From owner-freebsd-security@FreeBSD.ORG Mon Mar 29 15:41:30 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7811416A4CE; Mon, 29 Mar 2004 15:41:30 -0800 (PST) Received: from postman.arcor.de (postman2.arcor-online.net [151.189.0.152]) by mx1.FreeBSD.org (Postfix) with ESMTP id D1E0E43D39; Mon, 29 Mar 2004 15:41:29 -0800 (PST) (envelope-from eikemeier@fillmore-labs.com) Received: from fillmore.dyndns.org (port-212-202-51-138.reverse.qsc.de [212.202.51.138]) (authenticated bits=0)i2TNfSko017738 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Tue, 30 Mar 2004 01:41:28 +0200 (MEST) Received: from [172.16.0.2] (helo=fillmore-labs.com) by fillmore.dyndns.org with esmtp (Exim 4.30; FreeBSD) id 1B86Ni-000OZR-7v; Tue, 30 Mar 2004 01:41:26 +0200 Message-ID: <4068B425.1070607@fillmore-labs.com> Date: Tue, 30 Mar 2004 01:41:25 +0200 From: Oliver Eikemeier Organization: Fillmore Labs GmbH - http://www.fillmore-labs.com/ MIME-Version: 1.0 To: "Jacques A. Vidrine" References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <20040329224011.GA94303@madman.celabo.org> In-Reply-To: <20040329224011.GA94303@madman.celabo.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit User-Agent: KMail/1.5.9 cc: FreeBSD Security Subject: Re: cvs commit: ports/multimedia/xine Makefile X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Mar 2004 23:41:30 -0000 Jacques A. Vidrine wrote: > Speaking of pkg_add, I was thinking it might make sense to add hooks > to these utilities, either in the form of loading dynamic objects or > just invoking shell scripts. It seems that knu@ would be able to > use these for portupgrade, we could use them for portaudit and VuXML > related items, and power users could use them to invent their own > local uses. But, that's a discussion for ports@ I guess. Hooks would be nice, but I guess we should have something in the base, or at least let sysinstall install it by default before adding other packages. > Personally, I was quite pleased with the way that you have it set up: > if users install portaudit, then they will be warned daily about ports > that they have installed; and attempting to build the port results in > much the same thing as FORBIDDEN. > > (I guess I could have some misunderstanding, though.) No, that is precisely the idea: marking a port in portaudit results in much the same thing as FORBIDDEN, so the criteria to add a package to the portaudit database is excatly the same as marking a port as FORBIDDEN because of security reasons. > Without portaudit, we have the current situation. The only ports > marked FORBIDDEN are those where someone believed that problems are > serious enough to mark it so. This should be the same with portaudit, even on past revisions of the ports: The only port added in the portaudit database should be those where someone believed that problems are serious enough to mark it so. To cite portaudit(1): "If you have a vulnerable package installed, you are advised to update or deinstall it immediately." > I often mail folks when I enter their port into VuXML. I intend to > automate this nagging, but just haven't gotten around to it yet. What is the point in not marking those port as FORBIDDEN? It is easy to remove (so you don't romp over port maintainers, like just committing the fix, which might be done differently), gives maintainers time to analyze the issue without piecing together a quick fix and prevents the vulnerable version from being installed. In my eyes this benefits maintainers (who have to fix these issues anyways, but have more room to do so) as well as users (which normally do not want to use vulnerable ports, especially since exploits get more popular every day), or do I make a mistake here? >>Since you are the FreeBSD Security Officer, you are the ultimate authority >>what issues are serious. > > I'm just a guy. The Security Team are just more guys (but very > helpful and clueful ones--- thanks guys!!). We want and need > coordination with the ports maintainers: they (should) have a level > of expertise with their particular applications that we simply cannot > have for the 10,000+ ports. I totally agree, although this doesn't conflict with the sentence above. > Not to mention, ports maintainers can be touchy. As can we all :-) I can understand this in the case of functional changes to the port, things that could have been done differently. A FORBIDDEN line could only be removed, whether you like it or not. And if the port maintainer believes that the vulnerability doesn't exist, (s)he could remove the entry from the VuXML file, or set the severity to minor, so backing out from a FORBIDDEN is easy too. Of course I don't like to maintain a vulnerable port... ;P >>It seems like there are criteria that have consequences (marking >>a port FORBIDDEN or not), please note this somewhere in the VuXML >>document. > > I'd like to take a step before committing myself (and any would-be > VuXML contributor) into assigning a severity to every issue. If > there is rough consensus from the ports community (committers and > maintainers) that any documented security issue is grounds enough to > mark a port FORBIDDEN, then we'll follow the policy that (entry in > VuXML document) == (port must be marked FORBIDDEN). > > This seems to be your stance, and I do not think it is unreasonable. > Although I made the comment earlier that I don't share the opinion, it > is nonetheless attractive because it is simple :-) I can live with both. Either VuXML contains only entries that are so serious that a port should be marked FORBIDDEN, or it contains additional entries that are not of this importance and are marked as such. The decision how severe an issue is has already be made with every commit to the VuXML document (by marking the affected ports as FORBIDDEN or not), it is only not documented. This is just a question of a clearly stated policy, not about assigning a severity - that is already done. -Oliver