From owner-freebsd-ports Fri Nov 22 9:34: 5 2002 Delivered-To: freebsd-ports@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 17D1137B401; Fri, 22 Nov 2002 09:34:04 -0800 (PST) Received: from mail.karamazov.org (h162-040-089-010.adsl.navix.net [162.40.89.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id C132043EAA; Fri, 22 Nov 2002 09:33:54 -0800 (PST) (envelope-from smoberly@karamazov.org) Received: from karamazov.org (mail.karamazov.org [10.0.0.11]) by mail.karamazov.org (8.12.6/8.12.6) with SMTP id gAMHXjua077259; Fri, 22 Nov 2002 11:33:45 -0600 (CST) (envelope-from smoberly@karamazov.org) From: "Scott A. Moberly" Received: from 65.221.169.187 (SquirrelMail authenticated user smoberly) by mail.karamazov.org with HTTP; Fri, 22 Nov 2002 11:33:45 -0600 (CST) Message-ID: <6131.65.221.169.187.1037986425.squirrel@mail.karamazov.org> Date: Fri, 22 Nov 2002 11:33:45 -0600 (CST) Subject: Re: SOUP To: X-Priority: 3 Importance: Normal Cc: X-Mailer: SquirrelMail (version 1.2.8) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On Fri, 2002-11-22 at 12:17, Scott A. Moberly wrote: >> > On Fri, 2002-11-22 at 10:35, Scott A. Moberly wrote: >> >> The SOAP library SOUP is now required throughout the gnome >> structure. Given that gtkhtml requires it in the Makefile, but does not actually require it. Given the inherent security issues raised with SOAP. I was curious if it can be made optional. It could even be in the negative if you prefer; i.e. >> > >> > Maybe I've been out of it, but what security issues are we talking >> about? Can you site references? >> > >> > Joe >> > >> >> My main complaint lies simply with arbitrary access to data without the user (of the process) having direct control. Scary if it moves into root controlled processes. Other issues involve firewall >> slipthrough. Many other reason's can be found... google it with soap and security. > > I'd like to see some security advisories on this, particularly in relation to the one app known to use Soup: Evolution. So far, you are the only one to raise the issue. Okay... so what you are saying is that i have to wait for something to be broken and have a Security Advisory issued prior to having it optional. The protocol itself is flawed. The company that devised it (Microsoft) has not only warned of the firewall issue it has also issued Security additions (WS-Security) that are patented and thus potentially problematic. I would like to avoid the issue before it is raised: pro-active is the market-speak for this I believe. I am not asking the library to be removed; rather given an optional flag. Scott A. Moberly smoberly@karamazov.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message