From owner-freebsd-ports@FreeBSD.ORG  Mon May 28 20:14:23 2012
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 57964106566C;
	Mon, 28 May 2012 20:14:23 +0000 (UTC)
	(envelope-from stephen@missouri.edu)
Received: from wilberforce.math.missouri.edu (wilberforce.math.missouri.edu
	[128.206.184.213])
	by mx1.freebsd.org (Postfix) with ESMTP id 1B4028FC08;
	Mon, 28 May 2012 20:14:23 +0000 (UTC)
Received: from [127.0.0.1] (wilberforce.math.missouri.edu [128.206.184.213])
	by wilberforce.math.missouri.edu (8.14.5/8.14.5) with ESMTP id
	q4SKEKfi034622; Mon, 28 May 2012 15:14:20 -0500 (CDT)
	(envelope-from stephen@missouri.edu)
Message-ID: <4FC3DC9C.4030301@missouri.edu>
Date: Mon, 28 May 2012 15:14:20 -0500
From: Stephen Montgomery-Smith <stephen@missouri.edu>
User-Agent: Mozilla/5.0 (X11; Linux i686;
	rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: Eitan Adler <lists@eitanadler.com>
References: <4FC3B293.6090701@missouri.edu>
	<CAF6rxgk=hfTm6isiJXaBxARhtxUxXKy9zf9nHw3VhPz6os4z9g@mail.gmail.com>
In-Reply-To: <CAF6rxgk=hfTm6isiJXaBxARhtxUxXKy9zf9nHw3VhPz6os4z9g@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: ports-security@freebsd.org, Stephen Montgomery-Smith <stephen@freebsd.org>,
	freebsd-ports@freebsd.org
Subject: Re: math/sage security risk
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 28 May 2012 20:14:23 -0000

On 05/28/2012 01:38 PM, Eitan Adler wrote:
> On 28 May 2012 10:14, Stephen Montgomery-Smith<stephen@missouri.edu>  wrote:
>> After my recent conversations about creating a print/texlive-install port, I
>> realize that my math/sage port might have a security risk.  This only
>> happens if the user selects additional optional packages.  But the optional
>> packages are downloaded post-fetch.
>>
>> I'll make some immediate band-aid changes to the port to switch this off,
>> but I'll think through the issue in the days to come.
>
> adding ports-security to cc so we could track the issue
>

I just committed instructions to the port math/sage telling users how to 
add the optional packages manually, and explaining the security risk.

Please contact me if this is still a problem.