From: Oliver Eikemeier <eikemeier@fillmore-labs.com> (Fillmore Labs GmbH - http://www.fillmore-labs.com/)
To: Michael Nottebrock
Cc: "Jacques A. Vidrine", FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: cvs commit: ports/multimedia/xine Makefile
Date: Tue, 30 Mar 2004 00:54:02 +0200
Message-ID: <4068A90A.7000104@fillmore-labs.com>
In-Reply-To: <4068A0AF.2090807@gmx.net>
References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <4068A0AF.2090807@gmx.net>

Michael Nottebrock wrote:

>> Essentially this means that I should not automatically add every entry
>> of the VuXML document to the portaudit database, since being listed there
>> means `do not use this port', which is equivalent to `FORBIDDEN'.
>
> Why? I mean, seriously, if I choose to install portaudit and portaudit's
> presence prevents me from installing ports that's okay, but enforcing
> this even when I _don't_ want to use portaudit it's not, IMHO.

I guess you mix up things here. We are talking about semantics. Marking a port FORBIDDEN if it has a security vulnerability has nothing to do with portaudit. If you have a current ports tree and update your ports every time a new version is available, you don't need portaudit.

> Actually, I always thought portaudit was all about providing a way of
> making ports off-limits _without_ CVS being involved.

Exactly, that is the point: you can mark ports FORBIDDEN retroactively, which means versions that are no longer current, or on systems where there is no (current) ports tree (like on release CDs), or where the ports are not updated immediately.

> So I agree with Jacques here, portaudit and FORBIDDEN should remain
> separate.

That's a question of semantics. It makes absolutely no sense to add a package to the portaudit database when you won't mark the port as FORBIDDEN. The message is `do not install this port', and I hope to get support for portaudit into sysinstall to prevent users with release CDs from installing vulnerable ports in the first place.

Currently there is no such thing as `It may be ok to use this port if you are careful'; if you deem such a feature useful I will look into implementing it.

-Oliver
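The mechanism argued over above, a database of affected package versions that can retroactively refuse installation of a port even when no current ports tree is present, is sketched below as an added example. It is not portaudit's or the ports tree's own code and it is not from this thread: the advisory records, the package name `foo-player` and the `EXAMPLE-*` identifiers are constructed, and the version comparison is a simplified approximation of FreeBSD's `pkg_version(1)` ordering, not its full algorithm.

```python
"""Minimal portaudit-style audit and pre-install gate (illustrative example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """One vulnerability record in a VuXML-like shape (constructed, not real data)."""
    vid: str                    # placeholder identifier, not a real VuXML vid
    package: str                # port/package name the record applies to
    lt: Optional[str] = None    # affected when version <  lt (first fixed version)
    ge: Optional[str] = None    # affected when version >= ge (first affected version)
    summary: str = ""


def version_key(version: str) -> Tuple[tuple, int]:
    """Sort key for 'a.b.c_rev' style versions.

    Numeric components compare numerically, alphabetic ones as strings after any
    number; PORTREVISION ('_N') is a trailing tiebreaker. This is a simplified
    stand-in for pkg_version(1), an assumption of this example.
    """
    base, _, rev = version.partition("_")
    parts = []
    for comp in base.split("."):
        for tok in re.findall(r"\d+|[A-Za-z]+", comp):
            parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return (tuple(parts), int(rev) if rev.isdigit() else 0)


def is_affected(adv: Advisory, version: str) -> bool:
    """True when `version` falls inside the advisory's [ge, lt) range."""
    v = version_key(version)
    if adv.lt is not None and not v < version_key(adv.lt):
        return False
    if adv.ge is not None and not v >= version_key(adv.ge):
        return False
    return True


def audit(db: List[Advisory], package: str, version: str) -> List[Advisory]:
    """All advisories in the database that match this package version."""
    return [a for a in db if a.package == package and is_affected(a, version)]


def check_install(db: List[Advisory], package: str, version: str) -> Tuple[bool, List[str]]:
    """Pre-install gate: any match means `do not install this port'.

    Because matching is by version, a record applies retroactively to old
    package versions whether or not a current ports tree marks them FORBIDDEN.
    """
    hits = audit(db, package, version)
    if hits:
        return False, [f"{package}-{version}: {a.summary} ({a.vid})" for a in hits]
    return True, []


def audit_installed(db: List[Advisory], installed: List[str]) -> Dict[str, List[str]]:
    """Audit already-installed 'name-version' packages; returns pkg -> matching vids."""
    report: Dict[str, List[str]] = {}
    for pkg in installed:
        name, _, ver = pkg.rpartition("-")
        hits = audit(db, name, ver)
        if hits:
            report[pkg] = [a.vid for a in hits]
    return report


# Constructed vulnerability database; package name and vids are hypothetical.
VULN_DB = [
    Advisory(vid="EXAMPLE-0001", package="foo-player", lt="1.0.2",
             summary="hypothetical remotely triggerable crash"),
    Advisory(vid="EXAMPLE-0002", package="foo-player", ge="2.0", lt="2.0.1_1",
             summary="hypothetical regression in the 2.0 branch"),
]


if __name__ == "__main__":
    for ver in ("1.0.1", "1.0.2", "2.0.1", "2.0.1_1"):
        ok, reasons = check_install(VULN_DB, "foo-player", ver)
        print(f"foo-player-{ver}: {'install allowed' if ok else 'FORBIDDEN'}", reasons)
    # Constructed list of installed packages, as a release-CD system might have.
    print(audit_installed(VULN_DB, ["foo-player-1.0.1", "bar-3.2", "foo-player-2.0.1_1"]))
```

The gate refuses the port exactly when the database matches, which is the "being listed means do not install" semantics Oliver describes; a separate "ok if you are careful" state would need an extra field on the record rather than a different comparison.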