Date: Fri, 13 Feb 2004 02:36:28 +0100
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Ion-Mihai Tetcu <itetcu@apropo.ro>
Cc: ports@FreeBSD.org
Subject: Re: security issues in Ports and VuXML
Message-ID: <402C2A1C.4010202@fillmore-labs.com>
In-Reply-To: <20040212173817.7315b7d1@it.buh.cameradicommercio.ro>
References: <20040212144522.GB20647@madman.celabo.org> <20040212173817.7315b7d1@it.buh.cameradicommercio.ro>
Ion-Mihai Tetcu wrote:

> On Thu, 12 Feb 2004 08:45:22 -0600
> "Jacques A. Vidrine" <nectar@FreeBSD.org> wrote:
>
>> Hello Porters!
>>
>> If you know of security issues for ports that you maintain,
>> please make an effort to include those issues in the VuXML file
>> (ports/security/vuxml/vuln.xml). You can either use existing entries
>> as examples, or if you are completely lost you can just email
>> security-team@FreeBSD.org with your information.
>
> What is the relation between this and ports/security/portaudit which has
> been recently added to the ports infrastructure ?

Both ports deal with known security vulnerabilities in the FreeBSD system: VuXML is a generic database format for the whole system including the base system, portaudit a framework to check if a FreeBSD port is listed in a vulnerability database, including a more stringent version number definition, a database distribution system and checking during install time. As far as I understand the focus of portaudit and VuXML, they are complementing projects.

In the current state portaudit uses a simple flat file database since I needed something to start with and wanted a format that is common to port committers (similar to MOVED), but the system is more or less database format agnostic. Because the distribution file is a simple tar file it is easy to distribute the VuXML database along with the flat file database, or even add signatures. If we decide that the VuXML format is better suited for the job than a flat file database it is easy to integrate it into portaudit in the long run; I have to look into security/vuxml to see what is the best way to synchronize the databases.

It is great to see security-team@ support for port security auditing, and I like to involve more people in the project. Currently portaudit is in a development and learning phase, and issues I'm working on are:

- a better distribution system, e.g. a script that finds the nearest mirror of the database and fetches the file from there, not from a random location, integrating PR 62655.
- a checksum system that checks if a new database is available by just fetching an md5 sum or a date and not the whole database, like the way clamav does it.
- a push mechanism that informs systems (by email?) that an updated database is available instead of waiting for the next scheduled check.
- integration of the system into pkg_add of sysutils/pkg_install-devel
- an evaluation if it makes sense to integrate expat based tools in the periodic and bsd.port.mk check, or if it is better to convert to VuXML database for distribution.
- a flat file -> VuXML converter. That should be easy.
- a VuXML -> flat file converter, to see how it fits into the structure. One thing that can be problematic here is the copyright notice, because it makes most XML tools hard to use.

I appreciate every contribution or feedback that helps us to bring portaudit and VuXML to a 1.0 status. That includes keeping ports/security/portaudit/database/auditfile.txt and ports/security/vuxml/vuln.xml up to date, since this is the only way we can test and improve the system to bring it closer to a release status.

-Oliver
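The checksum-before-fetch idea in the list above (pull a small md5 file first and download the full database only when it differs from the local copy) can be sketched as a short POSIX shell script. This is an added example, not portaudit's own code: it assumes a mirror that publishes `auditfile.tbz.md5` next to `auditfile.tbz`, uses a local directory as the "mirror" and `cp` as a stand-in for fetch(1) so it runs offline, and the file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not portaudit's own code): check a published md5 sum first and
# fetch the full database only when the local copy is stale. The mirror is a
# local directory and "fetch" is simulated with cp so the script runs offline.
set -eu

# Portable md5 of a file: md5sum on GNU systems, md5 -q on BSD.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Returns 0 (update needed) when no local copy exists or when the published
# checksum differs from the local file's checksum; returns 1 when current.
db_needs_update() {
    local_db=$1
    remote_sum_file=$2
    [ -f "$local_db" ] || return 0
    remote_sum=$(cut -d' ' -f1 < "$remote_sum_file")
    [ "$(file_md5 "$local_db")" != "$remote_sum" ]
}

# Fetch the database only when needed, verify the downloaded copy against the
# published checksum, and only then replace the old database atomically.
update_db() {
    mirror_dir=$1
    local_db=$2
    sum_file="$mirror_dir/auditfile.tbz.md5"
    if ! db_needs_update "$local_db" "$sum_file"; then
        echo "database is current"
        return 0
    fi
    tmp="$local_db.tmp"
    cp "$mirror_dir/auditfile.tbz" "$tmp"   # stand-in for fetch(1)
    expected=$(cut -d' ' -f1 < "$sum_file")
    if [ "$(file_md5 "$tmp")" != "$expected" ]; then
        rm -f "$tmp"
        echo "checksum mismatch, refusing to install new database" >&2
        return 1
    fi
    mv "$tmp" "$local_db"
    echo "database updated"
}

# Constructed demo data: a mirror holding version 2 and a stale local version 1.
demo() {
    work=$(mktemp -d)
    mkdir "$work/mirror"
    printf 'vuln entry v2\n' > "$work/mirror/auditfile.tbz"
    printf '%s  auditfile.tbz\n' "$(file_md5 "$work/mirror/auditfile.tbz")" \
        > "$work/mirror/auditfile.tbz.md5"
    printf 'vuln entry v1\n' > "$work/auditfile.tbz"
    update_db "$work/mirror" "$work/auditfile.tbz"   # first run: updates
    update_db "$work/mirror" "$work/auditfile.tbz"   # second run: current
    rm -rf "$work"
}
```

Running `demo` prints "database updated" and then "database is current". The md5 comparison only tells a client whether the mirror holds something newer than its copy and whether the download arrived intact; it does not prove the database came from the project, which is the gap the signed tar file mentioned in the message would close.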