reporter on deadline seeks comment about reported security bug
gesbbb at yahoo.com
Tue Sep 15 18:13:20 UTC 2009
On Tue, 15 Sep 2009 13:18:29 -0400
Bill Moran <wmoran at potentialtech.com> wrote:
> On Tue, 15 Sep 2009 13:03:50 -0400
> Jerry <gesbbb at yahoo.com> wrote:
> > On Tue, 15 Sep 2009 11:13:31 -0400
> > Bill Moran <wmoran at potentialtech.com> wrote:
> > > In response to Jerry <gesbbb at yahoo.com>:
> > >
> > > >
> > > > I usually discover security problems with updates I receive from
> > > > <http://www.us-cert.gov/>. Aren't FreeBSD security problems
> > > > reported to their site? If not, why? IMHO, keeping users in the
> > > > dark to known security problems is not a serviceable protocol.
> > >
> > > Because releasing security advisories before there is a fix
> > > available is not responsible use of the information, and (as is
> > > being discussed) the fix is still in the works.
> > I disagree. If I have a medical problem, or whatever, I expect to
> > be informed of it. The fact that there is no known cure, fix, etc.
> > is immaterial, if in fact not grossly negligent.
> This is a stupid and non-relevant comparison. A better comparison
> would be if I realized that you'd left your car door unlocked in a
> less than safe neighborhood. Would you rather I told you discreetly,
> or just started shouting it out loud to the neighborhood? Wait, I
> know the answer, if I see _your_ car unlocked, I'll just start
The fact is that you do in fact notify me. Keeping important security
information secret benefits no one, except for possibly those
responsible for the problem to begin with who do not want the
knowledge of the problem to become public. A multitude of software,
such as Mozilla, publish known security holes in their software.
The ramifications of allowing a user to actively use a piece of
software when a known bug/exploit/etc. exists within it is grossly
> > Being kept ignorant of a
> > security problem is as foolish a theory as "Security through
> > Obscurity".
> No, it's not. And I don't even want to hear your ill-fitting
> metaphor for how you arrived at that conclusion.
> > I find the <http://www.us-cert.gov/> updates invaluable. The fact
> > that apparently FBSD does not encompass them I find discomforting.
> You're missing the fact that FreeBSD's security issues _are_ listed
> there, when appropriate.
> Your obvious ignorance of how things operate absolves you of any right
> to complain.
> > BTW, please do not CC: me. I am subscribed to the list and do not
> > need multiple copies of the same post.
> Whine me a river, for crying out loud. List policy on this list
> since the Dawn of Time has been to CC the list and the poster. I'm
> not going to check with everyone on the list to see if they're
> subscribed or not. Don't like it? Get off the list.
I just checked the FreeBSD list web page,
failed to find any indication that CC:ing was the desired posting
response. In fact, except for a few, perhaps one or two others, I am
not aware of any perpetual CC:'s on this list. Then again, I doubt that
they feel as threatened when their beliefs are questioned. Perhaps you
should seek professional help for your anger issues.
Now, if you don't like that, "KISS MY ASS".
gesbbb at yahoo.com
If it doesn't smell yet, it's pretty fresh.
Dave Johnson, on dead seagulls