Date: Tue, 30 Mar 2004 00:54:02 +0200
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Michael Nottebrock <michaelnottebrock@gmx.net>
Cc: FreeBSD Security <security@freebsd.org>
Subject: Re: cvs commit: ports/multimedia/xine Makefile
Message-ID: <4068A90A.7000104@fillmore-labs.com>
In-Reply-To: <4068A0AF.2090807@gmx.net>
References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <4068A0AF.2090807@gmx.net>
Michael Nottebrock wrote:

>> Essentially this means that I should not automatically add every entry
>> of the VuXML document to the portaudit database, since being listed there
>> means `do not use this port', which is the equivalent to `FORBIDDEN'.
>
> Why? I mean, seriously, if I choose to install portaudit and portaudit's
> presence prevents me from installing ports that's okay, but enforcing
> this even when I _don't_ want to use portaudit is not, IMHO.

I guess you mix up things here. We are talking about semantics. Marking a
port FORBIDDEN if it has a security vulnerability has nothing to do with
portaudit. If you have a current ports tree and update your ports every
time a new version is available, you don't need portaudit.

> Actually, I always thought portaudit was all about providing a way of
> making ports off-limits _without_ CVS being involved.

Exactly that is the point: you can mark ports FORBIDDEN retroactively,
which means versions that are no longer current, or on systems where there
is no (current) ports tree (like on release CDs), or where the ports are
not updated immediately.

> So I agree with Jacques here, portaudit and FORBIDDEN should remain
> separate.

That's a question of semantics. It makes absolutely no sense to add a
package to the portaudit database when you won't mark the port as
FORBIDDEN. The message is `do not install this port', and I hope to get
support for portaudit into sysinstall to prevent users with release CDs
from installing vulnerable ports in the first place. Currently there is no
such thing as `It may be ok to use this port if you are careful'; if you
deem such a feature useful I will look into implementing it.

-Oliver
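The "retroactive FORBIDDEN" idea discussed above rests on one mechanism: a database of affected version ranges is checked against what is actually installed, independent of whether a ports tree is present. The script below is an added example of that check, not part of this thread and not portaudit's or VuXML's own code or file format. The package names, the constraint syntax (`<`, `<=`, `>`, `>=`, `=` clauses concatenated) and the advisory descriptions are constructed for illustration, and the version comparison is a simplified stand-in for pkg_version's rules (digits compare numerically, letters lexically, a longer version sorts after its prefix).

```python
import re

# Constructed sample database: (package, affected range, description).
# These are not real FreeBSD advisories or VuXML entries.
VULN_DB = [
    ("sample-player", "<1.2.3_1", "sample-player -- constructed example issue"),
    ("sample-lib", ">=2.0<2.1.3", "sample-lib -- constructed example issue"),
    ("sample-tool", "=0.9", "sample-tool -- constructed example issue"),
]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def version_key(version):
    """Turn '1.2.3_1' into a comparable tuple of tokens.

    Simplified comparison (an assumption, not pkg_version's algorithm):
    numeric tokens compare as integers, alphabetic tokens as strings,
    and a version that extends another sorts after it.
    """
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok)
        for tok in re.findall(r"\d+|[A-Za-z]+", version)
    )


def split_pkgname(pkgname):
    """Split 'name-1.2.3' at the last dash into (name, version)."""
    name, version = pkgname.rsplit("-", 1)
    return name, version


def version_matches(version, constraint):
    """True when the version satisfies every clause of the constraint."""
    clauses = re.findall(r"(<=|>=|<|>|=)([^<>=]+)", constraint)
    if not clauses:
        raise ValueError(f"unparseable constraint: {constraint!r}")
    key = version_key(version)
    return all(_OPS[op](key, version_key(bound)) for op, bound in clauses)


def audit(installed, db=VULN_DB):
    """Return (pkgname, description) for every installed package whose
    version falls in an affected range; this is the decision a
    portaudit-style tool makes without consulting the ports tree."""
    hits = []
    for pkgname in installed:
        name, version = split_pkgname(pkgname)
        for db_name, constraint, description in db:
            if db_name == name and version_matches(version, constraint):
                hits.append((pkgname, description))
    return hits


if __name__ == "__main__":
    # Constructed list standing in for the output of `pkg_info`.
    installed = ["sample-player-1.2.3", "sample-lib-2.1.3",
                 "sample-tool-0.9", "other-3.1"]
    for pkgname, description in audit(installed):
        print(f"Affected package: {pkgname}\n  {description}")
```

Note that `sample-lib-2.1.3` is not reported: it sits exactly at the upper bound of the `>=2.0<2.1.3` range, which is the usual shape of an advisory whose fixed version is 2.1.3. Whether a hit blocks an install or only warns is exactly the policy question the thread is arguing about; the matching itself does not change.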
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4068A90A.7000104>