From: Matthieu Volat
Date: Fri, 23 Nov 2012 14:37:35 +0100
To: freebsd-ports@freebsd.org
Subject: Re: Opera vulnerability, marked forbidden instead of update?

On Fri, 23 Nov 2012 09:00:59 +0000 Matthew Seaman wrote:

> On 23/11/2012 08:26, Matthieu Volat wrote:
> > I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> > http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
> >
> > The Opera software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it.
> >
> > I am not familiar with the security process in ports, but would it not be better to update the version? Marking it FORBIDDEN does not do much for the userbase that does already have it installed.
> >
> > I've bumped the versions in the Makefile
> > OPERA_VER?= 12.11
> > OPERA_BUILD?= 1661
> > and made a `make makesum reinstall`, there was no apparent problem.
>
> Marking a port 'FORBIDDEN' is a quick response measure that can be done
> without having to worry about time-consuming testing of the port and so
> forth. It's an interim measure taken to ensure that users do not
> unwittingly install software with known vulnerabilities.
>
> Yes, updating the port to a non-vulnerable version is the ideal
> response, but that may not be possible to do straight away. You've
> sketched out the first couple of steps a port maintainer would take, but
> that 'there was no apparent problem' statement would need to be backed
> up by some more rigorous testing before a maintainer would feel
> confident in committing the update.
>
> Cheers,
>
> Matthew

Hello and thanks for the explanation,

Cheers,

--
Matthieu Volat