Date: Thu, 13 Jul 2000 21:57:15 -0500
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: Brett Glass <brett@lariat.org>, "Jordan K. Hubbard" <jkh@zippy.osd.bsdi.com>
Cc: security@FreeBSD.ORG
Subject: Re: Displacement of Blame[tm]
Message-ID: <4.3.2.20000713210451.00cf81c0@207.227.119.2>
In-Reply-To: <4.3.2.7.2.20000713190150.04b9fc80@localhost>
References: <2753.963529551@localhost> <Your message of "Thu, 13 Jul 2000 15:58:35 PDT." <Pine.BSF.4.21.0007131553420.38638-100000@neo.bleeding.com>
At 07:11 PM 7/13/00 -0600, Brett Glass wrote:

>Jordan:
>
>I can't help it if I bring up thought-provoking (or discussion-provoking)
>topics. Those just happen to be the kinds of things I'm interested
>in. (Hopefully, this will prove to make me a good organizer for the
>conference next week.) I realize that it requires an asbestos suit to
>bring up some topics, and that some people who don't like online
>brainstorming or vigorous debate may tune out (PHK and DES are two
>unfortunate examples of people who have associated me with such things
>and therefore have blocked me personally). It's sad, but hey -- they're
>free to filter what they read as they see fit.

Controversial would be a better term, or maybe sensitive.

In this case we are talking more about *your* clients and *their* lack of education. In my eyes that is your problem. Perhaps you should explain that the keyword "Ports" means the problem is not FreeBSD specific *and* the port may not be installed in the first place. Then they should learn how to view the list of installed ports.

For other advisories that *are* in fact (potential) holes in the OS itself, there may be no reason to do other than say "Oh, OK, but that service is not in use."

Frankly I don't understand why one would subscribe their customers to a list which they, obviously, are not qualified to evaluate. Isn't the quality of their systems what they pay you for? It's almost like you want them to second-guess you.

>Discussion is always important, and there should be more of it in the
>various BSD communities. (Witness the paucity of discussion on Daemon
>News.... Sigh.) Not flamage, but good discussion.
>
>The issue at hand here could really have an effect on FreeBSD's reputation
>for security, so I hope you'll agree that this thread is worthwhile.

In part I agree about the reputation, but if they don't read the complete advisory, what's the use?
How in the hell are we going to improve (l)users' reading and, more importantly, comprehension skills? THIS has always been an issue for docs and mailing lists.

Perhaps in your case you should send out a message, or better yet, two messages. One letting them know of this "potential problem" and another to let a client know that you need to upgrade/change to fix a possible security issue. The second is by far a better "value added service" for the clients. Think about a web page or something as well. Also consider charging them for your (wasted) time. As others mention, it will do wonders to reduce the number of "Chicken Little" calls. I'd almost imagine that they call asking or telling about the latest WinBloze virus, which I've strongly discouraged for many years.

Hopefully I didn't flame you too badly, but this kind of thread seems to bring everyone out with a different opinion and endless discussion that goes absolutely nowhere. Tends to irk me more on -security than anything.

Can't recall if it was mentioned, but perhaps a very small change in the subject line:

FreeBSD Ports Security Advisory <advisory #>.<port>

to

Port(s) Security Advisory (FreeBSD) <advisory #>.<port>

Note: Even though it is a single port, perhaps keeping it plural will help those that are dumb as a rock to understand that it still is part of the "ports collection." When doing a simple subject sort this means the OS based advisories are not mixed in with the ports. Certainly then the (l)user may not either know how to sort or use a client that can sort.

Not to throw another log on the fire... Some of the advisories for the "OS" are really 3rd party software, so the argument with some that since FreeBSD makes changes with the port, however minor, and we alone may be responsible, then the changes made to 3rd party software in src/contrib show that any FreeBSD specific advisory (even if before or after another advisory from CERT, BugTraq, or other). How do we glorify these?
Is the goal to absolve FreeBSD of blame or what? Sorry, but the allusion to this and the subject get my goat, since too many people don't have the balls to take responsibility and finger-pointing is a way of life for many. Thus my change makes it sound like "ports" is another entity, but in fact FreeBSD is taking the time and effort to find and fix problems with 3rd party software when it runs on FreeBSD. It's all a matter of perception, and we all know the public is fickle when it comes to PR.

Better stop, somehow touched a nerve and sent me off on a rant. Didn't want to add to the static that blossomed on the list in the past few hours, but what the hell.

Maybe FreeBSD/BSDi needs a copy editor, but then we might end up with some watered-down drivel that points elsewhere and then moves focus away from the fact that FreeBSD should take credit for working on problems with 3rd party software. Brett, I think you should take a moment and explain this to your clients and sell it as the best thing since sliced bread and one of the reasons for choosing an open source OS, along with the other merits.

All that rant aside, the addition of "Ports" to the subject was not without notice by me, but then I tend to look at all of them, even if it's for programs that I have not and may never use. The increased number of advisories should also be encouraging. Of course then some will say FreeBSD has more advisories than brand "X" does. One can always then use M$ as an example of how damaging silence can be.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve