Date: Fri, 29 Sep 2000 17:26:44 -0700
From: Kris Kennaway <kris@FreeBSD.org>
To: "Jonathan M. Slivko" <jmslivko@mindspring.com>
Cc: Igor Roshchin <str@giganda.komkon.org>, kris@FreeBSD.ORG, roman@xpert.com, security@FreeBSD.ORG
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID: <20000929172644.C6456@freefall.freebsd.org>
In-Reply-To: <008b01c02a71$6b8938c0$d04379a5@p4f0i0>; from jmslivko@mindspring.com on Fri, Sep 29, 2000 at 08:00:17PM -0400
References: <200009292349.TAA07263@giganda.komkon.org> <008b01c02a71$6b8938c0$d04379a5@p4f0i0>
On Fri, Sep 29, 2000 at 08:00:17PM -0400, Jonathan M. Slivko wrote:

> If you remove a port because of its security concerns, then you're robbing
> the average user of the choice between what mail client to use. Also, it's not
> the job of the FreeBSD development team/patch/security team to weed out all
> the insecure programs, the responsibility lies mainly on the systems

Yes it is. Allowing the user to install insecure software only leaves them with a false sense of security and the feeling of betrayal when they get exploited through it.

> administrators that are going to be dealing with the backlash of their
> decisions. So, I think that the choice should be there, just let the system
> administrator read up on pine's security flaws and try to work around them
> if he truly wants to run it.

They can't be worked around, it's pine itself which is the problem. Again, the system administrator who doesn't know about vulnerabilities with a program is unwittingly wide open for attack. I don't find that acceptable, especially when that's software that comes from the FreeBSD ports collection.

> Just because you're thinking of marking it as "dangerous", doesn't
> mean everyone running FreeBSD is gonna stop using it. If they can't
> get it from ports, they'll just get the source and install it
> themselves, regardless. So, we might as well have the patches and
> fixes for what we can and leave what we, as the freebsd team can't
> accomplish to the systems administrators, who are ultimately
> responsible for the action they take. Personally, I run pine on my
> FreeBSD machines and I am very happy with it. Especially some of the
> addons are extremely helpful.

It should be a wilful, informed decision to go out and install something on your machine which makes it vulnerable to a security hole. I'm not about to compromise the security of FreeBSD installations by leaving the pine ports able to be installed with no warning.
What I probably will do is the same thing I've done with a number of other terminally-insecure-but-useful ports: stick a Big Scary Warning on the front of it which users must agree to before it will install.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe@alum.mit.edu>