Re: CVE-2015-7547: critical bug in libc

From: Kubilay Kocak <koobs_at_FreeBSD.org>
Date: Thu, 18 Feb 2016 05:21:09 +1100
On 18/02/2016 4:23 AM, Warren Block wrote:
> On Thu, 18 Feb 2016, Kubilay Kocak wrote:
> 
>> On 18/02/2016 3:51 AM, Warren Block wrote:
>>> On Wed, 17 Feb 2016, Eric van Gyzen wrote:
>>>
>>>> On 02/17/2016 08:19, Warren Block wrote:
>>>>> On Wed, 17 Feb 2016, Kurt Jaeger wrote:
>>>>>
>>>>>> A short note on the www.freebsd.org website would probably be helpful,
>>>>>> as this case will produce a lot of noise.
>>>>>
>>>>> Maybe a short article like we did for leap seconds?
>>>>> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/leap-seconds/article.html
>>>>>
>>>>
>>>> Articles are permanent, which makes sense for the recurring issue of
>>>> leap seconds.  This vulnerability is transient, so I would suggest a
>>>> news item.
>>>
>>> Yes, but news items are usually just links.  For the amount of
>>> information we have so far, an article seems like the easiest way to do
>>> this.  Or maybe an addition to the security part of the web site?
>>>
>>> For now, I'll collect the information as just text.
>>
>> Don't we also want our sec teams to investigate/confirm it anyway,
>> independent of how it's communicated?
> 
> Absolutely.
> 
>> If so, doesn't a security advisory (with secteam and/or ports-secteam as
>> appropriate) make the most sense here, given the scope of vulnerability
>> for base/linux emulation/ports is yet to be completely established and
>> is still to be investigated properly?
> 
> Have there been security advisories for unconfirmed or
> not-actually-a-problem events before?  My impression was that they have
> only been announced when a problem exists and action needs to be taken.

This "No SA, no problem" pattern is reasonable for the default case, and the
vast majority of issues. This glibc issue, like Heartbleed and others,
may be sufficiently high-profile to warrant special treatment, even if
not in "SA" form.

> However, a real problem *does* exist for Linux VMs and applications on
> FreeBSD, so it could be addressed that way.  A "we are investigating"
> advisory right now could do some good, if the protocols allow it.
> 
>> Finally, would users expect a news item, an article or a heads up from
>> our security teams for something like this, even in the case where it's
>> only a "confirmed we're not affected" ?
> 
> A news item linking to a "it's not us!" advisory would be no problem.
> People have to go looking for that.
> 
> Those who are subscribed to the security mailing list will receive those
> notices directly, and because those are expected to be problems that
> need to be addressed immediately, it might cause some initial
> palpitations as if it were an actual problem with FreeBSD.

Yup, and let me make clear an out-there-in-the-world distinction between
'an advisory by FreeBSD security people' and a FreeBSD "SA", the
implementation format.

./koobs
Received on Wed Feb 17 2016 - 17:21:19 UTC