From owner-freebsd-security Sat Sep 30 14:21: 9 2000 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id F229D37B503; Sat, 30 Sep 2000 14:21:06 -0700 (PDT) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id QAA05936; Sat, 30 Sep 2000 16:21:00 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from dial-83.max1.wa.cyberlynk.net(207.227.118.83) by peak.mountin.net via smap (V1.3) id sma005934; Sat Sep 30 16:20:56 2000 Message-Id: <4.3.2.20000930160153.00b8bc10@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Sat, 30 Sep 2000 16:16:47 -0500 To: Jordan Hubbard , Kris Kennaway From: "Jeffrey J. Mountin" Subject: Re: Security and FreeBSD, my overall perspective Cc: security@FreeBSD.ORG In-Reply-To: <2973.970342843@winston.osd.bsdi.com> References: <20000930122217.A51270@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:40 PM 9/30/00 -0700, Jordan Hubbard wrote: > > > (b) Add a new field to the ports infrastructure which indicates > > > level of "trust" the project/security people have in that > > > port. E.g. instead of having one big knob rather off-puttingly > > > labelled 'FORBIDDEN', have a 'TRUST' or 'SECURITY_LEVEL' variable > > > which goes from 1 to 10. Then the ports infrastructure can, if > > > it wishes to, issue warnings of varying severity based on the > > > trust level. > > > > I've thought about this, but it needs someone to implement it, so we > > have to work with existing tools in the meantime. > >I could do this in a couple of hours, including testing. You want the >patches to bsd.port.mk in unidiff or context diff format? ;-) While I like this idea to some extent, there should be a disclaimer and/or be used on ports that have been checked over. The later would help any auditing, but the former would prevent misconceptions should a port with a "10" or just a "high" rating end up with an exploit/advisory. Problem is where to put it or when it should display. Would suggest that it spew out early when making the port or even when doing a 'make fetch' and it's relatives. Both the rating and a line or 2 should pop up. Maybe a "Do you wish to continue?" even. OTOH, considering the perception that problems with 3rd party software lead to the conclusion of (potential) problems with FreeBSD this may have a negative impact should a rating seem optimistic. Overall I think it would help many, but it shouldn't be relied upon as the absolute "truth" of the security of something. That is subject to time and trial. Maybe a scale of 1-5 would make it easier to decide what to rate a port at. To get the highest rating it should have clean code *and* a known good track record. Nothing new should ever get that rating. .02 Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message