Date:      Fri, 29 Sep 2000 19:49:18 -0400 (EDT)
From:      Igor Roshchin <str@giganda.komkon.org>
To:        kris@FreeBSD.ORG, roman@xpert.com
Cc:        security@FreeBSD.ORG
Subject:   Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID:  <200009292349.TAA07263@giganda.komkon.org>
In-Reply-To: <20000929155115.A6456@freefall.freebsd.org>

> Date: Fri, 29 Sep 2000 15:51:15 -0700
> From: Kris Kennaway <kris@FreeBSD.ORG>
> Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
>
> On Sat, Sep 30, 2000 at 02:41:30AM +0200, Roman Shterenzon wrote:
>
> > Perhaps I'll move to mutt, the same command gives only 92 occurrences :)
> > Mutt on the other hand has sgid binary installed..
>
> I haven't looked at mutt yet - of course, just grepping for functions
> is a poor indicator of the security of a program, but in the case of
> pine it is so blatant (and the authors have a bad enough track record)
> as to leave little doubt there are others which are remotely
> exploitable aside from the currently known exploitable ones.
>
> Kris
>

From the point of view of a system administrator, who cares about
the security of his box and wants to scrutinize the software,
I understand the motion like: "pine [, mutt, ...] is insecure, let's remove it".

From the point of view of a user who has been using the particular software
(I almost never use pine myself, but I have other preferences as a user)
for [2-7] years, I would not agree with such a [re]action.
I know several users for whom it would be a big problem
(or I should better say, a big effort) to stop using pine
and move to some other mail agent..

Ghm.. with all that said, I am not sure if I want it to be weeded out.

So, it's again a decision between having a completely secure machine
where nothing can be used and therefore nothing can be done effectively,
or a completely insecure machine with all conveniences at hand.
Probably, for many (or at least some reasonable part) of admins the 
optimum is somewhere in between those two extreme cases.

Now, my suggestion: maybe it would be reasonable to leave such
potentially insecure ports in the FreeBSD ports collection,
while adding an additional warning in the
install script about this potential danger of these ports/packages...

Regards,

Igor
