From owner-freebsd-security@FreeBSD.ORG Tue Mar 30 01:13:18 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CF9A816A4CE; Tue, 30 Mar 2004 01:13:18 -0800 (PST) Received: from postman.arcor.de (newsread1.arcor-online.net [151.189.0.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 11FC543D45; Tue, 30 Mar 2004 01:13:18 -0800 (PST) (envelope-from eikemeier@fillmore-labs.com) Received: from fillmore.dyndns.org (port-212-202-51-138.reverse.qsc.de [212.202.51.138]) (authenticated bits=0)i2U9DFck004454 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Tue, 30 Mar 2004 11:13:16 +0200 (MEST) Received: from [172.16.0.2] (helo=fillmore-labs.com) by fillmore.dyndns.org with esmtp (Exim 4.30; FreeBSD) id 1B8FJ3-000PmM-4h; Tue, 30 Mar 2004 11:13:13 +0200 Message-ID: <40693A28.9000502@fillmore-labs.com> Date: Tue, 30 Mar 2004 11:13:12 +0200 From: Oliver Eikemeier Organization: Fillmore Labs GmbH - http://www.fillmore-labs.com/ MIME-Version: 1.0 To: Michael Nottebrock References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <4068A0AF.2090807@gmx.net> <4068A90A.7000104@fillmore-labs.com> <4068B881.4010304@gmx.net> <20040330045646.GD5998@madman.celabo.org> <406912E7.4040806@gmx.net> In-Reply-To: <406912E7.4040806@gmx.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit User-Agent: KMail/1.5.9 cc: "Jacques A. Vidrine" cc: FreeBSD Ports Management Team cc: FreeBSD Security Subject: Re: cvs commit: ports/multimedia/xine Makefile X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Mar 2004 09:13:19 -0000 Michael Nottebrock wrote: > [...] > However, it seems to me that marking ports FORBIDDEN for security > reasons is more or less obsoleted (and made redundant) by > portaudit/VuXML and committers having to hand-scan VuXML for updates and > mark ports FORBIDDEN by hand just seems like duplicated (and > error-prone) work... so maybe it's time to to away with marking ports > FORBIDDEN for security reasons completely? I think portmgr@ is the authority here. CC'ed. > Also, what eik says about integrating portaudit into sysinstall (does > this imply moving portaudit into the base-system at some point?) sounds > very good to me, but I still don't like security-by-default schemes > which can't be disabled by flipping a switch. FORBIDDEN ports are an > example for this, forcing users to hand-edit a port Makefile in order to > make it buildable (especially when the security issue is really minor or > I'm not even affected) is just a tad too BOFH-ish for my taste. Just build the port with NO_IGNORE=yes. To disable portaudit use DISABLE_VULNERABILITIES=yes. A common namespace would be a good thing here, I guess. There is currently no way to turn of warnings selectively (like `read and understood'), I don't know if this would be useful.