Date:      Fri, 22 Nov 2002 11:54:33 -0600 (CST)
From:      "Scott A. Moberly" <smoberly@karamazov.org>
To:        <gnome@FreeBSD.org>
Cc:        <freebsd-ports@FreeBSD.org>
Subject:   Re: SOUP
Message-ID:  <10240.65.221.169.187.1037987673.squirrel@mail.karamazov.org>

> On Fri, 2002-11-22 at 12:31, Scott A. Moberly wrote:
>> > On Fri, 2002-11-22 at 12:17, Scott A. Moberly wrote:
>> >> > On Fri, 2002-11-22 at 10:35, Scott A. Moberly wrote:
>> >> >> The SOAP library SOUP is now required throughout the gnome
>> >> >> structure. Given that gtkhtml requires it in the Makefile, but does
>> >> >> not actually require it.  Given the inherent security issues raised
>> >> >> with SOAP.  I was curious if it can be made optional.  It could even be
>> >> >> in the negative if you prefer; i.e.
>> >> >
>> >> > Maybe I've been out of it, but what security issues are we talking
>> >> > about?  Can you cite references?
>> >> >
>> >> > Joe
>> >> >
>> >>
>> >> My main complaint lies simply with arbitrary access to data without
>> >> the user (of the process) having direct control.  Scary if it moves
>> >> into root controlled processes.  Other issues involve firewall
>> >> slipthrough.  Many other reasons can be found...  google it with soap
>> >> and security.
>> >
>> > I'd like to see some security advisories on this, particularly in
>> > relation to the one app known to use Soup: Evolution.  So far, you are
>> > the only one to raise the issue.
>>
>> Okay...  so what you are saying is that I have to wait for something to
>> be broken and have a Security Advisory issued prior to having it
>> optional.  The protocol itself is flawed.  The company that devised it
>> (Microsoft) has not only warned of the firewall issue it has also
>> issued Security additions (WS-Security) that are patented and thus
>> potentially problematic.  I would like to avoid the issue before it is
>> raised: pro-active is the market-speak for this I believe.  I am not
>> asking the library to be removed; rather given an optional flag.
>
> If I'm going to flag something as broken due to security, I'd like to
> have some references for our users to read.  Since you're the only one
> raising this as a concern, I'd like _you_ to find some reputable sources
> stating what's wrong with the protocol.  If you do that, I'll flag it as
> optional in gtkhtml.
>
> Joe

Understandable...  However there are no advisories per se.  There has
been plenty of discussion regarding the potential abuse (in theory)...

An Article on O'Reilly:
http://www.xml.com/pub/a/2002/02/27/security-lather.html

Microsoft Article on SOAP Security:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservice/html/service11212001.asp

None of this is definitive; however, there is debate on the issue.  I was
immediately aware of the problem only because SOAP was brought up and
dismissed at my place of business approximately a year ago.  Dismissed for
the 'possible' security implications and there was no UNIX library yet
available.

Scott A. Moberly
smoberly@karamazov.org