From owner-freebsd-security Mon Nov 29 22:51:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 43AD9157AE; Mon, 29 Nov 1999 22:51:38 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id BAA08444; Tue, 30 Nov 1999 01:51:37 -0500 (EST) (envelope-from robert@cyrus.watson.org)
Date: Tue, 30 Nov 1999 01:51:37 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: freebsd-audit@freebsd.org, freebsd-security@freebsd.org
Subject: Topics for -security vs. topics for -audit
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

(For those on -security who missed it for whatever reason (such as it only being announced on -current, and only during Thanksgiving for those US-side people who might have gone on vacation :-), a source code auditing mailing list has been set up for the discussion of reviewing FreeBSD source for security holes, and can be subscribed to by sending "subscribe freebsd-audit" to majordomo@freebsd.org.)

On with the email:

So, I often resent those "you're off-topic" posts sent to mailing lists, but I think there's a need to distinguish the purposes of the -security and -audit mailing lists. My feeling is that -audit is likely to be a code-heavy list--that is, commentary on patches, patching techniques, and lists of files and function references. As such, it's likely to get only cursory reading by those not directly involved in the source code auditing process. On the other hand, -security is a mailing list for general security discussion, including policy issues, regular use, etc.
Even in the past two days, we've seen significant discussion that should probably be taking place on -security: selecting a pseudo-random number generator does relate to source code, but it's also an issue our crypto-intense folks should be keeping an eye on, even those that are not into detailed coding. Where to use the pseudo-random number generator becomes more of an auditing issue--places where it should be used, but some approximation is currently used, or where a poor seed is used. The same goes for default conditions for using the prng in network and pid code, etc. This is discussion relevant to a wide audience. As such, I think making the distinction between the list topics is important, and making sure the broad policy issues get fully aired on -security is also important.

It's my intent to read both mailing lists, but I can tell you that when my work gets heavy, it'll be diff-heavy messages on -audit that lose out, and -security policy discussions that get my attention. And I don't want to miss the wrong policy discussion that relates to my work :-). This of course raises the specter of cross-posting, but to be honest, I think that's ok on a pair of mailing lists like this, as long as people keep in mind moderation :-).

Thanks,

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message