portaudit wishlist
Oliver Eikemeier
eikemeier at fillmore-labs.com
Mon Aug 23 08:21:18 PDT 2004
[...]
>>>> Yes, I think it is misleading to apply such tags which a user might
>>>> take as an absolute judgement when in fact they just need to read the
>>>> description.
>>>
>>> Not everyone has the time to review every description. Besides, the
>>> description might be as wrong or misleading as the tags mentioned. If
>>> you say "users have to understand the system fully or they shouldn't
>>> run the software" you basically state "FreeBSD is only for experts". I'm
>>> just trying to make some often asked questions machine readable. For
>>> example when I run portaudit on a server with no users, I might decide
>>> to care for locally exploitable vulnerabilities only every Friday, while I
>>> have to handle remotely exploitable vulnerabilities immediately. This
>>> system is not perfect, but usable. You give users basically no way to
>>> filter the information, which would be a valuable feature. On one hand
>>> you state users have to be knowledgeable to run a system, on the other
>>> you claim they might take tags `as an absolute judgement'. In this case
>>> reading the (possibly wrong) description might not improve anything.
>>
>> Your ``reasoning'' makes me dizzy.
>>
>> Look Oliver, knock yourself out: come up with your own severity rating
>> scheme and implement it. Stop bugging the security team to do it,
>> I've already explained that we will not at this time.
>
> Ok, back to my own database specification then? We have just a
> different view on our user base, and I think you fail to address some
> needs. Not everybody is a purist here, some `just want to have the job
> done', even when this means to err once or twice.
Thinking a little about it, I believe this should be discussed in a
place where portaudit users are present, either ports@ or security.
freebsd-vuxml@ has too few subscribers to get a useful picture of what
features are desired by users.
-Oliver