reporter on deadline seeks comment about reported security bug in FreeBSD

Mel Flynn mel.flynn+fbsd.questions at
Tue Sep 15 18:51:43 UTC 2009

On Tuesday 15 September 2009 20:13:17 Jerry wrote:
> On Tue, 15 Sep 2009 13:18:29 -0400
> Bill Moran <wmoran at> wrote:
> > On Tue, 15 Sep 2009 13:03:50 -0400
> >
> > Jerry <gesbbb at> wrote:
> > > On Tue, 15 Sep 2009 11:13:31 -0400
> > >
> > > Bill Moran <wmoran at> wrote:
> > > > In response to Jerry <gesbbb at>:
> > > > > I usually discover security problems with updates I receive from
> > > > > <>. Aren't FreeBSD security problems
> > > > > reported to their site? If not, why? IMHO, keeping users in the
> > > > > dark to known security problems is not a serviceable protocol.
> > > >
> > > > Because releasing security advisories before there is a fix
> > > > available is not responsible use of the information, and (as is
> > > > being discussed) the fix is still in the works.
> > >
> > > I disagree. If I have a medical problem, or what ever, I expect to
> > > be informed of it. The fact that there is no known cure, fix, etc.
> > > is immaterial, if in fact not grossly negligent.
> >
> > This is a stupid and non-relevant comparison.  A better comparison
> > would be if I realized that you'd left your car door unlocked in a
> > less than safe neighborhood.  Would you rather I told you discreetly,
> > or just started shouting it out loud to the neighborhood?  Wait, I
> > know the answer, if I see _your_ car unlocked, I'll just start
> > shouting.
> The fact is, that you do in fact notify me. Keeping important security
> information secret benefits no one, except for possibly those
> responsible for the problem to begin with who do not want the
> knowledge of the problem to become public. A multitude of software,
> such as Mozilla, publish known security holes in their software.
> The ramifications of allowing a user to actively use a piece of
> software when a known bug/exploit/etc. exists within it is grossly
> negligent.

Please inform yourself properly before assuming you're right. Mozilla does not 
by default publish vulnerabilities before a fix is known. In some cases 
publishing has been delayed by months. The exception is when exploits are 
already in the wild and a work around is available, while a real fix will take 
more work.

This is also why vulnerabilities are typically not disclosed till a fix is 
known, because it does not protect the typical user, but puts him in harms 
way, which is exactly what you don't want.

In theory, if I know the details of this particular exploit, I can patch my 
6.4 machines myself, but more realistically, if developers take all this time 
to come up with a solution that doesn't break functionality the chances that I 
and more casual users can do this are slim. Meanwhile, the exploit will be 
coded into the usual rootkits and internet scanners and casualties will be 
made. That doesn't help anyone.

More information about the freebsd-questions mailing list