echo: nthelp
to: Geo.
from: Robert Comer
date: 2004-02-13 20:03:16
subject: Re: https://rhn.redhat.com/errata/RHSA-2004-051.html

> So does a vuln discovered in a language library count as an OS vuln and an
> app vuln or is it just a lib vuln and not count for anything that includes
> it?

That's a tough call as there's lots of different kinds of libraries and I'm
not sure what you mean -- if it's a custom library for the app it's an app
bug, if it's something like the base OS function library then it's an OS and
if it's a compiler specific library, then it's a compiler problem.

> What if I provide a CD (lets call it gOSh) that I market as a web server OS,
> it includes Linux/Apache/Mysql, does a vuln in mysql count as an OS vuln?

No.  (I like that name for an OS distribution btw.)

> If microsoft does the same thing, NT/IIS/SQLserver does an sqlserver bug
> count as an OS vuln then?

No.

> Ok how about if instead of a web server they have
> a product that includes an optional database based file system, is sqlserver
> now counted as part of the OS?

Still no.

Now if you were talking about the AS/400, the database is part of the OS,
so it would be an OS problem btw...

> You guys want to call it an OS vuln

Who's you guys -- I don't want to call it that, nor do I want to call mutt
or GAIM Linux vulnerabilities.

> I'm just calling it a product vuln to
> avoid all this nebulous nonsense.

We agree.

> If it comes as part of the product and
> requires a patch then that product, whatever you call it, has a vuln, up the
> count by 1.

But mutt and gaim don't come with all Linux, so it's still not a Linux
problem.  (It is a distribution problem, I'm not arguing against that.)

> If you guys can't accept that then I'm going to restrict my definition of NT
> to only what's included in embedded NT and forget all the stuff included in
> other distributions like pro or server since obviously they aren't part of
> the OS.

We're not restricting Linux to the kernel only, so no way could you go to
that level either.

- Bob Comer



"Geo." wrote in message news:402d6ea4$1{at}w3.nls.net...

> "Robert Comer" wrote in message
> news:402cf584$1{at}w3.nls.net...
>
> > In the absolute sense you are right, but that's not what we're discussing.
> >
> > It does if you're only discussing OS vulnerabilities.
>
> So does a vuln discovered in a language library count as an OS vuln and an
> app vuln or is it just a lib vuln and not count for anything that includes
> it?
>
> What if I provide a CD (lets call it gOSh) that I market as a web server OS,
> it includes Linux/Apache/Mysql, does a vuln in mysql count as an OS vuln?
>
> If microsoft does the same thing, NT/IIS/SQLserver does an sqlserver bug
> count as an OS vuln then? Ok how about if instead of a web server they have
> a product that includes an optional database based file system, is sqlserver
> now counted as part of the OS?
>
> You guys want to call it an OS vuln, I'm just calling it a product vuln to
> avoid all this nebulous nonsense. If it comes as part of the product and
> requires a patch then that product, whatever you call it, has a vuln, up the
> count by 1.
>
> If you guys can't accept that then I'm going to restrict my definition of NT
> to only what's included in embedded NT and forget all the stuff included in
> other distributions like pro or server since obviously they aren't part of
> the OS.
>
> Geo.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
