Date: Tue, 27 Aug 2002 10:05:08 -0700
From: Erick Mechler
To: David Olbersen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ports are insecure?
Message-ID: <20020827170508.GI90157@techometer.net>
In-Reply-To: <20020827165347.GA12522@slickness.org>

:: I read (in this list I think) that somebody was of the opinion that
:: every port installed decreases the security of a machine.

I'm not sure I would go that far, but I would say that for every network port you have open, the amount of admin time does increase. In a way it does make it more insecure, but only if you don't keep up with security upgrades, patches, etc.

:: How exactly does that work? Is this based in the idea that nearly
:: anybody can contribute a port, but the core system is reviewed by a
:: team?
Not just anybody can contribute to a FreeBSD port entry; the commit still has to be done by an authorized committer. However, it's true that just about anybody's software package can become a port, so if you just blindly start installing ports, you might, on rare occasions, install a piece of software that's been trojaned (take the recent OpenSSH trojan for example).

I hope (maybe) this addressed some of your questions :) If you have more questions about the ports system, I'd check out the relevant section of the Handbook:

http://www.freebsd.org/doc/handbook/ports.html

Cheers - Erick