Date:      Tue, 27 Aug 2002 21:21:41 +0200
From:      Jens Rehsack <rehsack@liwing.de>
To:        Mark Murray <mark@grondar.za>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Administrivia: Discussion - Making this list subscriber-only
Message-ID:  <3D6BD145.C1991051@liwing.de>
References:  <3D6BBF89.F3A028@liwing.de> <200208271849.g7RInvl5022584@grimreaper.grondar.org>



Mark Murray wrote:
> 
> > > How will that stop off-topic chatter?
> >
> > Never. But neither your way does. I'm subscribed and I answer to your
> > off-topic post. So we both are the off-topic chatters you want to stop.
> > Sure?
> 
> :-)
> 
> I am conducting this discussion under the "Administrivia" flag, so
> while it may be off-topic, it is of indirect-but-important relevance
> to the list.
>
> This is a focussed discussion that will cease abruptly when a conclusion
> is reached (hopefully!).
> 
> > > > This allows only validated senders to post but keeps freedom to all
> > > > people who want to post.
> > >
> > > _Less_ freedom is actually needed. It is precisely that freedom which
> > > has allowed the list to become a question-and-answer (or HOWTO) list
> > > that has dropped the signal value so badly.
> >
> > Pardon, but IMHO this list is read by "security experts". So if I have
> > a security related question, I ask here. I'm a good developer, I have
> > much knowledge 'bout secure programming and know to protect my box
> > enough for stupids. But on the one hand there're many people who have
> > much less knowledge of security than me and on the other hand a lot
> > of gurus to me.
> 
> Most of the real FreeBSD security experts avoid this list (or treat it
> as a "scan-only" list). The reason for this is the treatment of the
> list as "newbie questions welcome". That is not the original purpose
> of the list.

But it's a public list with sponsors from industry and persons...

> > What I want to say with that: What is a stupid question to me or not
> > security related or sth. else may be important to others with other kind
> > of thoughts. What a sort of guys we'll be if we judge 'bout the security
> > relate of a posting?
> 
> Fair question (if I understand you correctly).
> Relevant:
> o Policy issues
> o Security bug details or fixes to security holes.
> o Experience of effective defences, including documentation of known
>   problems.
> o Interesting security-related code.
> ... etc.



> Off-topic:
> o Any common sysadmin task.

May be ok, may not. Depends on the "common" of the task. If it's "so"
common, someone could add it to FAQ or handbook, couldn't someone?

> o "Which should I use FOO, or BAR?"

I have seen many questions like "Should I use ipfilter or ipfirewall?",
and those questions really have some reason:
a) Neither IPFilter nor IPFirewall is really well documented.
   It takes a lot of experience and "wisdom" to know hints for use
   in special situations.
   But - in that case - there should be a "security-questions" list.
b) Very few people know that both filters could coexist.

> o Any topic which is more relevant to another list.

Who decides that? On which rules? I think, a collective reply with the
right list could help more.

> o Spam, or replies to spam.

This could be managed using
a) spam filter for list (what would be done already)
b) spam filter (rtbl) at your gateway
c) auth-requests on first post

> ... etc.

> > So I cannot follow your way to close this list. If you want have a private
> > list, why you don't found your own one?
> 
> I don't want a private list. I want a high-signal freebsd-specific one.

So a good thing would be a security-questions list. Newbies can ask there
and the "high-signal" R.I.P. Sounds a little bit ok to me...

But: if someone found the list address, (s)he had read some manual before.
So there's a place where some rules could be noted...

> > > Depends on the "end". Here I mean a dramatic drop in newbie questions
> >
> > Who decides what's a newbie question and what's not? You? Me? Santa Claus?
> > And everyone started on a small ground... - that's the way.
> 
> There are places for newbie questions. This is not it. The list

Not for newbie-security-related. When I was new I was happy 'bout security-list.

> sort-of evolved towards this, and as this happened, the guru-factor
> dropped, and the question-factor rose. The list is now a low-signal
> duplicate of -questions/-newbies.

That's not really true, but I see what you mean. But if you ask me for
my real opinion: Add all things you don't want asked anymore to the
faq/doc/handbook and (let) commit it. So in 6 months those things aren't
asked anymore...
It's a more friendly way ...

> > > and a consequent increase in the technical content/discussion
> > > ratio. I also hope to attract back the security gurus, and thus
> > > further improve the signal content.
> >
> > This will not work. Let me explain what I believe what such a list
> > is for:  I think, some people found a list for security related
> > discussions to make it much easier to help each other. Over the
> > months and years the original gurus are getting better and better
> > while the quality of the list is in everyone's mouth. So some more
> > guys and girls are subscribing to participate on every hint and a
> > lot of stressed people are just asking sth. and discuss just a small
> > (personal preferred) problem, an idea, sth. else.
> 
> -Questions is a "help-each-other" list. So is USENET. We don't need
> any more, and unfortunately over time some folks have gotten used
> to this status quo. This may seem harsh, but such folks have a
> little unlearning to deal with. Sorry! :-)

I think that -question is a freebsd related "help-each-other" list.
A security related one is missing at the moment. Remember: the usenet
has many categories, too.

> > And some of the guru's get bored, but many new guru candidates
> > subscribed, helped, talked and - sometimes - chatted 'bout security (I
> > remember an obfuscation discussion not long ago).
> 
> The fact that some time in the past, this may have worked for individuals
> is, erm, unfortunate. I can go to extremes ("Theft works for robbers" etc),
> but I think you may understand me if I say the means does not justify
> the ends.
>
> > So in my opinion this list is good just as is. If you are much more
> > experienced and wiser so you have two choices. Go away to a wisdom /
> > guru list or stay (what we all prefer) and let us have part of your
> > wisdom.
> 
> You are welcome to stay, you are welcome to read. Please understand that
> I don't want you to go away; I want you to accept a higher signal ratio,
> and I want you to not (unwittingly) contribute to the noise :-)

Of course, but please understand me if I say: let the other ones follow us.
But I think (after that discussion) a -security-questions is necessary.
Using force is not a solution for the world, just for small numbers of people.
Give 'em a chance.

> > I do not want defend idiots, but - please - there is a difference
> > between newbie (what I could be in the eyes of many) and idiots /
> > torks.
> 
> Let's not get extreme - we mostly agree. Let's see how this initiative
> pans out.

Agreed.

> M
> --
> o       Mark Murray
> \_
> O.\_    Warning: this .sig is umop ap!sdn

-- 
L     i  W     W     W  i                 Jens Rehsack
L        W     W     W
L     i   W   W W   W   i  nnn    gggg    LiWing IT-Services
L     i    W W   W W    i  n  n  g   g
LLLL  i     W     W     i  n  n  g   g    Friesenstraße 2
                                  gggg    06112 Halle
                                     g
                                 g   g
Tel.:  +49 - 3 45 - 5 17 05 91    ggg     e-Mail: <rehsack@liwing.de>
Fax:   +49 - 3 45 - 5 17 05 92            http://www.liwing.de/
