From owner-freebsd-gnome Fri Nov 22 10: 2:18 2002
Delivered-To: freebsd-gnome@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 95ADF37B401; Fri, 22 Nov 2002 10:02:16 -0800 (PST)
Received: from mail.karamazov.org (h162-040-089-010.adsl.navix.net [162.40.89.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id B932243E88; Fri, 22 Nov 2002 10:02:07 -0800 (PST) (envelope-from smoberly@karamazov.org)
Received: from karamazov.org (mail.karamazov.org [10.0.0.11]) by mail.karamazov.org (8.12.6/8.12.6) with SMTP id gAMI1vua078422; Fri, 22 Nov 2002 12:01:57 -0600 (CST) (envelope-from smoberly@karamazov.org)
From: "Scott A. Moberly"
Received: from 65.221.169.187 (SquirrelMail authenticated user smoberly) by mail.karamazov.org with HTTP; Fri, 22 Nov 2002 12:01:57 -0600 (CST)
Message-ID: <11503.65.221.169.187.1037988117.squirrel@mail.karamazov.org>
Date: Fri, 22 Nov 2002 12:01:57 -0600 (CST)
Subject: Re: SOUP
In-Reply-To: <1037987918.326.32.camel@gyros>
References: <44542.65.221.169.187.1037979346.squirrel@mail.karamazov.org> <1037984649.326.1.camel@gyros> <3476.65.221.169.187.1037985437.squirrel@mail.karamazov.org> <1037985752.326.20.camel@gyros> <5747.65.221.169.187.1037986268.squirrel@mail.karamazov.org> <1037986478.326.29.camel@gyros> <9352.65.221.169.187.1037987400.squirrel@mail.karamazov.org> <1037987918.326.32.camel@gyros>
X-Priority: 3
Importance: Normal
X-Mailer: SquirrelMail (version 1.2.8)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-gnome@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Fri, 2002-11-22 at 12:50, Scott A. Moberly wrote:
>> > On Fri, 2002-11-22 at 12:31, Scott A. Moberly wrote:
>> >> > On Fri, 2002-11-22 at 12:17, Scott A. Moberly wrote:
>> >> >> > On Fri, 2002-11-22 at 10:35, Scott A. Moberly wrote:
>> >> >> >> The SOAP library SOUP is now required throughout the gnome
>> >> >> >> structure. gtkhtml requires it in the Makefile, but does not
>> >> >> >> actually require it. Given the inherent security issues raised
>> >> >> >> with SOAP, I was curious if it can be made optional. It could
>> >> >> >> even be in the negative if you prefer; i.e.
>> >> >> >
>> >> >> > Maybe I've been out of it, but what security issues are we
>> >> >> > talking about? Can you cite references?
>> >> >> >
>> >> >> > Joe
>> >> >>
>> >> >> My main complaint lies simply with arbitrary access to data
>> >> >> without the user (of the process) having direct control. Scary
>> >> >> if it moves into root-controlled processes. Other issues involve
>> >> >> firewall slip-through. Many other reasons can be found... google
>> >> >> it with soap and security.
>> >> >
>> >> > I'd like to see some security advisories on this, particularly in
>> >> > relation to the one app known to use Soup: Evolution. So far, you
>> >> > are the only one to raise the issue.
>> >>
>> >> Okay... so what you are saying is that I have to wait for something
>> >> to be broken and have a Security Advisory issued prior to having it
>> >> optional. The protocol itself is flawed. The company that devised
>> >> it (Microsoft) has not only warned of the firewall issue, it has
>> >> also issued security additions (WS-Security) that are patented and
>> >> thus potentially problematic. I would like to avoid the issue
>> >> before it is raised: pro-active is the market-speak for this, I
>> >> believe. I am not asking for the library to be removed; rather,
>> >> given an optional flag.
>> >
>> > If I'm going to flag something as broken due to security, I'd like
>> > to have some references for our users to read. Since you're the
>> > only one raising this as a concern, I'd like _you_ to find some
>> > reputable sources stating what's wrong with the protocol. If you do
>> > that, I'll flag it as optional in gtkhtml.
>> >
>> > Joe
>>
>> Understandable... However, there are no advisories per se. There has
>> been plenty of discussion regarding the potential abuse (in theory)...
>>
>> An article on O'Reilly:
>> http://www.xml.com/pub/a/2002/02/27/security-lather.html
>>
>> Microsoft article on SOAP security:
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservice/html/service11212001.asp
>>
>> None of this is definitive; however, there is debate on the issue. I
>> was immediately aware of the problem only because SOAP was brought up
>> and dismissed at my place of business approximately a year ago.
>> Dismissed for the 'possible' security implications, and there was no
>> UNIX library yet available.
>
> Okay, these are reputable sources. I'll do the knob.

Thank you kindly

---
Scott A. Moberly
smoberly@karamazov.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-gnome" in the body of the message
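The "knob" agreed on at the end of the thread is, in FreeBSD ports terms, a user-settable make variable that controls whether a port registers a dependency and enables the matching feature. The fragment below is an added illustration of that pattern and is not taken from the thread or from the gtkhtml port's actual Makefile; the knob name WITHOUT_SOUP, the libsoup port path, the library name in LIB_DEPENDS and the configure flag are all assumptions. The point from a security standpoint is that a site which does not need SOAP can build gtkhtml without linking the SOAP code path in at all, which removes that surface from the installed package rather than leaving it present but unused.

```make
# Added example of a ports-style knob; not the gtkhtml port's own Makefile.
# WITHOUT_SOUP, devel/libsoup, the soup library name and --disable-soup are
# all assumed here for illustration.

.if defined(WITHOUT_SOUP)
# Build without the SOAP library: no dependency is registered and the
# configure script is told to leave SOAP support out of the build.
CONFIGURE_ARGS+=	--disable-soup
.else
# Default build: depend on libsoup so configure can find it.
LIB_DEPENDS+=		soup.5:${PORTSDIR}/devel/libsoup
.endif

pre-everything::
.if !defined(WITHOUT_SOUP)
	@${ECHO_MSG} "Define WITHOUT_SOUP to build gtkhtml without the SOAP (libsoup) dependency."
.endif
```

A user sets the knob on the command line (`make WITHOUT_SOUP=yes install`) or in /etc/make.conf so that it persists across rebuilds. Because the dependency is omitted rather than merely ignored, `pkg_info -R` on the resulting package will not list libsoup, which is the check an administrator would use to confirm the knob actually took effect.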