Date: Mon, 29 Mar 2004 12:53:47 -0600
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Cc: Oliver Eikemeier <eik@FreeBSD.org>
Subject: Re: cvs commit: ports/multimedia/xine Makefile
Message-ID: <20040329185347.GB87233@madman.celabo.org>
In-Reply-To: <40686785.7020002@fillmore-labs.com>
References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com>
On Mon, Mar 29, 2004 at 08:14:29PM +0200, Oliver Eikemeier wrote:
> Jacques A. Vidrine wrote:
>
> >On Sun, Mar 28, 2004 at 03:44:06PM -0800, Oliver Eikemeier wrote:
> >
> >>eik         2004/03/28 15:44:06 PST
> >>
> >>  FreeBSD ports repository
> >>
> >>  Modified files:
> >>    multimedia/xine      Makefile
> >>  Log:
> >>  Mark forbidden due to an entry in the VuXML database. Don't
> >>  forget to add the version which fixes the issues there.
> >
> >FWIW:
> >
> >I didn't mark this port FORBIDDEN when I added the issue to the
> >database because some issues are not very severe.  For example, this
> >issue has practically no impact on single user systems, and quite
> >possibly no impact on any FreeBSD user anywhere.  Marking the port
> >FORBIDDEN in this case seems extreme.
>
> It's in the official FreeBSD vulnerability database.

The vulnerability database is meant to be comprehensive and
informational.  It is not a policy document.

> >I'd prefer to reserve FORBIDDEN for those cases where the ports
> >present some danger.  Those who want a more strict policy can use
> >portaudit or similar, right?
>
> I guess we have to add a severity tag then, to enable `soft'
> vulnerabilities.  I have an automated script that barks on unmarked
> vulnerabilities, and it can't decide which vulnerability is
> `important'.

Yes, I wanted to avoid this.  Severity is sooo subjective.  I prefer
that people close to the port make the severity judgement--- if the
maintainer or a fellow committer believes the item is severe, then let
them mark it FORBIDDEN.  That is why I said `FWIW' above--- if you
believe it is severe, then please by all means leave it FORBIDDEN.
However, I had the impression that you were marking it only because it
was listed in the VuXML document.

I suppose we could consider a very coarse-grained severity rating, but
I'd rather not.  I guess such a discussion should take place over on
freebsd-security@.

> >> http://people.freebsd.org/~eik/portaudit/fde53204-7ea6-11d8-9645-0020ed76ef5a.html
> >
> >By the way, I'd appreciate it if you'd point to the VuXML site instead
> >(the URLs are `permanent').
> >
> >  http://vuxml.freebsd.org/
> >  http://vuxml.freebsd.org/fde53204-7ea6-11d8-9645-0020ed76ef5a.html
>
> These are generated by the same script that generates the portaudit
> database, so they will never go out of sync.

I'm not sure how to take that response :-)  I'd prefer to use the
permanent FreeBSD URL, which points to the VuXML site which is near
real-time updated and where I'll be focusing browsing experience
enhancements.  Is there something in particular missing?
(contributions welcome!)

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org