Date: Mon, 23 Aug 2004 09:18:03 -0500
From: "Jacques A. Vidrine"
To: Oliver Eikemeier
cc: freebsd-vuxml@FreeBSD.org
cc: Tom Rhodes
Subject: Re: making optional
Message-ID: <20040823141803.GN27355@madman.celabo.org>
References: <20040822213232.GE17478@madman.celabo.org> <272AEBD2-F486-11D8-8CAA-00039312D914@fillmore-labs.com>
In-Reply-To: <272AEBD2-F486-11D8-8CAA-00039312D914@fillmore-labs.com>
List-Id: Documenting security issues in VuXML

On Sun, Aug 22, 2004 at 11:56:42PM +0200, Oliver Eikemeier wrote:
> Jacques A. Vidrine wrote:
> 60 (in words: sixty) entries in portaudit have the description `Please
> contact the FreeBSD Security Team for more information'. There are
> references, so when you care to add a quote, feel free, in fact this
> might be a job for the security team. You can frown on them as often as
> you like, the question is whether you just want to have an optional
> entry as an easy to spot sign that an editor is needed, or
> if you prefer to search for
>
> and similar constructs.

I'm not sure what you are talking about. I don't see any such entries
in VuXML ... but you said `portaudit' so maybe you are talking about
your personal database?

> >However, I must admit that I have some doubt the value of the
> > date in any case. What I'd really like to hear are some
> >arguments for keeping it or getting rid of it! I think it is useful
> >information of itself to many reading VuXML content, and that combined
> >with it provides a good metric about our response time. But I
> >could be overestimating the value of it, and if it somehow puts people
> >off to need to provide this information, then maybe it loses.
>
> Obviously we have a different opinion what is useful here. I expect most
> users to be simple consumers, not security researchers. They need
> information about the severity of a vulnerability, and maybe
> remote/local exploitability, whoever cares about the discovery date
> could check the references. Often I find the discovery date
> entertaining, but not useful.

So I'll take that as a vote for not keeping it (). Such a change
(dropping required content) would need to take place in a `major'
update e.g. VuXML 2.0. We'll revisit it then, maybe someone else will
add some opinions before then.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org