Date: Thu, 13 Jul 2000 18:42:22 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: Frank Tobin <ftobin@uiuc.edu>
Cc: security@FreeBSD.ORG
Subject: Re: Two kinds of advisories?
Message-ID: <Pine.BSF.4.21.0007131826350.13660-100000@freefall.freebsd.org>
In-Reply-To: <Pine.BSF.4.21.0007131902540.62151-100000@srh0902.urh.uiuc.edu>
On Thu, 13 Jul 2000, Frank Tobin wrote:

> Kris Kennaway, at 13:44 -0700 on Thu, 13 Jul 2000, wrote:
>
> > "Ports" is already in the subject. If someone doesn't know what "Ports"
> > means, how will changing the advisory numbering make any difference?
>
> Because management won't know what "Ports" means, but will make decisions
> about the use of FreeBSD irregardless of whether the advisory is really
> for FreeBSD.

Turn this to your advantage: we acknowledge and fix our security bugs in
public, and those in software we ship, regardless of how embarrassing they
may be, because we care about the security of our users. The majority of
these holes are also present in other OSes, many of whom do not bother to
acknowledge them (as) publicly. This is already apparent from the "FreeBSD
only: NO" in most of the 33 advisories this year, but it's not professional
to name the other platforms explicitly (besides the fact that we can't
always be sure, as I learned once the hard way when I overestimated the
severity of a NetBSD vulnerability).

In other words, this is an advocacy issue, not one which can be magically
fixed by cramming more into the subject line of advisories. I'm not one to
blow my own horn, but it's the kind of thing which might make a good
article or two to get this point across to the world and provide something
to point to when people make that claim.

As long as I'm the one writing these advisories I'm not going to do
anything to make them less visible to the wider community - I want it to
be known that a) FreeBSD fixes its security vulnerabilities and tells
people when we do, and b) there is an awful lot of bad code out there
which hurts *EVERYONE*, not just FreeBSD.
I see myself as providing a service to a larger community than just
FreeBSD users here precisely because these advisories are widely
distributed, and (compared to what other vendors produce) more
informative - in fact I've gotten feedback from people who don't even use
FreeBSD who have been impressed by this. I am trying to build FreeBSD's
reputation as an OS which takes security damn seriously, and so far I
think I've had at least moderate success.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>