From owner-svn-ports-head@freebsd.org Sat Jun 15 19:04:55 2019 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AABA315CD7C0 for ; Sat, 15 Jun 2019 19:04:55 +0000 (UTC) (envelope-from adamw@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FC9C87634 for ; Sat, 15 Jun 2019 19:04:55 +0000 (UTC) (envelope-from adamw@freebsd.org) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) (Authenticated sender: adamw/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 149A3FFD2 for ; Sat, 15 Jun 2019 19:04:55 +0000 (UTC) (envelope-from adamw@freebsd.org) Received: by mail-wm1-f48.google.com with SMTP id s3so5470566wms.2 for ; Sat, 15 Jun 2019 12:04:55 -0700 (PDT) X-Gm-Message-State: APjAAAVYsowDAJuCxBFaO5710aXHD1Pe19j56UsGrIIDtldhDNeqJ8tN 8vsSPEf0Kyq7IVqgo0GXux0JWJcF0mJM9V4uemvm0A== X-Google-Smtp-Source: APXvYqxih6K/5c0r6nNG8Mt2oo6/uqzga/WliFsokBtuI5vMIciZzsp8AHISeocKoJEYZCndnPvWoODvNalR8LzjKuQ= X-Received: by 2002:a1c:7217:: with SMTP id n23mr12646874wmc.47.1560625493793; Sat, 15 Jun 2019 12:04:53 -0700 (PDT) MIME-Version: 1.0 References: <201906131841.x5DIfuSb069885@repo.freebsd.org> <20190615151247.GA24087@FreeBSD.org> <20190615184227.GA14704@FreeBSD.org> In-Reply-To: <20190615184227.GA14704@FreeBSD.org> From: Adam Weinberger Date: Sat, 15 Jun 2019 13:04:37 -0600 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: svn commit: r504132 - head/security/vuxml To: Alexey Dokuchaev Cc: Adam Weinberger , ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4FC9C87634 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.99)[-0.988,0] X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Jun 2019 19:04:55 -0000 On Sat, Jun 15, 2019 at 12:42 PM Alexey Dokuchaev wrote: > > On Sat, Jun 15, 2019 at 09:41:24AM -0600, Adam Weinberger wrote: > > On Sat, Jun 15, 2019 at 9:12 AM Alexey Dokuchaev wrote: > > > ... > > > I've seen people say that in some distributions, default packages > > > were not affected because their maintainers deliberately disable > > > modelines, e.g. in Debian [and Gentoo] > > > > Their default packages ARE affected. If your car explodes in 6th gear, > > you can't say your car isn't affected because it starts up in first. > > Whether they're enabled or disabled by default, the package is still > > vulnerable. > > Adam, sorry, I shouldn't have said that their packages aren't affected. > Apparently I didn't make myself clear enough, let me try again: > > Do we package Vim/NeoVim with modelines enabled by default? I think > it's generally a good idea to turn potentially dangerous features, esp. > with an earlier history of security/resource vulnerabilities, off by > default -- it does not make packages less vulnerable, but leaves one > extra potential attack door closed rather than opened. I'm not opposed to the idea at all. Modeline is an outstanding feature that, for example, helps us make sure that, for example, bsd.port.mk patches don't show up with leading tabs. It is a wonderful, powerful feature, that absolutely has the potential to be used for substantial evil. That said, having fixed a busted lock doesn't mean that we should board up the front door. If every area of Wordpress with a fixed vulnerability were disabled by default, Wordpress would be a static HTML file. (Both those metaphors are completely hyperbolic, of course.) We will definitely have some confused end-users if we set nomodeline by default, and we'll have to be even more diligent about checking patches for spacing. Alexey, do the benefits of modeline outweigh the risks? Anyone else want to add recommendations here? # Adam -- Adam Weinberger adamw@adamw.org // adamw@FreeBSD.org https://www.adamw.org