Date:      Fri, 29 Sep 2000 17:26:44 -0700
From:      Kris Kennaway <kris@FreeBSD.org>
To:        "Jonathan M. Slivko" <jmslivko@mindspring.com>
Cc:        Igor Roshchin <str@giganda.komkon.org>, kris@FreeBSD.ORG, roman@xpert.com, security@FreeBSD.ORG
Subject:   Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID:  <20000929172644.C6456@freefall.freebsd.org>
In-Reply-To: <008b01c02a71$6b8938c0$d04379a5@p4f0i0>; from jmslivko@mindspring.com on Fri, Sep 29, 2000 at 08:00:17PM -0400
References:  <200009292349.TAA07263@giganda.komkon.org> <008b01c02a71$6b8938c0$d04379a5@p4f0i0>

On Fri, Sep 29, 2000 at 08:00:17PM -0400, Jonathan M. Slivko wrote:

> If you remove a port because of its security concerns, then you're robbing
> the average user of the choice between what mail client to use. Also, it's not
> the job of the FreeBSD development team/patch/security team to weed out all
> the insecure programs, the responsibility lies mainly on the systems

Yes it is. Allowing the user to install insecure software only leaves
them with a false sense of security and the feeling of betrayal when
they get exploited through it.

> administrators who are going to be dealing with the backlash of their
> decisions. So, I think that the choice should be there, just let the system
> administrator read up on pine's security flaws and try to work around them
> if he truly wants to run it.

They can't be worked around; it's pine itself which is the
problem. Again, the system administrator who doesn't know about
vulnerabilities with a program is unwittingly wide open for attack. I
don't find that acceptable, especially when that's software that comes
from the FreeBSD ports collection.

> Just because you're thinking of marking it as "dangerous", doesn't
> mean everyone running FreeBSD is gonna stop using it.  If they can't
> get it from ports, they'll just get the source and install it
> themselves, regardless. So, we might as well have the patches and
> fixes for what we can and leave what we, as the FreeBSD team, can't
> accomplish to the systems administrators, who are ultimately
> responsible for the action they take. Personally, I run pine on my
> FreeBSD machines and I am very happy with it. Especially some of the
> addons are extremely helpful.

It should be a wilful, informed decision to go out and install
something on your machine which makes it vulnerable to a security
hole. I'm not about to compromise the security of FreeBSD
installations by leaving the pine ports able to be installed with no
warning. What I probably will do is the same thing I've done with a
number of other terminally-insecure-but-useful ports, stick a Big
Scary Warning on the front of it which users must agree to before it
will install.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000929172644.C6456>