making <description> optional

Oliver Eikemeier eikemeier at fillmore-labs.com
Mon Aug 23 08:10:08 PDT 2004 

Jacques A. Vidrine wrote:

> On Sun, Aug 22, 2004 at 11:56:42PM +0200, Oliver Eikemeier wrote:
>> Jacques A. Vidrine wrote:
>> 60 (in words: sixty) entries in portaudit have the description `Please
>> contact the FreeBSD Security Team for more information'. There are
>> references, so when you care to add a quote, feel free, in fact this
>> might be a job for the security team. You can frown on them as often as
>> you like, the question is whether you just want to have an optional
>> <description> entry as an easy to spot sign that an editor is needed, 
>> or
>> if you prefer to search for <p/> and similar constructs.
>
> I'm not sure what you are talking about.  I don't see any such entries
> in VuXML ... but you said `portaudit' so maybe you are talking about
> your personal database?

I have a supplementary databases that are as much `personal' as vuxml 
is. The portaudit text database has been announced and documented as 
mentioned in a previous discussion. Anyway, I think making the entry 
optional would be the best solution, but if you prefer a placeholder, we 
can keep `Please contact the FreeBSD Security Team for more information'.

>>> However, I must admit that I have some doubt the value of the
>>> <discovery> date in any case.  What I'd really like to hear are some
>>> arguments for keeping it or getting rid of it!  I think it is useful
>>> information of itself to many reading VuXML content, and that combined
>>> with <entry> it provides a good metric about our response time.  But I
>>> could be overestimating the value of it, and if it somehow puts people
>>> off to need to provide this information, then maybe it loses.
>>
>> Oviously we have a different opinion what is useful here. I expect most
>> users to be simple consumers, not security researchers. They need
>> information about the serverity of a vulnerability, and maybe
>> remote/local exploitability, whoever cares about the discovery date
>> could check the references. Often I find the discovery date
>> entertaining, but not useful.
>
> So I'll take that as a vote for not keeping it (<discovery>).  Such
> a change (dropping required content) would need to take place in a
> `major' update e.g. VuXML 2.0.  We'll revisit it then, maybe someone
> else will add some opinions before then.

Whatever you like. Simply using dummy values is fine with me.
-Oliver

More information about the freebsd-vuxml mailing list