portaudit wishlist

Oliver Eikemeier eikemeier at fillmore-labs.com
Mon Aug 23 08:21:18 PDT 2004


[...]
>>>> Yes, I think it is misleading to apply such tags which a user might
>>>> take as an absolute judgement when in fact they just need to read the
>>>> description.
>>>
>>> Not everyone has the time to review every description.  Besides, the
>>> description might be as wrong or misleading as the tags mentioned. If
>>> you say "users have to understand the system fully or they shouldn't
>>> run the software" you basically state "FreeBSD is only for experts". I'm
>>> just trying to make some often asked questions machine readable.  For
>>> example when I run portaudit on a server with no users, I might decide
>>> to care for local exploitable vulnerabilities only every Friday, while I
>>> have to handle remote exploitable vulnerabilities immediately. This
>>> system is not perfect, but usable. You give users basically no way to
>>> filter the information, which would be a valuable feature. On one hand
>>> you state users have to be knowledgeable to run a system, on the other
>>> you claim they might take tags `as an absolute judgement'. In this case
>>> reading the (possibly wrong) description might not improve anything.
>>
>> Your ``reasoning'' makes me dizzy.
>>
>> Look Oliver, knock yourself out: come up with your own severity rating
>> scheme and implement it.  Stop bugging the security team to do it,
>> I've already explained that we will not at this time.
>
> Ok, back to my own database specification then? We have just a 
> different view on our user base, and I think you fail to address some 
> needs. Not everybody is a purist here, some `just want to have the job 
> done', even when this means to err once or twice.

Thinking a little about it, I believe this should be discussed in a
place where portaudit users are present, either ports@ or security.
freebsd-vuxml@ has too few subscribers to get a useful picture of what
features are desired by users.

-Oliver


