From owner-freebsd-security Sat Sep 12 21:36:28 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA19485 for freebsd-security-outgoing; Sat, 12 Sep 1998 21:36:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fallout.campusview.indiana.edu (fallout.campusview.indiana.edu [149.159.1.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA19469; Sat, 12 Sep 1998 21:36:26 -0700 (PDT) (envelope-from jfieber@indiana.edu) Received: from localhost (jfieber@localhost) by fallout.campusview.indiana.edu (8.8.8/8.8.7) with SMTP id XAA15989; Sat, 12 Sep 1998 23:35:54 -0500 (EST) Date: Sat, 12 Sep 1998 23:35:54 -0500 (EST) From: John Fieber To: Roger Marquis cc: freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG Subject: Re: sshd In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [topic drift from security to ports; CC: added] On Sat, 12 Sep 1998, Roger Marquis wrote: > For one thing 'make -n install' typically doesn't yield readable > information unless you first 'cd work/*'. 'more pkg/PLIST' is generally more efficient......if the PLIST is accurate. > Secondly, while port A installs under /usr/, port B > installs to /usr/local/etc and port C in /usr/libexec, ... > You can never be sure what is going where and it's a rare > port that can be uninstalled with 'make uninstall'. I have 103 ports installed on my machine now. Not one of them *ever* installed anything in /usr/---I would have noticed right away because my /usr file system is read only. If you find a port that installs something (a) somewhere off limits or (b) somewhere okay but in a bone-headed layout, by all means submit a bug report to the maintainer. Is it better to make ports conform to a strict BSD style file layout or stick with the style native to the software being ported? If I only managed FreeBSD systems, I'd opt for strict BSD but since I manage a number of other platforms I also value cross-platform consistency which may sometimes mean using an un-BSD-like layout. Short of providing multiple layout options in the port, you can't satisfy everyone. A majority of the ports I've installed uninstall pretty cleanly. The most common offense is leaving empty directories around. Again, this is all a volunteer project. If you install a port and spot a problem, submit a patch to the maintainer listed in the makefile! A more frustrating problem for me are ports that are not ${PREFIX} != /usr/local compatible which makes it a hassle to install multiple version of a port or separate ports that have common files. Also, I occasionaly go through phases of liking SysV way of installing things in /opt/, /etc/opt/ and /var/opt/ which a simple 'make PREFIX=/opt/' doesn't really accomplish. > There's also no way to validate all of the source hosts listed in the > Makefile. We've downloaded hacked versions of a port and had to > redownload and recompile when the hack became obvious (through corrupt > syslogs and attempts to grab /pwd.db). Um, that is what the checksums on the distfiles are for. Not a 100% guarantee of not being hacked, but a reasonable defense if you trust the person who made the port. Again, I hope you reported these incidents to the maintainer of the port. -john To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message