New pkg audit / vuln.xml failures (php55, unzoo)
Walter Parker
walterp at gmail.com
Thu May 28 17:19:14 UTC 2015
> Date: Wed, 27 May 2015 14:35:41 -0700
> From: "Roger Marquis" <marquis at roble.com>
> To: "Mark Felder" <feld at FreeBSD.org>
> Cc: freebsd-ports at freebsd.org, freebsd-security at freebsd.org
> Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo)
> Message-ID: <mailman.91.1432814411.48534.freebsd-security at freebsd.org>
> Content-Type: text/plain;charset=iso-8859-1
>
>>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and
>>> OpenBSD server operators) have no assurance that their systems are
>>> secure.
>>
That's an interesting definition of security assurance. The existence
or quicker updating of a list of insecure packages does not make a
system secure. It aids in the auditing of the security of the system,
which is not the same thing as actually having a secure system.
Standard logic says that lack of evidence does not prove
non-existence.
What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
their systems are secure? An audit trail of CVE issues fixed, while a
good start, is hardly a strong assurance that the system is secure.
How much faster must FreeBSD respond for it to join the "security
assurance" club of the major Linux vendors? Is this a paperwork issue
or a process issue?
Walter