Date: Mon, 20 Mar 2000 14:22:11 -0800 (PST)
From: Kris Kennaway <kris@FreeBSD.org>
To: Dave McKay <dave@mu.org>
Cc: freebsd-security@freebsd.org
Subject: Re: ports security advisories..
Message-ID: <Pine.BSF.4.21.0003201414580.11659-100000@freefall.freebsd.org>
In-Reply-To: <20000320154614.A63670@elvis.mu.org>
On Mon, 20 Mar 2000, Dave McKay wrote:

> Is it really necessary to post the ports security advisories?
> The exploitable programs are not part of the FreeBSD OS, they
> are third party software. I think the proper place for these
> is the Bugtraq mailing list on securityfocus.com. Also to add
> to the arguments, most of the advisories are not FreeBSD
> specific.

It's true they're not part of FreeBSD, but they're things which FreeBSD people are quite likely to install. Is a root hole in (e.g.) sendmail any worse than a root hole in a port you have installed? Both will hurt you equally much. Suppose we only publicize the "popular" security advisories - how do we quantify which ports are popular, and what about all the people who have installed an "unpopular" port? IMO, requiring people to wade through bugtraq to read the advisories is too much to ask.

Personally, I think receiving a security advisory (on average) every few weeks is not much of a burden at all on most people's mailboxes (especially since you can just scan through the headers and say "hmm, mtr..nope, haven't installed it.." <delete>), but if there was enough of a demand we could separate out the ports advisories from the base system advisories onto another list.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message