Date: Tue, 30 Mar 2004 02:00:01 +0200
From: Michael Nottebrock <michaelnottebrock@gmx.net>
To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc: FreeBSD Security <security@FreeBSD.org>
Subject: Re: cvs commit: ports/multimedia/xine Makefile
Message-ID: <4068B881.4010304@gmx.net>
In-Reply-To: <4068A90A.7000104@fillmore-labs.com>
References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <4068A0AF.2090807@gmx.net> <4068A90A.7000104@fillmore-labs.com>
Oliver Eikemeier wrote:
> That's a question of semantics. It makes absolutely no sense to add a
> package to the portaudit database when you won't mark the port as
> FORBIDDEN.

To me it makes no sense anymore to mark ports FORBIDDEN for security reasons at all - portaudit uses a centralized source of information, it is much more efficient than cvsup, as you mentioned it's smarter with regard to old versions and it does automated checks via periodic. In short, bye-bye FORBIDDEN, hello portaudit.

> The message is `do not install this port', and I hope to get support for
> portaudit into sysinstall to prevent users with release CDs from installing
> vulnerable ports in the first place. Currently there is no such thing as
> `It may be ok to use this port if you are careful'; if you deem such a
> feature useful I will look into implementing such a feature.

I'd deem such a feature quite useful indeed. Actually, the decision-making about what is too serious to ignore and what is not could be handed back to the system administrator this way: if VuXML would provide a fine-grained classification of security issues (not by severity, but by type: privilege escalation (incl. root/excl. root), local/remote denial-of-service, buffer-overflow-but-no-exploit-known, etc., etc.), users could customize portaudit to forbid access to packages or just warn about them from a set of rules (which would ideally also allow making exceptions by portname and other criteria - I realise that's quite a wishlist, but since you asked... ;-)). The current behaviour could be provided as default.
--
,_,     | Michael Nottebrock                  | lofi@freebsd.org
(/^ ^\) | FreeBSD - The Power to Serve        | http://www.freebsd.org
 \u/    | K Desktop Environment on FreeBSD    | http://freebsd.kde.org