Date:      Sat, 15 Jun 2019 18:42:28 +0000
From:      Alexey Dokuchaev <danfe@freebsd.org>
To:        Adam Weinberger <adamw@freebsd.org>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r504132 - head/security/vuxml
Message-ID:  <20190615184227.GA14704@FreeBSD.org>
In-Reply-To: <CAP7rwcjB9moLnEwzUcn0EhfKpF%2BdDvAObY0O8XJOn0V4HXByYA@mail.gmail.com>
References:  <201906131841.x5DIfuSb069885@repo.freebsd.org> <20190615151247.GA24087@FreeBSD.org> <CAP7rwcjB9moLnEwzUcn0EhfKpF%2BdDvAObY0O8XJOn0V4HXByYA@mail.gmail.com>

On Sat, Jun 15, 2019 at 09:41:24AM -0600, Adam Weinberger wrote:
> On Sat, Jun 15, 2019 at 9:12 AM Alexey Dokuchaev wrote:
> > ...
> > I've seen people say that in some distributions, default packages
> > were not affected because their maintainers deliberately disable
> > modelines, e.g. in Debian [and Gentoo]
> 
> Their default packages ARE affected. If your car explodes in 6th gear,
> you can't say your car isn't affected because it starts up in first.
> Whether they're enabled or disabled by default, the package is still
> vulnerable.

Adam, sorry, I shouldn't have said that their packages aren't affected.
Apparently I didn't make myself clear enough, let me try again:

Do we package Vim/NeoVim with modelines enabled by default?  I think
it's generally a good idea to turn potentially dangerous features, esp.
with an earlier history of security/resource vulnerabilities, off by
default -- it does not make packages less vulnerable, but leaves one
extra potential attack door closed rather than opened.

./danfe


