Date: Fri, 9 Feb 2001 10:51:13 -0800
From: Linh Pham <linhp@bnj.com>
To: Wes Peters <wes@softweyr.com>, freebsd-advocacy@freebsd.org
Subject: RE: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
Message-ID: <CAB52D097F813544B48B145FA9F8EEE488FC43@SCARAB.bnj.com>

I personally think it would take too much manpower and resources to `audit' each and every port that is produced for each of the BSD's. But yes, it is quite funny to see a prankster tripping over his/her/its own ranting :)

-----Original Message-----
From: Wes Peters [mailto:wes@softweyr.com]
Sent: Friday, February 09, 2001 10:23
To: freebsd-advocacy@freebsd.org
Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE

Some random moron at vws3.interlog.com wrote:
>
> II. Problem Description
>
> We normally do not assess security when creating the ports distribution
> often allowing anyone to build any program we decide to run in the ports
> directory. Recently we have noticed that we can no longer fool users
> into thinking because we provide checksumming for the programs, that
> they will be secure.
>
> Unlike other operating systems and the developers of them who audit
> their ports, we feel it is not our problem if someone accesses your
> system because we're too lazy to do things right the first time.

Which operating systems would this be?

http://www.openbsd.org/ports.html

Take particular note of the first paragraph in RED text, which says:

        The ports & packages collection does NOT go through the
        thorough security audit that OpenBSD follows. Although we
        strive to keep the quality of the packages collection high,
        we just do not have enough human resources to ensure the
        same level of robustness and security.

Don'tcha just love it when our favorite prankster is too stupid to even
effectively joke about the topics he takes on?

--
        "Where am I, and what am I doing in this handbasket?"
Wes Peters                                              Softweyr LLC
wes@softweyr.com                                http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-advocacy" in the body of the message