Date:      Mon, 23 Aug 2004 09:18:03 -0500
From:      "Jacques A. Vidrine" <nectar@FreeBSD.org>
To:        Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc:        Tom Rhodes <trhodes@FreeBSD.org>
Subject:   Re: making <description> optional
Message-ID:  <20040823141803.GN27355@madman.celabo.org>
In-Reply-To: <272AEBD2-F486-11D8-8CAA-00039312D914@fillmore-labs.com>
References:  <20040822213232.GE17478@madman.celabo.org> <272AEBD2-F486-11D8-8CAA-00039312D914@fillmore-labs.com>

On Sun, Aug 22, 2004 at 11:56:42PM +0200, Oliver Eikemeier wrote:
> Jacques A. Vidrine wrote:
> 60 (in words: sixty) entries in portaudit have the description `Please
> contact the FreeBSD Security Team for more information'. There are
> references, so when you care to add a quote, feel free, in fact this
> might be a job for the security team. You can frown on them as often as
> you like, the question is whether you just want to have an optional
> <description> entry as an easy to spot sign that an editor is needed, or
> if you prefer to search for <p/> and similar constructs.

I'm not sure what you are talking about.  I don't see any such entries
in VuXML ... but you said `portaudit' so maybe you are talking about
your personal database?

> >However, I must admit that I have some doubt about the value of the
> ><discovery> date in any case.  What I'd really like to hear are some
> >arguments for keeping it or getting rid of it!  I think it is useful
> >information of itself to many reading VuXML content, and that combined
> >with <entry> it provides a good metric about our response time.  But I
> >could be overestimating the value of it, and if it somehow puts people
> >off to need to provide this information, then maybe it loses.
>
> Obviously we have a different opinion what is useful here. I expect most
> users to be simple consumers, not security researchers. They need
> information about the severity of a vulnerability, and maybe
> remote/local exploitability, whoever cares about the discovery date
> could check the references. Often I find the discovery date
> entertaining, but not useful.

So I'll take that as a vote for not keeping it (<discovery>).  Such
a change (dropping required content) would need to take place in a
`major' update e.g. VuXML 2.0.  We'll revisit it then, maybe someone
else will add some opinions before then.

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
