From owner-freebsd-hackers@FreeBSD.ORG Sat Oct 14 11:32:24 2006
Date: Sat, 14 Oct 2006 15:32:20 +0400
From: "Andrew Pantyukhin" <infofarmer@gmail.com>
To: "Kris Kennaway"
Cc: hackers@freebsd.org, secteam@freebsd.org
Subject: Re: Tracing binaries statically linked against vulnerable libs
In-Reply-To: <20061014003238.GA6341@xor.obsecurity.org>
References: <20061006215902.GA21109@xor.obsecurity.org> <20061014003238.GA6341@xor.obsecurity.org>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>
On 10/14/06, Kris Kennaway wrote:
> On Fri, Oct 13, 2006 at 05:18:57PM +0400, Andrew Pantyukhin wrote:
> > Anyway, maybe portmgr could issue some kind of a policy
> > about this. I.e. (1) use {build,run}_depends instead of lib_
> > when you depend on a port providing both shared and
> > static libraries, but link statically; (2) make an effort to
> > encourage dynamic linking - try to provide only shared
> > libs in new ports, remove unused static ones from old
> > ones, and so on.
>
> (1) is just a statement of correct behaviour, no need for a policy
> about it (it could be clarified in the porter's handbook if needed).
> (2) could also be added to the porter's handbook as a recommendation -
> I don't think we need a formal proclamation of policy about it.

Again, the problem is tracking what ports are affected by vulnerabilities. Making static linking optional will only help if pkgname is changed in a mandatory fashion. Moreover, there are ports with mixed linking (AFAIK, mplayer is one of them). So if we go easy on maintainers, then we should either put sufficient human resources into exploring security issues manually in each particular case, or, in the absence thereof, act paranoid and mark a lot of ports vulnerable.

> P.S. I can provide a list of static binaries in ports if anyone wants
> to work on fixing them.

It would be great if we could find a way to make a list of what particular libraries each port is statically linked against. Meanwhile, I'll try to ask around as to how they deal with it in other projects.

Thanks!
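The two things asked for in this thread, a list of statically linked binaries and some idea of which libraries each one carries, can both be approximated from the binaries themselves. The Python script below is an added example, not part of the thread and not a FreeBSD ports tool. It parses the ELF program headers to decide whether a binary is static (no PT_INTERP and no PT_DYNAMIC entry), and then greps the file for the version banners that some libraries embed in their object code, so that a static binary can be matched against an advisory for, say, a specific zlib release. The banner patterns for zlib, OpenSSL and libpng are illustrative assumptions based on those libraries' well-known copyright strings; the sample ELF images are constructed inside the script, so it runs without any real binary.

```python
"""Inventory helper (added example): is an ELF binary static, and which
library version banners does it embed?  Heuristic only: a library that
embeds no banner, or whose banner was stripped, will not be reported."""
import re
import struct
import sys

PT_DYNAMIC = 2
PT_INTERP = 3

# Illustrative banner patterns (assumptions, not an exhaustive list):
#   zlib:    " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly "
#   OpenSSL: "OpenSSL 0.9.8d 28 Sep 2006"
#   libpng:  "libpng version 1.2.12 - June 27, 2006"
LIB_BANNERS = {
    "zlib": re.compile(rb"(?:deflate|inflate) (\d+\.\d+\.\d+) Copyright"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) \d{1,2} [A-Z][a-z]{2} \d{4}"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}


def program_header_types(data: bytes) -> list:
    """Return the p_type of every program header (ELF32 and ELF64, both endians)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, endian_flag = data[4], data[5]
    end = "<" if endian_flag == 1 else ">"
    if elf_class == 2:                      # ELF64: e_phoff at 0x20, phentsize/phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    elif elf_class == 1:                    # ELF32: e_phoff at 0x1c, phentsize/phnum at 0x2a
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    types = []
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        types.append(p_type)
    return types


def is_static(data: bytes) -> bool:
    """A dynamically linked executable needs an interpreter and a dynamic section."""
    types = set(program_header_types(data))
    return PT_INTERP not in types and PT_DYNAMIC not in types


def find_embedded_libs(data: bytes) -> list:
    """Return sorted, de-duplicated (library, version) pairs found as banners."""
    found = set()
    for name, pattern in LIB_BANNERS.items():
        for match in pattern.finditer(data):
            found.add((name, match.group(1).decode("ascii")))
    return sorted(found)


def scan(data: bytes) -> dict:
    return {"static": is_static(data), "embedded_libs": find_embedded_libs(data)}


def build_sample_elf(dynamic: bool, payload: bytes = b"") -> bytes:
    """Constructed minimal ELF64 image for the demo: valid headers plus a
    payload blob standing in for .rodata.  It is not loadable."""
    ptypes = [1]                            # one PT_LOAD
    if dynamic:
        ptypes += [PT_INTERP, PT_DYNAMIC]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56,
                               len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return ehdr + phdrs + payload


if __name__ == "__main__":
    # Usage: python scan_static.py /path/to/binary ...   (real files), or no
    # arguments to run against the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan(fh.read()))
    else:
        blob = (b"\x00 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
                b"OpenSSL 0.9.8d 28 Sep 2006\x00")
        print("static sample:", scan(build_sample_elf(False, blob)))
        print("dynamic sample:", scan(build_sample_elf(True)))
```

Run it over the files installed by a port (for example the contents of its plist) and you get a first cut at the list Andrew wants: binaries with no interpreter are the static ones, and any banner hits are candidate libraries to check against advisories. The absence of a banner proves nothing, so a static binary with no hits still needs the manual review discussed above.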