From: twig les
Subject: Re: Ports are insecure?
To: Erick Mechler, David Olbersen
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 27 Aug 2002 12:55:12 -0700 (PDT)
Message-ID: <20020827195512.6124.qmail@web10104.mail.yahoo.com>
In-Reply-To: <20020827170508.GI90157@techometer.net>

I think the view that 'more ports = less security' has to do with the idea that if you don't need it, don't install it (or with non-BSD systems...uninstall it). Almost any program has the potential to be a security hole, so if you need to run BIND, just run BIND and ssh, not AIM and FTP etc.... In this sense it's not a ports issue, but rather an overall approach (one that most vendors still ignore).

--- Erick Mechler wrote:
> :: I read (in this list I think) that somebody was of the opinion that
> :: every port installed decreases the security of a machine.
>
> I'm not sure I would go that far, but I would say that for every network
> port you have open, the amount of admin time does increase. In a way it
> does make it more insecure, but only if you don't keep up with security
> upgrades, patches, etc.
>
> :: How exactly does that work? Is this based on the idea that nearly
> :: anybody can contribute a port, but the core system is reviewed by a
> :: team?
>
> Not just anybody can contribute to a FreeBSD port entry; the commit still
> has to be done by an authorized committer. However, it's true that just
> about anybody's software package can become a port, so if you just blindly
> start installing ports, you might, on rare occasions, install a piece of
> software that's been trojaned (take the recent OpenSSH trojan for example).
>
> I hope (maybe) this addressed some of your questions :) If you have more
> questions about the ports system, I'd check out the relevant section of the
> Handbook:
>
> http://www.freebsd.org/doc/handbook/ports.html
>
> Cheers - Erick

=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
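The trojaned-distfile risk Erick raises is what a port's distinfo file is for: the ports framework records each distfile's checksum and size and refuses to build when a fetched tarball does not match. The following is an added example, not the ports system's own make logic, of that check in Python; it assumes the modern SHA256/SIZE distinfo format (2002-era files carried MD5 lines of the same shape), and the distfile name, bytes and timestamp are constructed for the demo.

```python
import hashlib
import re
# distinfo line shape (assumption: SHA256/SIZE form): KIND (distfile) = value
_LINE = re.compile(r'^(SHA256|SIZE)\s+\((?P<name>[^)]+)\)\s*=\s*(?P<value>\S+)$')

def parse_distinfo(text):
    """Return {distfile: {'SHA256': hex, 'SIZE': int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('TIMESTAMP'):
            continue  # TIMESTAMP carries no integrity data
        m = _LINE.match(line)
        if not m:
            raise ValueError('unrecognised distinfo line: %r' % line)
        kind, name, value = m.group(1), m.group('name'), m.group('value')
        entry = entries.setdefault(name, {})
        entry[kind] = int(value) if kind == 'SIZE' else value.lower()
    return entries

def verify_distfile(distinfo, name, data):
    """Check a fetched distfile against distinfo; return (ok, reason)."""
    entry = distinfo.get(name)
    if entry is None:
        return False, 'no distinfo entry for %s' % name
    if 'SIZE' in entry and len(data) != entry['SIZE']:
        return False, 'size mismatch: got %d, expected %d' % (len(data), entry['SIZE'])
    if 'SHA256' not in entry:
        return False, 'no SHA256 recorded for %s' % name
    digest = hashlib.sha256(data).hexdigest()
    if digest != entry['SHA256']:
        return False, 'checksum mismatch: distfile was replaced or corrupted'
    return True, 'ok'

# Constructed sample: a pretend distfile and the distinfo that matches it.
GOOD_DISTFILE = b'fake-tarball-contents-for-demo\n'
SAMPLE_DISTINFO = (
    'TIMESTAMP = 1030478112\n'
    'SHA256 (example-1.0.tar.gz) = %s\n'
    'SIZE (example-1.0.tar.gz) = %d\n'
) % (hashlib.sha256(GOOD_DISTFILE).hexdigest(), len(GOOD_DISTFILE))
# A "trojaned" distfile: same size as the genuine one, different bytes,
# so the size check passes and only the checksum catches the swap.
TROJANED_DISTFILE = b'fake-tarball-contents-for-dem0\n'

def demo():
    info = parse_distinfo(SAMPLE_DISTINFO)
    return (verify_distfile(info, 'example-1.0.tar.gz', GOOD_DISTFILE),
            verify_distfile(info, 'example-1.0.tar.gz', TROJANED_DISTFILE),
            verify_distfile(info, 'other-2.0.tar.gz', GOOD_DISTFILE))
```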