Date: Sat, 30 Sep 2000 12:40:43 -0700
From: Jordan Hubbard <jkh@winston.osd.bsdi.com>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: "Brian F. Feldman" <green@FreeBSD.org>, Roman Shterenzon <roman@xpert.com>, security@FreeBSD.org
Subject: Re: Security and FreeBSD, my overall perspective
Message-ID: <2973.970342843@winston.osd.bsdi.com>
In-Reply-To: Message from Kris Kennaway <kris@FreeBSD.org> of "Sat, 30 Sep 2000 12:22:17 PDT." <20000930122217.A51270@freefall.freebsd.org>
> Okay, quick show of hands. How many people blindly trusted pine before
> this week? How many people would pick up a copy of fsdb(8) and/or
> ipfw(8) and feel blindly confident they know how to use it properly
> without screwing themselves up?

Well, just to set the record straight, I've never even used pine. I use
mh-e. :) I was talking more about our desired policy for dealing with
these situations in the present and future, something for which pine is
merely an example.

> > (b) Add a new field to the ports infrastructure which indicates
> > level of "trust" the project/security people have in that
> > port. E.g. instead of having one big knob rather off-puttingly
> > labelled 'FORBIDDEN', have a 'TRUST' or 'SECURITY_LEVEL' variable
> > which goes from 1 to 10. Then the ports infrastructure can, if
> > it wishes to, issue warnings of varying severity based on the
> > trust level.
>
> I've thought about this, but it needs someone to implement it, so we
> have to work with existing tools in the meantime.

I could do this in a couple of hours, including testing. You want the
patches to bsd.port.mk in unidiff or context diff format? ;-)

> Waitasec, what do you mean "start"? FreeBSD is basically the only
> operating system project which *is* auditing this kind of code

I was reacting to green's assertion that nobody, in fact, had the time
or inclination to do anything of the sort. If he's maligned your efforts
by making such claims then I guess we both owe you an apology for
underestimating the amount of work which has actually been going into
auditing.

- Jordan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
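To make the graded-trust knob discussed above concrete, here is an added sketch of what such a `SECURITY_LEVEL` variable could look like inside bsd.port.mk. This is illustration only, not Jordan's offered patch and not code that ever shipped in the ports tree; the variable names `SECURITY_LEVEL`, `ALLOW_LOW_SECURITY_LEVEL` and the target `check-security-level` are assumptions, while `ECHO_MSG`, `PKGNAME` and the `.if` conditional syntax are the existing bsd.port.mk and make(1) conventions.

```makefile
# Added illustration: a graded SECURITY_LEVEL knob for bsd.port.mk.
# Not the patch offered in the thread and not real ports-tree code.
# SECURITY_LEVEL, ALLOW_LOW_SECURITY_LEVEL and check-security-level are
# hypothetical names; ECHO_MSG and PKGNAME come from bsd.port.mk.
#
# Scale: 1 = no confidence at all (what FORBIDDEN expresses today)
#        5 = nobody has looked (the default for an unmarked port)
#       10 = audited by the security team

# Unmarked ports get a neutral value, so the check never blocks a port
# whose maintainer simply has not rated it yet.
SECURITY_LEVEL?=	5

# Reject nonsense values at parse time rather than silently treating
# them as "fine".
.if ${SECURITY_LEVEL} < 1 || ${SECURITY_LEVEL} > 10
.error SECURITY_LEVEL must be between 1 and 10 (got ${SECURITY_LEVEL})
.endif

# Standalone target; in a real bsd.port.mk it would be wired into the
# fetch sequence so the message appears before any distfile is pulled.
check-security-level:
.if ${SECURITY_LEVEL} <= 3 && !defined(ALLOW_LOW_SECURITY_LEVEL)
	@${ECHO_MSG} "===> ${PKGNAME}: security level ${SECURITY_LEVEL}/10, known problems or no review at all."
	@${ECHO_MSG} "     Set ALLOW_LOW_SECURITY_LEVEL=yes to build it anyway."
	@false
.elif ${SECURITY_LEVEL} <= 3
	@${ECHO_MSG} "===> WARNING: building ${PKGNAME} at security level ${SECURITY_LEVEL}/10 because ALLOW_LOW_SECURITY_LEVEL is set."
.elif ${SECURITY_LEVEL} <= 6
	@${ECHO_MSG} "===> WARNING: ${PKGNAME} has security level ${SECURITY_LEVEL}/10 (not audited); run it with care."
.elif ${SECURITY_LEVEL} <= 8
	@${ECHO_MSG} "===> Note: ${PKGNAME} has security level ${SECURITY_LEVEL}/10 (partially reviewed)."
.endif
	@true
```

The point of the tiers is that the only hard stop is the lowest band, and even that can be overridden explicitly by the person building the port; everything else degrades to a warning whose wording, not just its presence, tells the user how much review the code has had. Because the default is the neutral middle band, adding the variable to bsd.port.mk does not change the behaviour of any port that has not been rated.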