From owner-freebsd-security Thu Jun 3 10:45:50 1999
Date: Thu, 3 Jun 1999 10:45:21 -0700
From: Matthew Hunt
To: Unknow User
Cc: Bill Fumerola, freebsd-security@freebsd.org
Subject: Re: SSH2 (in FreeBSD-Questions)
Message-ID: <19990603104521.I58665@wopr.caltech.edu>
In-Reply-To: <375693C1.68C59211@tdnet.com.br>; from Unknow User on Thu, Jun 03, 1999 at 02:40:01PM +0000

On Thu, Jun 03, 1999 at 02:40:01PM +0000, Unknow User wrote:

> The problem is that we never know what SUID, port will install!
> It happens that other has the same "false sense of security" I have:

You smoke crack. How do you know what SUID binaries any software will install? You read the source! You can do exactly the same for the Ports Collection. It's all plain English (or at least plain Makefile) for your perusal. You even get a nice listing of what files were installed, so you can examine them yourself. Most source tarballs do not provide that information.

I think you need to learn how the Ports Collection works before you condemn it. You clearly do not understand it all.

I also think it's odd that you think we would introduce security risks into software deliberately. I mean, we're the same people who can and do change the rest of FreeBSD. Presumably you trust us to do that right, or have you read all of /usr/src? If I wanted to introduce a security hole, I'd bury it somewhere in the FreeBSD userland, not in ports, to make sure everyone got it. Sheesh.

-- 
Matthew Hunt * UNIX is a lever for the
http://www.pobox.com/~mph/ * intellect. -J.R. Mashey
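
The check the message describes (examining the listing of installed files for SUID binaries), as an added example that is not part of the original message or of the FreeBSD ports tools. It assumes a pkg_install-style packing list ("+CONTENTS": one path per line, relative to the most recent `@cwd` line, other `@` lines being directives); `suid_audit` and its optional staging-root argument are hypothetical names.

```shell
#!/bin/sh
# Added example: report setuid/setgid files named in a packing list.
# Assumed input format: paths relative to the last "@cwd DIR" line;
# every other line starting with "@" is a directive and is skipped.

# suid_audit LIST [ROOT]
#   LIST  packing list file to read
#   ROOT  optional staging root prepended to every path (hypothetical
#         parameter, so a staged install tree can be audited in place)
suid_audit() {
    list=$1
    root=${2:-}
    cwd=                      # paths before any @cwd are relative to /
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "@cwd "*) cwd=${line#@cwd }; continue ;;
            @*|"")    continue ;;
        esac
        path=$root$cwd/$line
        # Skip symlinks (their targets may lie outside the package)
        # and anything that is not a regular file.
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            continue
        fi
        flags=
        if [ -u "$path" ]; then flags=SUID; fi
        if [ -g "$path" ]; then flags=${flags:+$flags+}SGID; fi
        if [ -n "$flags" ]; then
            printf '%s %s\n' "$flags" "$cwd/$line"
        fi
    done < "$list"
}

# Stand-alone use: sh suid_audit.sh LIST [ROOT]
if [ "$#" -ge 1 ]; then
    suid_audit "$@"
fi
```

Each reported path is a file to read the source for before trusting the port; an empty result means the listed files carry no setuid or setgid bit.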