure. It aids in the auditing of the security of the system, which is not the same thing as actually having a secure system. Standard logic says that lack of evidence does not prove non-existence.

What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that their systems are secure? An audit trail of CVE issues fixed, while a good start, is hardly a strong assurance that the system is secure.

How much faster must FreeBSD respond for it to join the "security assurance" club of the major Linux vendors? Is this a paperwork issue or a process issue?

Walter