From: Michael Nottebrock <michaelnottebrock@gmx.net>
Date: Tue, 30 Mar 2004 08:25:43 +0200
To: "Jacques A. Vidrine"
Cc: FreeBSD Security, Oliver Eikemeier
Subject: Re: cvs commit: ports/multimedia/xine Makefile
Message-ID: <406912E7.4040806@gmx.net>
In-Reply-To: <20040330045646.GD5998@madman.celabo.org>
References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <4068A0AF.2090807@gmx.net> <4068A90A.7000104@fillmore-labs.com> <4068B881.4010304@gmx.net> <20040330045646.GD5998@madman.celabo.org>

Jacques A. Vidrine wrote:

> It so happens that in the past month or so there has been quite a
> discussion on a closed vendor security list (mostly large Linux
> distros + some UNIX vendors) regarding severity rating systems.
> It's really hard, and it's really subjective. CVE does not assign
> severity, largely because they do not feel that it is part of their
> role. Attempts to create systems such as you describe (types of
> vulnerabilities) have bogged down: some of the better thought out
> proposals result in 4-6 dimensions.

Okay, that's quite impossible then.

> The only reasonable option for the security conscious (IMHO), is to
> avoid applications with *any* reported security issues until one has
> read and understood that issue. This is pretty close to what Oliver's
> portaudit does (I think).

Right, and I have no problem with that (I _like_ portaudit :-)).

However, it seems to me that marking ports FORBIDDEN for security reasons is more or less obsoleted (and made redundant) by portaudit/VuXML, and committers having to hand-scan VuXML for updates and mark ports FORBIDDEN by hand just seems like duplicated (and error-prone) work... so maybe it's time to do away with marking ports FORBIDDEN for security reasons completely?

Also, what eik says about integrating portaudit into sysinstall (does this imply moving portaudit into the base system at some point?) sounds very good to me, but I still don't like security-by-default schemes which can't be disabled by flipping a switch. FORBIDDEN ports are an example of this: forcing users to hand-edit a port Makefile in order to make it buildable (especially when the security issue is really minor or I'm not even affected) is just a tad too BOFH-ish for my taste.

-- 
   ,_,   | Michael Nottebrock              | lofi@freebsd.org
 (/^ ^\) | FreeBSD - The Power to Serve    | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org
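The message above contrasts hand-marking ports FORBIDDEN with letting portaudit match installed packages against VuXML entries. The following is an added illustration of that matching step, written for this page; it is not portaudit's own code nor any FreeBSD project code. It uses the real VuXML element layout (`vuln`/`affects`/`package`/`name`/`range` with `lt`, `le`, `gt`, `ge`, `eq` bounds) but the sample entry, its `vid` and its version numbers are constructed placeholders, and `version_key` is a deliberately simplified stand-in for pkg_version(1)'s ordering rules (epoch, dotted version, port revision only).

```python
import re
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed sample document in the VuXML layout. The vid, package names
# and version bounds are placeholders for illustration, not a real advisory.
SAMPLE_VUXML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>xine -- constructed example entry</topic>
    <affects>
      <package>
        <name>xine</name>
        <range><lt>0.9.23_1</lt></range>
      </package>
      <package>
        <name>libxine</name>
        <range><ge>1.0.0</ge><lt>1.0.2</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def version_key(ver):
    """Simplified ordering key for 'VERSION[_REVISION][,EPOCH]' strings.

    Epoch dominates, then the dotted version (digit runs compared as
    integers, letter runs as strings), then the port revision. This is an
    assumption-level simplification of pkg_version(1); it does not handle
    'pl', 'a'/'b'/'rc' or other special suffixes.
    """
    epoch = 0
    if "," in ver:
        ver, epoch_text = ver.split(",", 1)
        epoch = int(epoch_text)
    revision = 0
    if "_" in ver:
        ver, revision_text = ver.split("_", 1)
        revision = int(revision_text)
    parts = []
    for piece in ver.split("."):
        for token in re.findall(r"\d+|[A-Za-z]+", piece):
            # Tag numeric and textual tokens so tuples never compare int to str.
            parts.append((0, int(token)) if token.isdigit() else (1, token))
    return (epoch, parts, revision)


_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def in_range(version, range_el):
    """True when `version` satisfies every bound inside one <range> element."""
    key = version_key(version)
    for bound in range_el:
        tag = bound.tag.replace(VUXML_NS, "")
        if not _OPS[tag](key, version_key(bound.text.strip())):
            return False
    return True


def audit(installed, vuxml_text=SAMPLE_VUXML):
    """Map each installed 'name-version' package to the vids that affect it.

    Packages with no matching range are absent from the result, so an
    empty dict means nothing in `installed` is covered by an entry.
    """
    root = ET.fromstring(vuxml_text)
    hits = {}
    for vuln in root.iter(VUXML_NS + "vuln"):
        vid = vuln.get("vid")
        for pkg in vuln.iter(VUXML_NS + "package"):
            names = {n.text.strip() for n in pkg.findall(VUXML_NS + "name")}
            ranges = pkg.findall(VUXML_NS + "range")
            for pkgname in installed:
                name, ver = pkgname.rsplit("-", 1)
                if name in names and any(in_range(ver, r) for r in ranges):
                    hits.setdefault(pkgname, []).append(vid)
    return hits


if __name__ == "__main__":
    # Constructed list of installed packages; only the first and third match.
    for pkg, vids in audit(["xine-0.9.23", "xine-0.9.23_1",
                            "libxine-1.0.1", "libxine-1.0.2"]).items():
        print(pkg, "affected by", ", ".join(vids))
```

The point the check makes concrete: a single `<range>` bound on the package's own version is all that separates "affected" from "not affected" (`xine-0.9.23` matches, `xine-0.9.23_1` does not), which is the data a committer would otherwise have to read and transcribe by hand into a `FORBIDDEN` line in the port's Makefile.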