Walter Parker wrote:> What actual assurance do Debian, Ubuntu, Redhat, and Suse provide that
> their systems are secure? An audit trail of CVE issues fixed, while a
> good start. is hardly a strong assurance that the system is secure.
An important point and thank you for making it Walter. There is no assurance
against zero-day vulnerabilities or vulns that are otherwise not published
(outside of the NSA). That would be absolute security. In the context of
relative security, however, assurance can perhaps be defined as being able to
assume that CVEs released by the NIST, announced by code or other operating
system maintainers or published by researchers or third parties such as
Rapid7 and Tripwire are reflected in vuln.xml (after a reasonable timeframe).
> How much faster must FreeBSD respond for it to join the "security
> assurance" club of the major Linux vendors? Is this a paperwork issue
> or a process issue?
We don't have much insight into the workings of FreeBSD's security teams
so it
appears to be a matter of policy. Would be great if Dag could comment here.
The policies I would most like to know about are transparency-related i.e.,
published security-related procedures, projects and RFCs. Otherwise, what
appears to be lacking is (additional) automation of the process of scanning
CVEs and advisories by other organizations and subsequent prioritization,
review and formatting for publication.
There are several of us interested in contributing towards these goals,
financially, codewise and otherwise, but it is distressingly unclear how.
There are PRs of course, but if, say, someone wanted to contribute
specifically to the process of automating vuln.xml updates or to donate
specifically to the security teams .... Pointers gladly accepted.
Roger