Date: Wed, 7 Sep 2011 15:53:15 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-ports@FreeBSD.ORG, ertr1013@student.uu.se, peterjeremy@acm.org
Subject: Re: sysutils/cfs
Message-ID: <201109071353.p87DrFS1046072@lurza.secnetix.de>
In-Reply-To: <20110907115508.GA95119@owl.midgard.homeip.net>
Erik Trulsson wrote:
> On Wed, Sep 07, 2011 at 09:37:07PM +1000, Peter Jeremy wrote:
> > On 2011-Sep-06 23:30:04 -0700, Stanislav Sedov <stas@FreeBSD.org> wrote:
> > > What about requiring that the ports deprecated should be either broken
> > > or have known published vulnerabilities for a long period of
> > > time (say 6 months) for the start?
> >
> > This might be reasonable for broken ports but ports with known
> > vulnerabilities should either be fixed or removed promptly.
>
> That depends somewhat on the exact nature of the vulnerability.
> Depending on how the port is used a given vulnerability might not
> be a problem. (E.g. if a port has a vulnerability which allows a local
> user to become root, then it is a problem for multi-user systems with
> untrusted users, but for a system which only has a single user or only
> trusted users it would not be a significant problem.)
>
> If a port can be used safely despite existing vulnerabilities it is not
> at all clear it needs to be removed quickly even if it is not fixed.
>
> (Marking it FORBIDDEN so potential users are warned about known
> problems is another thing.)

I tend to agree with Erik here. In my opinion, the important thing
is to let the user know about the problem, so the *user* can make an
educated decision instead of having ports committers force the
decision upon all users.

There are many examples of security problems that might not affect
all users. Users might also decide to take the risk, especially if
the software in question provides a unique feature that is essential
to the user and cannot be replaced. Appropriate measures can be taken
to contain the risk, such as running the software inside a jail or VM.

The question is how to inform the user in a reasonable and reliable
way. I think ports-mgmt/portaudit already does a very good job, but
it is optional, and I guess that many (maybe even most) "non-expert"
users don't install it or don't even know about it.

It might be a good idea to make portaudit a mandatory part of the
ports framework and enable it by default.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry court Munich, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry court
Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"Documentation is like sex; when it's good, it's very, very good,
and when it's bad, it's better than nothing."
        -- Dick Brandon
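The kind of portaudit-style check Oliver is talking about, as an added illustrative example that is not part of the original message and not portaudit's or pkg's own code: a POSIX sh script that matches a constructed list of installed packages against a constructed advisory list and reports affected packages without blocking anything, leaving the decision to the user. All package names, versions and advisory IDs are made up; the version comparison is a deliberate simplification of the real pkg version rules (digit groups separated by dots plus a single `_N` port revision), and only the `name<fixed-version` range form is handled.

```shell
#!/bin/sh
# Added example: a simplified portaudit-style check. Not portaudit/pkg code.
# Every package name, version and advisory ID below is constructed.

# Constructed advisory list, one "name<fixed-version advisory-id" per line:
# every version strictly below fixed-version is affected. (Real VuXML
# entries carry richer ranges; only this one form is handled here.)
VULN_DB='fooserver<2.0.1_3 EXAMPLE-2011-001
barlib<1.0.0_8 EXAMPLE-2011-002
bazutils<4.1 EXAMPLE-2011-003'

# Constructed installed-package list, one "name-version" per line, the shape
# that `pkg info -q` prints.
INSTALLED='fooserver-2.0.1_2
barlib-1.0.0_8
bazutils-4.1
quxshell-4.3.12'

# vercmp A B: prints -1, 0 or 1 as A is below, equal to or above B.
# Simplification of pkg's version grammar: only digit groups separated by
# '.' and a single "_N" port revision are understood; a missing trailing
# component counts as 0, so 1.4.1 < 1.4.1_1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "[._]")
        nb = split(b, pb, "[._]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# audit: print one "Affected package:" line per installed package that falls
# inside an advisory range. Exit status 1 if anything was reported, 0
# otherwise, so the caller (or a ports framework hook) decides what to do;
# the check itself only warns and never blocks an install or a run.
audit() {
    found=0
    for pkg in $INSTALLED; do
        name=${pkg%-*}      # split at the last '-': names may contain dashes
        ver=${pkg##*-}
        while IFS=' ' read -r spec vid; do
            [ -n "$spec" ] || continue
            [ "${spec%%<*}" = "$name" ] || continue
            fixed=${spec#*<}
            if [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then
                printf 'Affected package: %s (%s, fixed in %s)\n' "$pkg" "$vid" "$fixed"
                found=$((found + 1))
            fi
        done <<EOF
$VULN_DB
EOF
    done
    [ "$found" -eq 0 ]
}

# Stand-alone run: report, and mirror the result in the exit status of audit.
if audit; then
    echo "No installed package matches an advisory."
else
    echo "Advisory matches found; the user decides whether to keep running them."
fi
```

With the constructed data above only `fooserver-2.0.1_2` is reported (`barlib` and `bazutils` are exactly at their fixed versions, `quxshell` has no advisory). A ports framework hook would call `audit` and print the result; a user who wants to accept the risk for an essential package can still do so, which is the point of warning rather than removing.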