Date:      Fri, 23 Nov 2001 01:09:15 -0800
From:      Kris Kennaway <kris@obsecurity.org>
To:        Anthony Atkielski <anthony@freebie.atkielski.com>
Cc:        "Gary W. Swearingen" <swear@blarg.net>, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG
Subject:   Re: setuid on nethack?
Message-ID:  <20011123010915.A35695@xor.obsecurity.org>
In-Reply-To: <03a801c17399$ba011c30$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 10:07:42PM +0100
References:  <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com> <g2vgg2v7vn.gg2@localhost.localdomain> <03a801c17399$ba011c30$0a00000a@atkielski.com>

On Thu, Nov 22, 2001 at 10:07:42PM +0100, Anthony Atkielski wrote:
> Alas!  This does not make me feel warm and fuzzy!  It's a good thing I'm not
> installing this at a bank.

If you're going to run software written by Joe Random Coder, there's
always an element of risk.  There's nothing about the FreeBSD ports
collection which increases this risk, and in fact it makes the
situation slightly safer since we check all "spontaneous" changes in
the md5 checksum of a distfile where the distfile changes with no
change in the software version (e.g. once a few years ago someone
broke into the main ftp server for the tcp_wrappers package, and added
backdoor code to it.  The compromised software could not be installed
from the FreeBSD port unless you manually issued an override of the
checksum).

We have also found several isolated instances where software authors
had 'spyware' code which reports details back to the author; these
ports were summarily removed from the ports collection, again making
things safer for the end user.

Thirdly, since you have the source code you are free to examine it for
yourself and evaluate your level of risk according to whichever
criteria you choose.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7/hI7Wry0BWjoQKURAthmAKDPgmZbU97GfKlPUnWaYMK1l0jwDQCeJKcn
5DBNwgzvQb/aBI0aYZS09h4=
=QuWq
-----END PGP SIGNATURE-----
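The distfile check Kris describes above, worked through as an added example. This is illustration code written for this page, not FreeBSD's own ports infrastructure: the real ports tree records digests in a per-port distinfo file and "make checksum" compares the fetched tarball against them, with the NO_CHECKSUM make variable as the manual override. The function names, the dict layout and the sample "tarballs" below are assumptions constructed for the example; the point is that a tarball whose name and version did not change but whose contents did (the tcp_wrappers incident in the mail) is refused unless the user explicitly overrides, and that such a change is triaged differently from an ordinary version bump.

```python
"""
Model of the ports-collection distfile checksum check described in the
mail above. Added illustration, not FreeBSD's own ports code: the real
tree keeps digests in a per-port `distinfo` file and `make checksum`
compares the fetched tarball against them. Function names and the dict
layout here are assumptions chosen for clarity.
"""
import hashlib

# Constructed sample data (not real tarballs): the source the maintainer
# reviewed when the port was committed ...
DISTFILE_NAME = "tcp_wrappers_7.6.tar.gz"
CLEAN_DISTFILE = b"tcp_wrappers_7.6.tar.gz: original upstream source\n"
# ... and a re-upload with the same filename and version string but
# altered contents, the scenario the mail describes.
TAMPERED_DISTFILE = CLEAN_DISTFILE + b"/* added after the fact */\n"


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of a distfile. The 2001 tree used MD5, modern ports use
    SHA-256; the comparison logic does not depend on which is used."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def make_distinfo(filename: str, data: bytes, algo: str = "sha256") -> dict:
    """What the maintainer records at commit time: name, digest and size
    of the distfile as actually reviewed."""
    return {"file": filename, "algo": algo,
            "digest": digest(data, algo), "size": len(data)}


def verify_distfile(distinfo: dict, filename: str, data: bytes,
                    no_checksum: bool = False) -> dict:
    """Emulate `make checksum`: accept the fetched file only if its size
    and digest match the recorded entry. `no_checksum` models the manual
    override the mail refers to (ports' NO_CHECKSUM variable); even then
    the mismatch is reported rather than silently ignored."""
    if filename != distinfo["file"]:
        return {"accepted": False,
                "reason": "no distinfo entry for " + filename}
    actual = digest(data, distinfo["algo"])
    if len(data) == distinfo["size"] and actual == distinfo["digest"]:
        return {"accepted": True, "reason": "checksum ok"}
    reason = (f"{distinfo['algo']} mismatch: recorded "
              f"{distinfo['digest'][:12]}..., fetched {actual[:12]}...")
    if no_checksum:
        return {"accepted": True, "reason": "OVERRIDDEN by user: " + reason}
    return {"accepted": False, "reason": reason}


def classify_distinfo_change(old: dict, new: dict) -> str:
    """Triage a distinfo update the way the mail describes: a new filename
    (version bump) is a routine update, but a changed digest for the same
    filename is a 'spontaneous' change that needs a maintainer to find out
    why upstream's tarball changed before the port is updated."""
    if old["file"] != new["file"]:
        return "version-bump"
    if old["digest"] == new["digest"] and old["size"] == new["size"]:
        return "unchanged"
    return "spontaneous-change: investigate upstream"


if __name__ == "__main__":
    recorded = make_distinfo(DISTFILE_NAME, CLEAN_DISTFILE)
    print(verify_distfile(recorded, DISTFILE_NAME, CLEAN_DISTFILE))
    print(verify_distfile(recorded, DISTFILE_NAME, TAMPERED_DISTFILE))
    print(verify_distfile(recorded, DISTFILE_NAME, TAMPERED_DISTFILE,
                          no_checksum=True))
    print(classify_distinfo_change(
        recorded, make_distinfo(DISTFILE_NAME, TAMPERED_DISTFILE)))
```

Note that the check only catches what the mail says it catches: a distfile that changed underneath an existing distinfo entry. A backdoor that ships in a genuinely new upstream release, with a new version number, gets a fresh distinfo entry when the maintainer updates the port, which is why the third point in the mail (read the source yourself) still matters.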

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011123010915.A35695>