> Date: Wed, 27 May 2015 14:35:41 -0700 > From: "Roger Marquis" <[email protected]> > To: "Mark Felder" <[email protected]> > Cc: [email protected], [email protected] > Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) > Message-ID: <[email protected]> > Content-Type: text/plain;charset=iso-8859-1 > >>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and >>> OpenBSD server operators) have no assurance that their systems are >>> secure. >>
That's an interesting definition of security assurance. The existence or quicker updating of a list of insecure packages does not make a system secure. It aids in the auditing of the security of the system, which is not the same thing as actually having a secure system. Standard logic says that lack of evidence does not prove non-existence. What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that their systems are secure? An audit trail of CVE issues fixed, while a good start. is hardly a strong assurance that the system is secure. How much faster must FreeBSD respond for it to join the "security assurance" club of the major Linux vendors? Is this a paperwork issue or a process issue? Walter _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
