On Thu, 18 Feb 2016, Kubilay Kocak wrote: > On 18/02/2016 3:51 AM, Warren Block wrote: >> On Wed, 17 Feb 2016, Eric van Gyzen wrote: >> >>> On 02/17/2016 08:19, Warren Block wrote: >>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote: >>>> >>>>> A short note on the www.freebsd.org website would probably be helpful, >>>>> as this case will produce a lot of noise. >>>> >>>> Maybe a short article like we did for leap seconds? >>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html >>>> >>>> >>> >>> Articles are permanent, which makes sense for the recurring issue of >>> leap seconds. This vulnerability is transient, so I would suggest a >>> news item. >> >> Yes, but news items are usually just links. For the amount of >> information we have so far, an article seems like the easiest way to do >> this. Or maybe an addition to the security part of the web site? >> >> For now, I'll collect the information as just text. > > Don't we also want our sec teams to investigate/confirm it anyway, > independent of how it's communicated? Absolutely. > If so, doesn't a security advisory (with secteam and/or ports-secteam as > appropriate) make the most sense here, given the scope of vulnerability > for base/linux emulation/ports is yet to be completely established and > is still to be investigated properly? Have there been security advisories for unconfirmed or not-actually-a-problem events before? My impression was that they have only been announced when a problem exists and action needs to be taken. However, a real problem *does* exist for Linux VMs and applications on FreeBSD, so it could be addressed that way. A "we are investigating" advisory right now could do some good, if the protocols allow it. > Finally, would users expect a news item, an article or a heads up from > our security teams for something like this, even in the case where it's > only a "confirmed we're not affected" ? A news item linking to a "it's not us!" advisory would be no problem. People have to go looking for that. Those who are subscribed to the security mailing list will receive those notices directly, and because those are expected to be problems that need to be addressed immediately, it might cause some initial palpitations as if it were an actual problem with FreeBSD.Received on Wed Feb 17 2016 - 16:23:40 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:02 UTC