From owner-freebsd-security  Thu Jun  3 10:45:50 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wopr.caltech.edu (wopr.caltech.edu [131.215.240.222])
	by hub.freebsd.org (Postfix) with ESMTP id E847A1555B
	for <freebsd-security@freebsd.org>; Thu,  3 Jun 1999 10:45:43 -0700 (PDT)
	(envelope-from mph@wopr.caltech.edu)
Received: (from mph@localhost)
	by wopr.caltech.edu (8.9.3/8.9.1) id KAA59726;
	Thu, 3 Jun 1999 10:45:21 -0700 (PDT)
	(envelope-from mph)
Date: Thu, 3 Jun 1999 10:45:21 -0700
From: Matthew Hunt <mph@astro.caltech.edu>
To: Unknow User <kernel@tdnet.com.br>
Cc: Bill Fumerola <billf@jade.chc-chimes.com>,
	freebsd-security@freebsd.org
Subject: Re: SSH2 (in FreeBSD-Questions)
Message-ID: <19990603104521.I58665@wopr.caltech.edu>
References: <Pine.BSF.3.96.990603133742.8776C-100000@jade.chc-chimes.com> <375693C1.68C59211@tdnet.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <375693C1.68C59211@tdnet.com.br>; from Unknow User on Thu, Jun 03, 1999 at 02:40:01PM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jun 03, 1999 at 02:40:01PM +0000, Unknow User wrote:

> The problem is that we never now what SUID, port will install!
> It happens that other has the same "false sense of security" i have:

You smoke crack.

How do you know what SUID binaries any software will install?  You
read the source!  You can do exactly the same for the Ports Collection.
It's all plain English (or at least plain Makefile) for your perusal.

You even get a nice listing of what files were installed, so you can
examine them yourself.  Most source tarballs do not provide that
information.

I think you need to learn how the Ports Collection works before you
condemn it.  You clearly do not understand it all.

I also think it's odd that you think we would introduce security
risks into software deliberately.  I mean, we're the same people who
can and do change the rest of FreeBSD.  Presumably you trust us to
do that right, or have you read all of /usr/src?  If I wanted to
introduce a security hole, I'd bury it somewhere in the FreeBSD
userland, not in ports, to make sure everyone got it.  Sheesh.

-- 
Matthew Hunt <mph@astro.caltech.edu> * UNIX is a lever for the
http://www.pobox.com/~mph/           * intellect. -J.R. Mashey


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message