Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 29 Mar 2004 21:50:48 +0200
From:      Oliver Eikemeier <eikemeier@fillmore-labs.com>
To:        "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc:        ports-committers@FreeBSD.org
Subject:   Re: cvs commit: ports/multimedia/xine Makefile
Message-ID:  <40687E18.9060907@fillmore-labs.com>
In-Reply-To: <20040329185347.GB87233@madman.celabo.org>
References:  <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Jacques A. Vidrine wrote:

> On Mon, Mar 29, 2004 at 08:14:29PM +0200, Oliver Eikemeier wrote:
> 
>>Jacques A. Vidrine wrote:
>>
>>>On Sun, Mar 28, 2004 at 03:44:06PM -0800, Oliver Eikemeier wrote:
>>>
>>>>eik         2004/03/28 15:44:06 PST
>>>>
>>>>FreeBSD ports repository
>>>>
>>>>Modified files:
>>>>  multimedia/xine      Makefile
>>>>Log:
>>>>Mark forbidden due to an entry in the VuXML database. Don't
>>>>forget to add the version which fixes the issues there.
>>>
>>>FWIW:
>>>
>>>I didn't mark this port FORBIDDEN when I added the issue to the
>>>database because some issues are not very severe.  For example, this
>>>issue has practically no impact on single user systems, and quite
>>>possibly no impact on any FreeBSD user anywhere.  Marking the port
>>>FORBIDDEN in this case seems extreme.
>>
>>It's in the official FreeBSD vulnerability database.
> 
> The vulnerability database is meant to be comprehensive and
> informational.  It is not a policy document.

I guess it is supposed to be processed by automated tools? It needs a
clearly defined policy, an informal document is useless for portaudit.

>>>I'd prefer to reserve FORBIDDEN for those cases where the ports
>>>present some danger.  Those who want a more strict policy can use
>>>portaudit or similar, right?
>>
>>I guess we have to add a severity tag then, to enable `soft'
>>vulnerabilities.  I have an automated script that barks on unmarked
>>vulnerabilities, and it can't decide which vulnerability is
>>`important'.
> 
> Yes, I wanted to avoid this.  Severity is sooo subjective.  I prefer
> that people close to the port make the severity judgement--- if the
> maintainer or a fellow committer believes the item is severe, then let
> them mark it FORBIDDEN.  That is why I said `FWIW' above--- if you
> believe it is severe, then please by all means leave it FORBIDDEN.
> However, I had the impression that you were marking it only because it
> was listed in the VuXML document.

Sure. Severity is subjective, and I'm not in the position to decide what
is considered severe enough to advise people to not use it.

The security team are the people who should judge which vulnerabilites are
severe enough to issue a warning, not the users. That is what they are there
for. Users can ignore advisories if they decide to do so.

FORBIDDEN is black-and-white, like an entry in the VuXML database is. FORBIDDEN
means: do not install this port, or you are on your own. What is the meaning of
an entry in the VuXML database?

You could argue that xine port isn't vulnerable if both scripts aren't used.
OTOH, why are they installed in the first place? It is simple to fix the port:
don't install these scripts.

> I suppose we could consider a very coarse-grained severity rating, but
> I'd rather not.  I guess such a discussion should take place over on
> freebsd-security@.

Follow-up to security@ then.

>>>>http://people.freebsd.org/~eik/portaudit/fde53204-7ea6-11d8-9645-0020ed76ef5a.html
>>>
>>>By the way, I'd appreciate it if you'd point to the VuXML site instead
>>>(the URLs are `permanent').
>>>
>>>  http://vuxml.freebsd.org/
>>>  http://vuxml.freebsd.org/fde53204-7ea6-11d8-9645-0020ed76ef5a.html
>>
>>These are generated by the same script that generates the portaudit
>>database, so they will never go out of sync.
>
> I'm not sure how to take that response :-)  I'd prefer to use the
> permanent FreeBSD URL, which points to the VuXML site which is near
> real-time updated and where I'll be focusing browsing experience
> enhancements.  Is there something in particular missing? (contributions
> welcome!)

No, but the former URLs are permanent too, have
  <http://people.freebsd.org/~eik/portaudit/1ed556e6-734f-11d8-868e-000347dd607f.html>;
which is mentioned in
  <http://www.freebsd.org/cgi/mid.cgi?db=mid&id=200403111145.i2BBjQfa088098@repoman.freebsd.org>,
are guaranteed to be synchronized with the portaudit database and contain
the same information. I have to generate them anyway, so what's the point?

-Oliver



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40687E18.9060907>