> Date: Wed, 27 May 2015 14:35:41 -0700 > From: "Roger Marquis" <marq...@roble.com> > To: "Mark Felder" <f...@freebsd.org> > Cc: freebsd-po...@freebsd.org, freebsd-security@freebsd.org > Subject: Re: New pkg audit / vuln.xml failures (php55, unzoo) > Message-ID: <mailman.91.1432814411.48534.freebsd-secur...@freebsd.org> > Content-Type: text/plain;charset=iso-8859-1 > >>> * operators of FreeBSD servers (unlike Debian, Ubuntu, RedHat, Suse and >>> OpenBSD server operators) have no assurance that their systems are >>> secure. >>
That's an interesting definition of security assurance. The existence or quicker updating of a list of insecure packages does not make a system secure. It aids in the auditing of the security of the system, which is not the same thing as actually having a secure system. Standard logic says that lack of evidence does not prove non-existence. What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that their systems are secure? An audit trail of CVE issues fixed, while a good start. is hardly a strong assurance that the system is secure. How much faster must FreeBSD respond for it to join the "security assurance" club of the major Linux vendors? Is this a paperwork issue or a process issue? Walter _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"