Date: Sat, 15 Jun 2019 13:04:37 -0600
From: Adam Weinberger <adamw@freebsd.org>
To: Alexey Dokuchaev <danfe@freebsd.org>
Cc: Adam Weinberger <adamw@freebsd.org>, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r504132 - head/security/vuxml
Message-ID: <CAP7rwcgwGNFjyf7LmDvg6-xpZwbkdyQ2PELQkFfRD-90TahvxQ@mail.gmail.com>
In-Reply-To: <20190615184227.GA14704@FreeBSD.org>
References: <201906131841.x5DIfuSb069885@repo.freebsd.org> <20190615151247.GA24087@FreeBSD.org> <CAP7rwcjB9moLnEwzUcn0EhfKpF+dDvAObY0O8XJOn0V4HXByYA@mail.gmail.com> <20190615184227.GA14704@FreeBSD.org>
On Sat, Jun 15, 2019 at 12:42 PM Alexey Dokuchaev <danfe@freebsd.org> wrote:
>
> On Sat, Jun 15, 2019 at 09:41:24AM -0600, Adam Weinberger wrote:
> > On Sat, Jun 15, 2019 at 9:12 AM Alexey Dokuchaev wrote:
> > > ...
> > > I've seen people say that in some distributions, default packages
> > > were not affected because their maintainers deliberately disable
> > > modelines, e.g. in Debian [and Gentoo]
> >
> > Their default packages ARE affected. If your car explodes in 6th gear,
> > you can't say your car isn't affected because it starts up in first.
> > Whether they're enabled or disabled by default, the package is still
> > vulnerable.
>
> Adam, sorry, I shouldn't have said that their packages aren't affected.
> Apparently I didn't make myself clear enough, let me try again:
>
> Do we package Vim/NeoVim with modelines enabled by default? I think
> it's generally a good idea to turn potentially dangerous features, esp.
> with an earlier history of security/resource vulnerabilities, off by
> default -- it does not make packages less vulnerable, but leaves one
> extra potential attack door closed rather than opened.

I'm not opposed to the idea at all. Modeline is an outstanding feature that, for example, helps us make sure that bsd.port.mk patches don't show up with leading tabs. It is a wonderful, powerful feature, that absolutely has the potential to be used for substantial evil.

That said, having fixed a busted lock doesn't mean that we should board up the front door. If every area of Wordpress with a fixed vulnerability were disabled by default, Wordpress would be a static HTML file. (Both those metaphors are completely hyperbolic, of course.)

We will definitely have some confused end-users if we set nomodeline by default, and we'll have to be even more diligent about checking patches for spacing.

Alexey, do the benefits of modeline outweigh the risks? Anyone else want to add recommendations here?

# Adam

-- 
Adam Weinberger
adamw@adamw.org // adamw@FreeBSD.org
https://www.adamw.org
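Before deciding on nomodeline, one practical input to the "benefits vs. risks" question is to measure where modelines are actually relied on in a tree. The following scanner is an added example, not code from this thread or from the ports tree; it mirrors the two documented modeline forms from Vim's `:help modeline` and Vim's default of checking the first and last 5 lines, but it ignores version-qualified prefixes such as `vim<800:` (a simplification, not the full Vim grammar). The sample file contents are constructed.

```python
import re
from typing import List, Optional, Tuple

# Vim's default 'modelines' value: only this many first and last lines are checked.
MODELINES = 5

# Assumption: the prefix must start the line or follow whitespace, as in Vim.
# Version-qualified prefixes ("vim<800:") are deliberately not handled here.
_MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$')

def parse_modeline(line: str) -> Optional[List[str]]:
    """Return the option list if `line` carries a modeline, else None."""
    m = _MODELINE_RE.search(line)
    if not m:
        return None
    rest = m.group(1)
    # Second form: "vim: set opt1 opt2=x: trailing text" -- options end at the first ':'.
    sm = re.match(r'se(?:t)?\s+(.*)', rest)
    if sm:
        body = sm.group(1).split(':', 1)[0]
        return body.split()
    # First form: "vi:noai:sw=3 ts=6" -- options separated by whitespace or ':'.
    return [opt for opt in re.split(r'[\s:]+', rest) if opt]

def find_modelines(text: str, modelines: int = MODELINES) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, options) for every modeline Vim would honour."""
    lines = text.splitlines()
    n = len(lines)
    candidates = set(range(min(modelines, n))) | set(range(max(0, n - modelines), n))
    found = []
    for i in sorted(candidates):
        opts = parse_modeline(lines[i])
        if opts is not None:
            found.append((i + 1, opts))
    return found

# Constructed sample: a port Makefile-like file carrying a modeline on its last line.
SAMPLE = "\n".join([
    "# $FreeBSD$",
    "PORTNAME=\texample",
    "",
    ".include <bsd.port.mk>",
    "# vim: set ts=8 sw=8 noet:",
])

if __name__ == "__main__":
    for lineno, opts in find_modelines(SAMPLE):
        print(f"line {lineno}: {' '.join(opts)}")
```

Run it over each file in a checkout to get an inventory of modeline use before flipping the default; files whose modeline sits deeper than the first/last 5 lines are reported as Vim would see them, i.e. not at all.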