Date:      Thu, 28 May 2015 12:59:42 -0700
From:      "Roger Marquis" <marquis@roble.com>
To:        "Walter Parker" <walterp@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: New pkg audit / vuln.xml failures (php55, unzoo)
In-Reply-To: <CAMPTd_Ccdb%2BqgSFoMYqvLdToHLAoEEq9m6YZAONpvf739BKEmw@mail.gmail.com>
References:  <CAMPTd_Ccdb%2BqgSFoMYqvLdToHLAoEEq9m6YZAONpvf739BKEmw@mail.gmail.com>

Walter Parker wrote:
> What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
> their systems are secure? An audit trail of CVE issues fixed, while a
> good start, is hardly a strong assurance that the system is secure.

An important point and thank you for making it Walter.  There is no assurance
against zero-day vulnerabilities or vulns that are otherwise not published
(outside of the NSA).  That would be absolute security.  In the context of
relative security, however, assurance can perhaps be defined as being able to
assume that CVEs released by the NIST, announced by code or other operating
system maintainers or published by researchers or third parties such as
Rapid7 and Tripwire are reflected in vuln.xml (after a reasonable timeframe).

> How much faster must FreeBSD respond for it to join the "security
> assurance" club of the major Linux vendors? Is this a paperwork issue
> or a process issue?

We don't have much insight into the workings of FreeBSD's security teams so it
appears to be a matter of policy.  Would be great if Dag could comment here.
The policies I would most like to know about are transparency-related i.e.,
published security-related procedures, projects and RFCs.  Otherwise, what
appears to be lacking is (additional) automation of the process of scanning
CVEs and advisories by other organizations and subsequent prioritization,
review and formatting for publication.

There are several of us interested in contributing towards these goals,
financially, codewise and otherwise, but it is distressingly unclear how.
There are PRs of course, but if, say, someone wanted to contribute
specifically to the process of automating vuln.xml updates or to donate
specifically to the security teams ....   Pointers gladly accepted.

Roger
