From: Kris Kennaway
To: Jeremy Lea, Kris Kennaway, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Mon, 5 Feb 2001 00:34:10 -0800
Subject: Re: cvs commit: ports/x11/XFree86-aoutlibs pkg-req

On Mon, Feb 05, 2001 at 12:30:04AM -0800, Jeremy Lea wrote:
> Hi,
>
> On Mon, Feb 05, 2001 at 12:22:01AM -0800, Kris Kennaway wrote:
> > I'd rather we disallow installation from sysinstall rather than hiding
> > the security warnings and let people blow off their own feet.
> >
> > Better yet, we could fix the security problems by rebuilding the
> > binaries with security fixes applied, on the appropriate machine.
>
> This isn't a problem with security. sysinstall has not run ldconfig
> by the time the requirements script is run, so pkg-req doesn't think
> that libraries that are really there are.

The problem I was referring to is that people who install this package
from sysinstall explicitly, or worse, by virtue of it being a
dependency, will not see the warning about the potential security
problems. This isn't the only case which has been 'fixed' by just
overriding the warning, so I'm not happy about the general approach.
Until we can fix sysinstall I'd prefer to have these packages
unavailable from there.

> With regards to the security problems... The distfile I was using has
> gone from ftp.xfree86.org, so I'm going to have to find a new distfile
> anyway. Looks like I'm going to have to find some spare hardware and
> install 2.2.8 on it and build the 3.3.6 port from there.

I'm sure you can find a 2.2.8 machine to build on if you ask.

Kris