Date:      Tue, 30 Mar 2004 02:00:01 +0200
From:      Michael Nottebrock <michaelnottebrock@gmx.net>
To:        Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc:        FreeBSD Security <security@FreeBSD.org>
Subject:   Re: cvs commit: ports/multimedia/xine Makefile
Message-ID:  <4068B881.4010304@gmx.net>
In-Reply-To: <4068A90A.7000104@fillmore-labs.com>
References:  <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <4068A0AF.2090807@gmx.net> <4068A90A.7000104@fillmore-labs.com>


Oliver Eikemeier wrote:

> That's a question of semantics. It makes absolutely no sense to add a
> package to the portaudit database when you won't mark the port as FORBIDDEN.

To me it makes no sense anymore to mark ports FORBIDDEN for security reasons 
at all - portaudit uses a centralized source of information, it is much more 
efficient than cvsup, as you mentioned, it's smarter with regard to old 
versions, and it does automated checks via periodic.

In short, bye-bye FORBIDDEN, hello portaudit.

> The message is `do not install this port', and I hope to get support for
> portaudit into sysinstall to prevent users with release CDs from installing
> vulnerable ports in the first place. Currently there is no such thing as
> `It may be ok to use this port if you are careful'; if you deem such a
> feature useful I will look into implementing it.

I'd deem such a feature quite useful indeed. Actually, the decision-making 
about what is too serious to ignore and what is not could be handed back to 
the system administrator this way: if VuXML would provide a fine-grained 
classification of security issues (not by severity, but by type: privilege 
escalation (incl. root/excl. root), local/remote denial-of-service, 
buffer-overflow-but-no-exploit-known, etc., etc.), users could customize 
portaudit to forbid access to packages or just warn about them from a set of 
rules (which would ideally also allow making exceptions by portname and other 
criteria - I realise that's quite a wishlist, but since you asked... ;-)).

The current behaviour could be provided as default.

-- 
    ,_,   | Michael Nottebrock               | lofi@freebsd.org
  (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
    \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org
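The rule-based policy sketched in the message above, as an added illustration that is not portaudit or VuXML code: issues carry a constructed type tag, the administrator maps types to forbid/warn/allow, per-port exceptions override the type rules, and the current all-FORBIDDEN behaviour is the default. The type tags, rule syntax, sample advisories and port names are all assumptions made up for this example.

```python
# Added example (not portaudit or VuXML code): a hypothetical rule
# evaluator for per-type classification plus per-port exceptions.
# Type tags, rule syntax and sample entries are constructed.
from dataclasses import dataclass

FORBID, WARN, ALLOW = "forbid", "warn", "allow"
_SEVERITY = {ALLOW: 0, WARN: 1, FORBID: 2}


@dataclass(frozen=True)
class Issue:
    port: str   # port origin, e.g. "multimedia/xine"
    vid: str    # advisory id (constructed placeholder)
    kind: str   # constructed type tag, e.g. "privesc-root"


# Today's behaviour as the default: any known issue forbids the port.
DEFAULT_RULES = {"*": FORBID}


def decide(issue, rules, exceptions):
    """Action for one issue: a per-port exception beats the per-type
    rule, which beats the "*" fallback (FORBID if none is given)."""
    if issue.port in exceptions:
        return exceptions[issue.port]
    return rules.get(issue.kind, rules.get("*", FORBID))


def audit(issues, rules=DEFAULT_RULES, exceptions=None):
    """Return {port: strictest action} over every issue on that port, so
    one forbid-class issue still blocks a port that also has warn-class ones."""
    exceptions = exceptions or {}
    verdict = {}
    for issue in issues:
        action = decide(issue, rules, exceptions)
        if _SEVERITY[action] > _SEVERITY.get(verdict.get(issue.port), -1):
            verdict[issue.port] = action
    return verdict


# Constructed sample database entries (not real advisories).
SAMPLE_ISSUES = [
    Issue("multimedia/xine", "vid-0001", "bof-no-exploit"),
    Issue("net/example-daemon", "vid-0002", "privesc-root"),
    Issue("net/example-daemon", "vid-0003", "dos-remote"),
    Issue("www/example-cgi", "vid-0004", "dos-remote"),
]

# One administrator's policy: forbid root escalations, warn on the rest,
# and explicitly accept the xine issue on a single-user desktop.
ADMIN_RULES = {"privesc-root": FORBID, "*": WARN}
ADMIN_EXCEPTIONS = {"multimedia/xine": ALLOW}
```

Calling `audit(SAMPLE_ISSUES)` reproduces the current behaviour (every affected port forbidden), while `audit(SAMPLE_ISSUES, ADMIN_RULES, ADMIN_EXCEPTIONS)` forbids only the daemon, warns about the CGI, and allows xine.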

