Date: Tue, 27 Aug 2002 21:21:41 +0200 From: Jens Rehsack <rehsack@liwing.de> To: Mark Murray <mark@grondar.za> Cc: freebsd-security@freebsd.org Subject: Re: Administrivia: Discussion - Making this list subscriber-only Message-ID: <3D6BD145.C1991051@liwing.de> References: <3D6BBF89.F3A028@liwing.de> <200208271849.g7RInvl5022584@grimreaper.grondar.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Mark Murray wrote:
>
> > > How will that stop off-topic chatter?
> >
> > Never. But neither your way does. I'm subscribed and I answer to your
> > off-topic post. So we both are the off-topic chatters you want stop.
> > Sure?
>
> :-)
>
> I am conducting this discussion under the "Administrativia" flag, so
> while it may be off-topic, it is of indirect-but-important relevance
> to the list.
>
> This is a focussed discussion that will cease abruptly when a conclusion
> is reached (hopefully!).
>
> > > > This allows to post validated senders only but keeps freedom to all
> > > > people who wants post.
> > >
> > > _Less_ freedom is actually needed. It is precisely that freedom which
> > > has allowed the list to become a question-and-answer (or HOWTO) list
> > > that has dropped the signal value so badly.
> >
> > Pardon, but IMHO this list is read by "security experts". So if I have
> > a security related question, I ask here. I'm a good developer, I have
> > many knowledge 'bout secure programming and know to protect my box
> > enough for stupids. But one the one hand there're many people who have
> > much less knowledge to security than me and on the other hand a lot
> > of guru's to me.
>
> Most of the real FreeBSD security experts avoid this list (or treat it
> as a "scan-only" list). The reason for this is the treatment of the
> list as "newbie questions welcome". That is not the original purpose
> of the list.
But it's a public list with sponsors from industry and persons...
> > What I want to say with that: What is a stupid question to me or not
> > security related ot sth. else may important to others with other kind
> > of thoughts. What a sort of guys we'll be if we judge 'bout the security
> > relate of a posting?
>
> Fair question (if I understand you correctly).
> Relevant:
> o Policy issues
> o Security bug details or fixes to security holes.
> o Experience of effective defences, including documentation of known
> problems.
> o Interesting security-related code.
> ... etc.
> Off-topic:
> o Any common sysadmin task.
May be ok, may not. Depends on the "common" of the task. If it's "so"
common, someone could add it to FAQ or handbook, couldn't someone?
> o "Which should I use FOO, or BAR?"
I have seen many question like "Should I you ipfilter pr ipfirewall?",
and those questions really have some reason:
a) Neither IPFilter nor IPFirewall is really good documented.
It tooks a lot of expirience and "wisdom" to know hints for use
in special situations.
But - in that case - there should be a "security-questions" list.
b) Very less people knows that both filters could coexists.
> o Any topic which is more relevant to another list.
Who decides that? On which rules? I think, a collective reply with the
right list could help more.
> o Spam, or replies to spam.
This could be managed using
a) spam filter for list (what would be done already)
b) spam filter (rtbl) at your gateway
c) auth-requests on first post
> ... etc.
> > So I cannot follow your way to close this list. If you want have a private
> > list, why you don't found your own one?
>
> I don't want a private list. I want a high-signal freebsd-specific one.
So a good thing would be a security-questions list. Newbies can ask there
and the "high-signal" R.I.P. Sounds a little bit ok to me...
But: if someone found the list address, (s)he had read some manual before.
So there's a place where some rules could be noted...
> > > Depends on the "end". Here I mean a dramatic drop in newbie questions
> >
> > Who decides what's a newbie question an what's not? You? Me? Santa Claus?
> > And everyone started on a small ground... - that's the way.
>
> There are places for newbie questions. This is not it. The list
Not for newbie-security-related. When I was new I was happy 'bout security-list.
> sort-of evolved towards this, and as this happened, the guru-factor
> droppeed, and the question-factor rose. The list is now a low-signal
> duplicate of -questions/-newbies.
That's not really true, but I see, what you mean. But if you ask me for
my real oppinion: Add all things you don't wanted ask anymore to the
faq/doc/handbook and (let) commit it. So in 6 month those things aren't
asked anymore...
It's a more friendly way ...
> > > and a consequent increase in the technical content/discussion
> > > ratio. I also hope to attract back the security gurus, and thus
> > > further improve the signal content.
> >
> > This will not work. Let me explain what I believe what such a list
> > is for: I think, some people found a list for security related
> > discussions to make it much easier to help each other. Over the
> > month and years to original guru's are getting better and better
> > while the quality of the list in in everyone's mouth. So some more
> > guys and girls are subscribing to participate one every hint and a
> > lot of stressed people are just asking sth. and discuss just a small
> > (personal preferred) problem, an idea, sth. else.
>
> -Questions is a "help-each-other" list. So is USENET. We don't need
> any more, and unfortunately over time some folks have gotten used
> to this status quo. This may seem harsh, but such folks have a
> little unlearning to deal with. Sorry! :-)
I think that -question is a freebsd related "help-each-other" list.
An security related one is missed at the moment. Remember: the usenet
has many categories, too.
> > And some of the guru's get bored, but many new guru candidates
> > subscribed, helped, talked and - sometimes - chatted 'bout security (I
> > remember an obfuscation discusion not long ago).
>
> That fact that some time in the past, this may have worked for individuals
> is, erm, unfortunate. I can go to extremes ("Theft works for robbers" etc),
> but I think you may understand me if I say the means does not justify
> the ends.
>
> > So in my opinion this list is good just as is. If you are much more
> > expirienced and wiser so you have two choices. Go away to a wisdom /
> > guru list or stay (what we all prefer) and let us have part of your
> > wisdom.
>
> You are welcome to stay, you are welcome to read. Pleas understand that
> I don't want you to go naway; I want you to accept a higher signal ratio,
> and nI want you to not (unwittingly) contribute to the noise :-)
Of course, but please understand me if I say: let the other ones follow us.
But I think (after that discussion) a -security-questions is necessary.
Using force is not solution for the world, just for small numbers of people.
Give 'em a chance.
> > I do not want defend idiots, but - please - there is a difference
> > between newbie (what I could be in the eyes of many) and idiots /
> > torks.
>
> Lets not get extreme - we mostly agree. Lets see how this initiative
> pans out.
Agreed.
> M
> --
> o Mark Murray
> \_
> O.\_ Warning: this .sig is umop ap!sdn
--
L i W W W i Jens Rehsack
L W W W
L i W W W W i nnn gggg LiWing IT-Services
L i W W W W i n n g g
LLLL i W W i n n g g Friesenstraße 2
gggg 06112 Halle
g
g g
Tel.: +49 - 3 45 - 5 17 05 91 ggg e-Mail: <rehsack@liwing.de>
Fax: +49 - 3 45 - 5 17 05 92 http://www.liwing.de/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D6BD145.C1991051>