Date: Sun, 22 Jun 2014 08:40:03 -0400
From: Chris Nehren <cnehren@pobox.com>
To: freebsd-security@freebsd.org
Subject: Re: Ports tree insecure because of IGNOREFILES+IGNORE
Message-ID: <5004359.PqOTrjIgg6@behemoth>
In-Reply-To: <a226646bae78ce27377cdfc975c3fd46@openmailbox.org>
References: <a226646bae78ce27377cdfc975c3fd46@openmailbox.org>
On Sunday, June 22, 2014 22:31:50 philj@openmailbox.org wrote:
> The IGNOREFILES+IGNORE mechanism allows port maintainers to
> disable checksum checks. I feel that this mechanism is a stain
> on an otherwise fantastic ports system. It reduces user
> confidence in security and makes us all sitting ducks for
> sophisticated adversaries.

Er. There's nothing stopping a port maintainer from saying
"Sorry, the distfiles aren't fetchable from the master sites any
more, I can host a copy" and then hosting a malicious distfile. Or
doing any number of simpler things to cause a problem. The
Project doesn't have the resources to audit every single
distfile's code. If you're that paranoid, you're welcome to do
so yourself.

-- 
Chris Nehren
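As an added illustration of the point under discussion (this is example code written for this archive page, not code from the thread's participants or from the ports framework itself): a small audit script that reads a port's distinfo, recomputes SHA256 over the local distfiles, and reports separately the entries whose digest is the literal IGNORE marker, since those are exactly the files a normal checksum pass accepts without checking. It assumes the distinfo layout `SHA256 (name) = hex` / `SIZE (name) = n` and that IGNOREFILES entries appear in distinfo with `IGNORE` in place of a digest; the distinfo text and file contents below are constructed samples.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample distinfo, not taken from any real port. The second entry
# shows the shape assumed for the IGNOREFILES mechanism: a literal IGNORE in
# place of a digest, which the framework then skips at checksum time.
SAMPLE_DISTINFO = """\
SHA256 (example-1.0.tar.gz) = b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
SIZE (example-1.0.tar.gz) = 11
SHA256 (example-data.bin) = IGNORE
SIZE (example-data.bin) = 5
"""

# Constructed distfile contents matching the sample above.
SAMPLE_FILES = {
    "example-1.0.tar.gz": b"hello world",
    "example-data.bin": b"abcde",
}

_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {distfile: {"sha256": str | None, "size": int | None}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised distinfo line: {line!r}")
        kind, name, value = m.groups()
        entry = entries.setdefault(name, {"sha256": None, "size": None})
        if kind == "SHA256":
            entry["sha256"] = value
        else:
            entry["size"] = int(value)
    return entries


def audit_distfiles(distinfo_text, files):
    """Classify every distinfo entry against the bytes in `files` ({name: bytes}).

    Statuses: "verified", "mismatch", "size-mismatch", "missing",
    "no-checksum" (a SIZE line with no SHA256 line), and "unverified-ignore"
    for entries carrying the IGNORE marker, i.e. files that would be accepted
    without any integrity check.
    """
    report = {}
    for name, entry in parse_distinfo(distinfo_text).items():
        data = files.get(name)
        digest = entry["sha256"]
        if data is None:
            report[name] = "missing"
        elif digest is None:
            report[name] = "no-checksum"
        elif digest.upper() == "IGNORE":
            report[name] = "unverified-ignore"
        elif entry["size"] is not None and entry["size"] != len(data):
            report[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest.lower():
            report[name] = "mismatch"
        else:
            report[name] = "verified"
    return report


def audit_directory(distinfo_path, distdir):
    """Disk-backed variant: read distinfo and each named distfile from `distdir`."""
    text = Path(distinfo_path).read_text()
    files = {}
    for name in parse_distinfo(text):
        candidate = Path(distdir) / name
        if candidate.is_file():
            files[name] = candidate.read_bytes()
    return audit_distfiles(text, files)


if __name__ == "__main__":
    # Run against the constructed sample; point audit_directory() at a real
    # port's distinfo and DISTDIR to audit an actual checkout.
    for name, status in sorted(audit_distfiles(SAMPLE_DISTINFO, SAMPLE_FILES).items()):
        print(f"{status:18} {name}")
```

Treating "unverified-ignore" as its own status (rather than folding it into "verified" or "mismatch") is the point: a clean `make checksum` run says nothing about those files, so an auditor who wants every distfile pinned has to find them explicitly and pin them with an out-of-band digest of their own.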
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5004359.PqOTrjIgg6>