From owner-cvs-ports@FreeBSD.ORG  Mon Mar 29 23:37:18 2004
Return-Path: <owner-cvs-ports@FreeBSD.ORG>
Delivered-To: cvs-ports@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 84F1416A4DA; Mon, 29 Mar 2004 23:37:17 -0800 (PST)
Received: from mail011.syd.optusnet.com.au (mail011.syd.optusnet.com.au
	[211.29.132.65])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 9E07443D49; Mon, 29 Mar 2004 23:37:15 -0800 (PST)
	(envelope-from peterjeremy@optushome.com.au)
Received: from server.vk2pj.dyndns.org
	(c211-30-75-229.belrs2.nsw.optusnet.com.au [211.30.75.229])
	i2U7ar108110;	Tue, 30 Mar 2004 17:36:54 +1000
Received: from server.vk2pj.dyndns.org (localhost.vk2pj.dyndns.org
	[127.0.0.1])i2U7arNa074352;	Tue, 30 Mar 2004 17:36:53 +1000 (EST)
	(envelope-from peter@server.vk2pj.dyndns.org)
Received: (from peter@localhost)
	by server.vk2pj.dyndns.org (8.12.10/8.12.10/Submit) id i2U7aqg3074351;
	Tue, 30 Mar 2004 17:36:52 +1000 (EST)
	(envelope-from peter)
Date: Tue, 30 Mar 2004 17:36:52 +1000
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Message-ID: <20040330073652.GB74220@server.vk2pj.dyndns.org>
References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org>
	<20040329163309.GA81526@madman.celabo.org>
	<40686785.7020002@fillmore-labs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <40686785.7020002@fillmore-labs.com>
User-Agent: Mutt/1.4.2.1i
cc: "Jacques A. Vidrine" <nectar@freebsd.org>
cc: cvs-ports@freebsd.org
cc: cvs-all@freebsd.org
cc: ports-committers@freebsd.org
Subject: Re: cvs commit: ports/multimedia/xine Makefile
X-BeenThere: cvs-ports@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the ports tree <cvs-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-ports>,
	<mailto:cvs-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-ports>
List-Post: <mailto:cvs-ports@freebsd.org>
List-Help: <mailto:cvs-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-ports>,
	<mailto:cvs-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2004 07:37:18 -0000

On Mon, Mar 29, 2004 at 08:14:29PM +0200, Oliver Eikemeier wrote:
>I guess we have to add a severity tag then, to enable `soft'
>vulnerabilities.  I have an automated script that barks on unmarked
>vulnerabilities, and it can't decide which vulnerability is
>`important'.

Let me offer two (admittedly hypothetical) examples as to why this
can't work:
1) port "foo" has a severe IPv6 vulnerability:  It includes a network
   daemon process which has a bug allowing an attacker to execute
   arbitrary commands as root by sending IPv6 packets.  There's no
   vulnerability for IPv4.  Despite the seriousness of this bug, it
   doesn't affect me because I don't run IPv6 - it's not even compiled
   into my kernel.
2) port "bar" has an apparently trivial vulnerability that only appears
   when a particularly obscure set of configuration options are used.
   I need "bar" with those particular options as part of a business-
   critical application - the vulnerability is critical to me and I
   need to know that I need to avoid the affected versions.

It might be "obvious" that "foo" should be FORBIDDEN and "bar" shouldn't
be but this is precisely the opposite behaviour to what I need.

I can't see any way to automate this.

Peter