From owner-freebsd-ports@FreeBSD.ORG Mon May 28 20:14:23 2012 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 57964106566C; Mon, 28 May 2012 20:14:23 +0000 (UTC) (envelope-from stephen@missouri.edu) Received: from wilberforce.math.missouri.edu (wilberforce.math.missouri.edu [128.206.184.213]) by mx1.freebsd.org (Postfix) with ESMTP id 1B4028FC08; Mon, 28 May 2012 20:14:23 +0000 (UTC) Received: from [127.0.0.1] (wilberforce.math.missouri.edu [128.206.184.213]) by wilberforce.math.missouri.edu (8.14.5/8.14.5) with ESMTP id q4SKEKfi034622; Mon, 28 May 2012 15:14:20 -0500 (CDT) (envelope-from stephen@missouri.edu) Message-ID: <4FC3DC9C.4030301@missouri.edu> Date: Mon, 28 May 2012 15:14:20 -0500 From: Stephen Montgomery-Smith User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1 MIME-Version: 1.0 To: Eitan Adler References: <4FC3B293.6090701@missouri.edu> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: ports-security@freebsd.org, Stephen Montgomery-Smith , freebsd-ports@freebsd.org Subject: Re: math/sage security risk X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 May 2012 20:14:23 -0000 On 05/28/2012 01:38 PM, Eitan Adler wrote: > On 28 May 2012 10:14, Stephen Montgomery-Smith wrote: >> After my recent conversations about creating a print/texlive-install port, I >> realize that my math/sage port might have a security risk. This only >> happens if the user selects additional optional packages. But the optional >> packages are downloaded post-fetch. >> >> I'll make some immediate band-aid changes to the port to switch this off, >> but I'll think through the issue in the days to come. > > adding ports-security to cc so we could track the issue > I just committed instructions to the port math/sage telling users how to add the optional packages manually, and explaining the security risk. Please contact me if this is still a problem.