Date: Sat, 30 Sep 2000 16:16:47 -0500 From: "Jeffrey J. Mountin" <jeff-ml@mountin.net> To: Jordan Hubbard <jkh@winston.osd.bsdi.com>, Kris Kennaway <kris@FreeBSD.ORG> Cc: security@FreeBSD.ORG Subject: Re: Security and FreeBSD, my overall perspective Message-ID: <4.3.2.20000930160153.00b8bc10@207.227.119.2> In-Reply-To: <2973.970342843@winston.osd.bsdi.com> References: <Message from Kris Kennaway <kris@FreeBSD.org> <20000930122217.A51270@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
At 12:40 PM 9/30/00 -0700, Jordan Hubbard wrote: > > > (b) Add a new field to the ports infrastructure which indicates > > > level of "trust" the project/security people have in that > > > port. E.g. instead of having one big knob rather off-puttingly > > > labelled 'FORBIDDEN', have a 'TRUST' or 'SECURITY_LEVEL' variable > > > which goes from 1 to 10. Then the ports infrastructure can, if > > > it wishes to, issue warnings of varying severity based on the > > > trust level. > > > > I've thought about this, but it needs someone to implement it, so we > > have to work with existing tools in the meantime. > >I could do this in a couple of hours, including testing. You want the >patches to bsd.port.mk in unidiff or context diff format? ;-) While I like this idea to some extent, there should be a disclaimer and/or be used on ports that have been checked over. The later would help any auditing, but the former would prevent misconceptions should a port with a "10" or just a "high" rating end up with an exploit/advisory. Problem is where to put it or when it should display. Would suggest that it spew out early when making the port or even when doing a 'make fetch' and it's relatives. Both the rating and a line or 2 should pop up. Maybe a "Do you wish to continue?" even. OTOH, considering the perception that problems with 3rd party software lead to the conclusion of (potential) problems with FreeBSD this may have a negative impact should a rating seem optimistic. Overall I think it would help many, but it shouldn't be relied upon as the absolute "truth" of the security of something. That is subject to time and trial. Maybe a scale of 1-5 would make it easier to decide what to rate a port at. To get the highest rating it should have clean code *and* a known good track record. Nothing new should ever get that rating. .02 Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.20000930160153.00b8bc10>