Date: Tue, 30 Mar 2004 08:25:43 +0200 From: Michael Nottebrock <michaelnottebrock@gmx.net> To: "Jacques A. Vidrine" <nectar@freebsd.org> Cc: Oliver Eikemeier <eikemeier@fillmore-labs.com> Subject: Re: cvs commit: ports/multimedia/xine Makefile Message-ID: <406912E7.4040806@gmx.net> In-Reply-To: <20040330045646.GD5998@madman.celabo.org> References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <4068A0AF.2090807@gmx.net> <4068A90A.7000104@fillmore-labs.com> <4068B881.4010304@gmx.net> <20040330045646.GD5998@madman.celabo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigF31C483BAD65430945D97BEB
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Jacques A. Vidrine wrote:
> It so happens that in the past month or so there has been quite a
> discussion on a closed vendor security list (mostly large Linux
> distros + some UNIX vendors) regarding severity rating systems.
> It's really hard, and it's really subjective. CVE does not assign
> severity, largely because they do not feel that it is part of their
> role. Attempts to create systems such as you describe (types of
> vulnerabilities) have bogged down: some of the better thought out
> proposals result in 4-6 dimensions.
Okay, that's quite impossible then.
> The only reasonable option for the security conscious (IMHO), is to
> avoid applications with *any* reported security issues until one has
> read and understood that issue. This is pretty close to what Oliver's
> portaudit does (I think).
Right, and I have no problem with that (I _like_ portaudit :-)). However, it
seems to me that marking ports FORBIDDEN for security reasons is more or less
obsoleted (and made redundant) by portaudit/VuXML and committers having to
hand-scan VuXML for updates and mark ports FORBIDDEN by hand just seems like
duplicated (and error-prone) work... so maybe it's time to to away with
marking ports FORBIDDEN for security reasons completely?
Also, what eik says about integrating portaudit into sysinstall (does this
imply moving portaudit into the base-system at some point?) sounds very good
to me, but I still don't like security-by-default schemes which can't be
disabled by flipping a switch. FORBIDDEN ports are an example for this,
forcing users to hand-edit a port Makefile in order to make it buildable
(especially when the security issue is really minor or I'm not even affected)
is just a tad too BOFH-ish for my taste.
--
,_, | Michael Nottebrock | lofi@freebsd.org
(/^ ^\) | FreeBSD - The Power to Serve | http://www.freebsd.org
\u/ | K Desktop Environment on FreeBSD | http://freebsd.kde.org
--------------enigF31C483BAD65430945D97BEB
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows 2000)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org
iD8DBQFAaRLnXhc68WspdLARAgwJAKCQ2fTsCFuPaY3uvBXdFNgyac5KsgCff7FE
mstC+3p3nc1ugfrm8If3ymc=
=gkuU
-----END PGP SIGNATURE-----
--------------enigF31C483BAD65430945D97BEB--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?406912E7.4040806>