From owner-freebsd-security Wed Dec 1 22:56:42 1999
Date: Wed, 1 Dec 1999 22:55:24 -0800 (PST)
From: Jesse
To: "Jordan K. Hubbard"
Cc: Brock Tellier, Bill Swingle, security@FreeBSD.ORG
Subject: Re: [Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities] ]
In-Reply-To: <36932.944099245@zippy.cdrom.com>

> I'm not arguing this at all, I'm simply saying that these issues
> should be brought up with the 200 or so maintainers of those
> suid-programs in ports. The security officer hasn't a prayer of
> addressing all of these and the core parts of FreeBSD as well and this
> is one of those areas where delegation and "distributed processing" is
> a necessity. Issues with ports need to be raised with the appropriate
> ports people.

Wouldn't it be reasonable, however, to expect the security officer to redirect notifications to the proper maintainers? In most organizations, if you contact the wrong person, they'll pass on your message to the correct one. One might think one of the benefits of having a security officer is not just a person to fix security holes (I doubt that's the job description, anyway), but to help coordinate and assure that the information gets to the right people.

Just two cents,

---
Jesse