From: Oliver Fromme
Date: Wed, 7 Sep 2011 15:53:15 +0200 (CEST)
To: freebsd-ports@FreeBSD.ORG, ertr1013@student.uu.se, peterjeremy@acm.org
Subject: Re: sysutils/cfs
Message-Id: <201109071353.p87DrFS1046072@lurza.secnetix.de>
In-Reply-To: <20110907115508.GA95119@owl.midgard.homeip.net>
List-Id: Porting software to FreeBSD (freebsd-ports)

Erik Trulsson wrote:
> On Wed, Sep 07, 2011 at 09:37:07PM +1000, Peter Jeremy wrote:
> > On 2011-Sep-06 23:30:04 -0700, Stanislav Sedov wrote:
> > > What about requiring that the ports deprecated should be either broken
> > > or have known published vulnerabilities for a long period of
> > > time (say 6 months) for the start?
> >
> > This might be reasonable for broken ports but ports with known
> > vulnerabilities should either be fixed or removed promptly.
>
> That depends somewhat on the exact nature of the vulnerability.
> Depending on how the port is used, a given vulnerability might not
> be a problem. (E.g. if a port has a vulnerability which allows a local
> user to become root, then it is a problem for multi-user systems with
> untrusted users, but for a system which only has a single user or only
> trusted users it would not be a significant problem.)
>
> If a port can be used safely despite existing vulnerabilities, it is not
> at all clear it needs to be removed quickly even if it is not fixed.
>
> (Marking it FORBIDDEN so potential users are warned about known
> problems is another thing.)

I tend to agree with Erik here.

In my opinion, the important thing is to let the user know about the
problem, so the *user* can make an educated decision instead of having
ports committers force the decision upon all users.

There are many examples of security problems that might not affect all
users. Users might also decide to take the risk, especially if the
software in question provides a unique feature that is essential to the
user and cannot be replaced. Appropriate measures can be taken to contain
the risk, such as running the software inside a jail or VM.

The question is how to inform the user in a reasonable and reliable way.
I think ports-mgmt/portaudit already does a very good job, but it is
optional, and I guess that many (maybe even most) "non-expert" users
don't install it or don't even know about it. It might be a good idea
to make portaudit a mandatory part of the ports framework and enable it
by default.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606, management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registry Court
Munich, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

"Documentation is like sex; when it's good, it's very, very good, and
when it's bad, it's better than nothing." -- Dick Brandon