Date: Mon, 20 Mar 2000 19:11:21 -0700
From: Warner Losh <imp@village.org>
To: Dave McKay <dave@mu.org>
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: ports security advisories..
Message-ID: <200003210211.TAA19792@harmony.village.org>
In-Reply-To: Your message of "Mon, 20 Mar 2000 15:46:14 CST." <20000320154614.A63670@elvis.mu.org>
References: <20000320154614.A63670@elvis.mu.org>
In message <20000320154614.A63670@elvis.mu.org> Dave McKay writes:
: Is it really necessary to post the ports security advisories?

Yes.

: The exploitable programs are not part of the FreeBSD OS, they
: are third party software. I think the proper place for these
: is the Bugtraq mailing list on securityfocus.com. Also to add
: to the arguments, most of the advisories are not FreeBSD
: specific.

But they are part of FreeBSD in the public mind. In order to show FreeBSD's commitment to security, we must inform the public about all parts of the system that we offer under our name. The FreeBSD ports collection is very much part of FreeBSD, and is very FreeBSD specific[*]. Since we have packaged the sources for people, they have the reasonable expectation that this packaging was done in a safe and secure way.

It is passing the buck to say "well, it really wasn't our fault that popper had a bug in it, so we didn't think we needed to tell anybody." It is code we've made available. It is no different than holes in the base OS that we inherited from the 4.4-lite distribution. We could say "well, all BSD derived OSes have this problem, so we'll not tell anybody that we fixed it." They are the same thing, especially in the mind of the users of the system.

We want to elevate the security of the entire system to a higher level, and to do that we have to disseminate security information about the system more fully than we've done in the past.

I'm sorry that you feel that this step to improve the security of FreeBSD is inappropriate and annoys you. So far I've had only one or two negative comments from the increased level of posting about these problems. Kris has done an excellent job of running down these issues and keeping on top of them.
I think he's done the greater community an excellent service by reading bugtraq and other sources of security information and identifying those problems which will negatively impact FreeBSD users and issuing advisories. Keeping up with bugtraq can take a lot of time and effort, and Kris' advisories make this easy.

Warner Losh
FreeBSD Security Officer