Date: Wed, 16 Jul 2014 10:35:37 +1000
From: Dewayne Geraghty
To: Bryan Drewery, René Ladan, "ports@freebsd.org Ports"
Subject: Re: marking vulnerable ports forbidden?

On 16/07/2014 7:48 AM, Bryan Drewery wrote:
> On 7/15/2014 7:45 AM, René Ladan wrote:
>> Hi,
>>
>> according to Freshports [1] there are currently 24 vulnerable ports not
>> marked as forbidden.
>> How about checking this list on a regular basis and marking such ports as
>> forbidden and optionally as deprecated? This would inform users not using
>> vuxml earlier about vulnerabilities.
>>
>> [1] http://www.freshports.org/ports-vulnerable.php
>>
>> Regards,
>> René
> Do take it case-by-case though. Doing this wipes out most Linux ports
> IIRC. Some of the vulns documented are not worthy of a FORBIDDEN.
>
Good point Bryan. I've added this to my /usr/ports/Mk/bsd.port.mk to
accommodate an ability to choose and make my own informed decision. It
might be worthy of adoption:

--- /usr/ports/Mk/bsd.port.mk.orig2 2014-07-16 10:28:19.000000000 +1000
+++ /usr/ports/Mk/bsd.port.mk 2014-07-16 10:28:31.000000000 +1000
@@ -3036,7 +3036,7 @@
 .if !defined(TRYBROKEN)
 IGNORE= is marked as broken on ${ARCH}: ${BROKEN_${ARCH}}
 .endif
-.elif defined(FORBIDDEN)
+.elif defined(FORBIDDEN) && !defined(NO_IGNORE_FORBIDDEN)
 IGNORE= is forbidden: ${FORBIDDEN}
 .endif

The use of NO_IGNORE is far too coarse, so NO_IGNORE_FORBIDDEN is a
compromise. :)
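
Review bot: on the changed `.elif defined(FORBIDDEN) && !defined(NO_IGNORE_FORBIDDEN)` line, defining the knob skips `IGNORE= is forbidden: ${FORBIDDEN}` entirely, so the build proceeds without ever showing why the port was forbidden. Consider keeping the reason visible when the override is in effect (for example a warning that prints ${FORBIDDEN}), so the choice stays an informed one. Because the test is only `defined()`, setting the knob once applies to every forbidden port, not just the one that was reviewed; a per-port form would be narrower. The neighbouring BROKEN branch uses `!defined(TRYBROKEN)` for the same kind of override, so a name in that style would be more consistent, and the new knob needs a line of documentation since the hunk adds none.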