Date: Tue, 30 Mar 2004 08:24:16 -0600
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Michael Nottebrock <michaelnottebrock@gmx.net>
Cc: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Subject: Re: cvs commit: ports/multimedia/xine Makefile
Message-ID: <20040330142416.GJ10949@lum.celabo.org>
In-Reply-To: <406912E7.4040806@gmx.net>
References: <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <4068A0AF.2090807@gmx.net> <4068A90A.7000104@fillmore-labs.com> <4068B881.4010304@gmx.net> <20040330045646.GD5998@madman.celabo.org> <406912E7.4040806@gmx.net>

On Tue, Mar 30, 2004 at 08:25:43AM +0200, Michael Nottebrock wrote:
> Right, and I have no problem with that (I _like_ portaudit :-)). However,
> it seems to me that marking ports FORBIDDEN for security reasons is more or
> less obsoleted (and made redundant) by portaudit/VuXML and committers
> having to hand-scan VuXML for updates and mark ports FORBIDDEN by hand just
> seems like duplicated (and error-prone) work... so maybe it's time to do
> away with marking ports FORBIDDEN for security reasons completely?

Maybe :-)

> Also, what eik says about integrating portaudit into sysinstall (does this
> imply moving portaudit into the base-system at some point?) sounds very
> good to me, but I still don't like security-by-default schemes which can't
> be disabled by flipping a switch. FORBIDDEN ports are an example for this,
> forcing users to hand-edit a port Makefile in order to make it buildable
> (especially when the security issue is really minor or I'm not even
> affected) is just a tad too BOFH-ish for my taste.

Well, a reason I mentioned `hooks' to Oliver is because I have my own
unfinished scheme for managing this issue. It takes a different approach
than portaudit, that I think you'd like. But I don't want to say more
because it is vaporware until release :-)

Basically, any attempt to integrate such vulnerability checking into
pkg_* tools or bsd.port.mk needs to be done so that tools can plug-in.
In that fashion, users have a choice of security policy.

The commit of a `Vulnerability Check' to bsd.port.mk happened under my
radar, so I didn't comment on it at the time. It may or may not be
sufficient for hooks as it is now.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org