Date: Fri, 29 Sep 2000 20:00:17 -0400
From: "Jonathan M. Slivko" <jmslivko@mindspring.com>
To: "Igor Roshchin" <str@giganda.komkon.org>, <kris@FreeBSD.ORG>, <roman@xpert.com>
Cc: <security@FreeBSD.ORG>
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID: <008b01c02a71$6b8938c0$d04379a5@p4f0i0>
References: <200009292349.TAA07263@giganda.komkon.org>
I totally agree with that, Igor. My two cents is this: If you remove a port
because of its security concerns, then you're robbing the average user of the
choice between what mail client to use. Also, it's not the job of the FreeBSD
development team/patch/security team to weed out all the insecure programs; the
responsibility lies mainly on the systems administrators who are going to be
dealing with the backlash of their decisions. So, I think that the choice should
be there; just let the system administrator read up on pine's security flaws and
try to work around them if he truly wants to run it.

Just because you're thinking of marking it as "dangerous" doesn't mean everyone
running FreeBSD is gonna stop using it. If they can't get it from ports, they'll
just get the source and install it themselves, regardless. So, we might as well
have the patches and fixes for what we can and leave what we, as the FreeBSD
team, can't accomplish to the systems administrators, who are ultimately
responsible for the action they take.

Personally, I run pine on my FreeBSD machines and I am very happy with it.
Especially some of the addons are extremely helpful. If you ask my opinion, let
pine stay in its normal state and leave the security and the management of the
machines that run it to the systems administrators, where the responsibilities
lie in the first place. Doesn't everyone agree with me on that?

-- 
Jonathan M. Slivko
Jonathan M. Slivko, President & Founder - Linux Mafia Internet Services
Phone: (212) 663-1109 - Pager: (917) 388-5304 (24/7)
Webpage: http://www.linux-mafia.net -- "ya gotta pay for protection"

----- Original Message -----
From: "Igor Roshchin" <str@giganda.komkon.org>
To: <kris@FreeBSD.ORG>; <roman@xpert.com>
Cc: <security@FreeBSD.ORG>
Sent: Friday, September 29, 2000 7:49 PM
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)

> > Date: Fri, 29 Sep 2000 15:51:15 -0700
> > From: Kris Kennaway <kris@FreeBSD.ORG>
> > Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
> >
> > On Sat, Sep 30, 2000 at 02:41:30AM +0200, Roman Shterenzon wrote:
> >
> > > Perhaps I'll move to mutt, the same command gives only 92 occurrences :)
> > > Mutt on the other hand has sgid binary installed..
> >
> > I haven't looked at mutt yet - of course, just grepping for functions
> > is a poor indicator of the security of a program, but in the case of
> > pine it is so blatant (and the authors have a bad enough track record)
> > as to leave little doubt there are others which are remotely
> > exploitable aside from the currently known exploitable ones.
> >
> > Kris
>
> From the point of view of a system administrator, who cares about
> security of his box and wants to scrutinize the software,
> I understand the motion like: "pine [,mutt, ..] is insecure, let's remove it".
>
> From the point of view of a user who has been using the particular software
> (I almost never use pine myself, but I have other preferences as a user)
> for [2-7] years, I would not agree with such a [re]action.
> I know several users for whom it would be a big problem
> (or I should better say, a big effort) to stop using pine,
> and move to some other mail agent..
>
> Ghm.. with all that said, I am not sure if I want it to be weeded out.
>
> So, it's again a decision between having a completely secure machine
> where nothing can be used and therefore nothing can be done effectively,
> or a completely insecure machine with all conveniences at hand.
> Probably, for many (or at least some reasonable part) of admins the
> optimum is somewhere in between those two extreme cases.
>
> Now, my suggestion: maybe it would be reasonable to leave such
> potentially insecure ports in the FreeBSD port collection,
> while adding an additional warning in the
> install script about this potential danger of these ports/packages...
>
> Regards,
>
> Igor
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
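The "grepping for functions" heuristic that Roman and Kris refer to in the quoted part of this thread, written out as an added example that is not part of any message above and not FreeBSD or pine code. The list of risky libc calls, the constructed sample source file and the temporary directory it is written to are assumptions made for the demonstration; the script counts only bare calls (name followed by an opening parenthesis), so bounded variants such as strncpy and prefixed names such as vsprintf are not mis-counted as their unbounded cousins, which is one of the ways raw occurrence counts mislead.

```shell
#!/bin/sh
# Added example: count calls to classic unbounded-copy / format functions
# in a source tree. The count is a triage aid for a manual review, not a
# measure of security: it says nothing about whether the input reaching
# each call is attacker-controlled or already length-checked.

# Assumed list of libc calls worth a manual look.
UNSAFE_FUNCS="gets strcpy strcat sprintf vsprintf scanf"

# count_unsafe_calls DIR: print "function count" for each name in
# UNSAFE_FUNCS, counting source lines under DIR that contain a call to it.
count_unsafe_calls() {
    dir=$1
    for fn in $UNSAFE_FUNCS; do
        # The leading group rejects matches inside longer identifiers
        # (e.g. "sprintf" inside "vsprintf"), portably across BSD and GNU grep.
        n=$(grep -r -h -E "(^|[^[:alnum:]_])${fn}[[:space:]]*\(" "$dir" 2>/dev/null \
            | wc -l | tr -d ' ')
        printf '%s %s\n' "$fn" "$n"
    done
}

# total_unsafe_calls DIR: one number, the kind of figure compared across
# mail clients in the thread.
total_unsafe_calls() {
    count_unsafe_calls "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# make_sample_tree: write a constructed C file into a fresh temporary
# directory and print the directory name, so the script runs offline.
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/demo.c" <<'EOF'
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                    /* unbounded copy: counted */
    sprintf(buf, "hi %s", name);          /* unbounded format: counted */
    strncpy(buf, name, sizeof buf - 1);   /* bounded: must not be counted */
    puts(buf);
}
EOF
    echo "$d"
}

# Stand-alone run: ./audit.sh --demo prints the per-function table and total
# for the constructed tree, then cleans up.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    count_unsafe_calls "$tree"
    echo "total: $(total_unsafe_calls "$tree")"
    rm -rf "$tree"
fi
```

Point the functions at a real checkout (for example the extracted source of a port under its work directory) to get the same table; a high number is a reason to read the code, and a low one, as Kris notes, proves nothing on its own.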