From: "Jacques A. Vidrine"
To: Oliver Eikemeier
Cc: cvs-ports@FreeBSD.org, ports-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Mon, 29 Mar 2004 12:53:47 -0600
Subject: Re: cvs commit: ports/multimedia/xine Makefile
Message-ID: <20040329185347.GB87233@madman.celabo.org>
In-Reply-To: <40686785.7020002@fillmore-labs.com>
References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com>
List-Id: CVS commit messages for the ports tree
User-Agent: Mutt/1.5.6i

On Mon, Mar 29, 2004 at 08:14:29PM +0200, Oliver Eikemeier wrote:
> Jacques A. Vidrine wrote:
>
> >On Sun, Mar 28, 2004 at 03:44:06PM -0800, Oliver Eikemeier wrote:
> >
> >>eik         2004/03/28 15:44:06 PST
> >>
> >>  FreeBSD ports repository
> >>
> >>  Modified files:
> >>    multimedia/xine      Makefile
> >>  Log:
> >>  Mark forbidden due to an entry in the VuXML database. Don't
> >>  forget to add the version which fixes the issues there.
> >
> >FWIW:
> >
> >I didn't mark this port FORBIDDEN when I added the issue to the
> >database because some issues are not very severe.  For example, this
> >issue has practically no impact on single user systems, and quite
> >possibly no impact on any FreeBSD user anywhere.  Marking the port
> >FORBIDDEN in this case seems extreme.
>
> It's in the official FreeBSD vulnerability database.

The vulnerability database is meant to be comprehensive and
informational.  It is not a policy document.

> >I'd prefer to reserve FORBIDDEN for those cases where the ports
> >present some danger.  Those who want a more strict policy can use
> >portaudit or similar, right?
>
> I guess we have to add a severity tag then, to enable `soft'
> vulnerabilities.  I have an automated script that barks on unmarked
> vulnerabilities, and it can't decide which vulnerability is
> `important'.

Yes, I wanted to avoid this.  Severity is sooo subjective.  I prefer
that people close to the port make the severity judgement--- if the
maintainer or a fellow committer believes the item is severe, then let
them mark it FORBIDDEN.  That is why I said `FWIW' above--- if you
believe it is severe, then please by all means leave it FORBIDDEN.
However, I had the impression that you were marking it only because it
was listed in the VuXML document.

I suppose we could consider a very coarse-grained severity rating, but
I'd rather not.  I guess such a discussion should take place over on
freebsd-security@.

> >>  http://people.freebsd.org/~eik/portaudit/fde53204-7ea6-11d8-9645-0020ed76ef5a.html
> >
> >By the way, I'd appreciate it if you'd point to the VuXML site instead
> >(the URLs are `permanent').
> >
> >  http://vuxml.freebsd.org/
> >  http://vuxml.freebsd.org/fde53204-7ea6-11d8-9645-0020ed76ef5a.html
>
> These are generated by the same script that generates the portaudit
> database, so they will never go out of sync.

I'm not sure how to take that response :-)  I'd prefer to use the
permanent FreeBSD URL, which points to the VuXML site, which is updated
in near real time and where I'll be focusing browsing experience
enhancements.  Is there something in particular missing?
(contributions welcome!)

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org