From: Michael Nottebrock <michaelnottebrock@gmx.net>
To: Oliver Eikemeier
Cc: "Jacques A. Vidrine", FreeBSD Security <freebsd-security@freebsd.org>
Date: Tue, 30 Mar 2004 02:00:01 +0200
Message-ID: <4068B881.4010304@gmx.net>
In-Reply-To: <4068A90A.7000104@fillmore-labs.com>
Subject: Re: cvs commit: ports/multimedia/xine Makefile

Oliver Eikemeier wrote:
> That's a question of semantics. It makes absolutely no sense to add a
> package to the portaudit database when you won't mark the port as
> FORBIDDEN.

To me it makes no sense anymore to mark ports FORBIDDEN for security
reasons at all - portaudit uses a centralized source of information, it
is much more efficient than cvsup, as you mentioned it's smarter with
regard to old versions and it does automated checks via periodic. In
short, bye-bye FORBIDDEN, hello portaudit.

> The message is `do not install this port', and I hope to get support
> for portaudit into sysinstall to prevent users with release CDs from
> installing vulnerable ports in the first place. Currently there is no
> such thing as `It may be ok to use this port if you are careful'; if
> you deem such a feature useful I will look into implementing it.

I'd deem such a feature quite useful indeed. Actually, the
decision-making about what is too serious to ignore and what is not
could be handed back to the system administrator this way: if VuXML
provided a fine-grained classification of security issues (not by
severity, but by type: privilege escalation (incl. root/excl. root),
local/remote denial-of-service, buffer-overflow-but-no-exploit-known,
etc., etc.), users could customize portaudit to forbid access to
packages or just warn about them from a set of rules (which would
ideally also allow making exceptions by portname and other criteria - I
realise that's quite a wishlist, but since you asked... ;-)). The
current behaviour could be provided as default.

--
Michael Nottebrock | lofi@freebsd.org
FreeBSD - The Power to Serve | http://www.freebsd.org
K Desktop Environment on FreeBSD | http://freebsd.kde.org