From: Adam Weinberger
Date: Sat, 15 Jun 2019 13:04:37 -0600
Subject: Re: svn commit: r504132 - head/security/vuxml
To: Alexey Dokuchaev
Cc: Adam Weinberger, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
List-Id: SVN commit messages for the ports tree

On Sat, Jun 15, 2019 at 12:42 PM Alexey Dokuchaev wrote:
>
> On Sat, Jun 15, 2019 at 09:41:24AM -0600, Adam Weinberger wrote:
> > On Sat, Jun 15, 2019 at 9:12 AM Alexey Dokuchaev wrote:
> > > ...
> > > I've seen people say that in some distributions, default packages
> > > were not affected because their maintainers deliberately disable
> > > modelines, e.g. in Debian [and Gentoo]
> >
> > Their default packages ARE affected. If your car explodes in 6th gear,
> > you can't say your car isn't affected because it starts up in first.
> > Whether they're enabled or disabled by default, the package is still
> > vulnerable.
>
> Adam, sorry, I shouldn't have said that their packages aren't affected.
> Apparently I didn't make myself clear enough, let me try again:
>
> Do we package Vim/NeoVim with modelines enabled by default? I think
> it's generally a good idea to turn potentially dangerous features, esp.
> with an earlier history of security/resource vulnerabilities, off by
> default -- it does not make packages less vulnerable, but leaves one
> extra potential attack door closed rather than opened.

I'm not opposed to the idea at all. Modeline is an outstanding feature
that, for example, helps us make sure that bsd.port.mk patches don't
show up with leading tabs.
It is a wonderful, powerful feature, that absolutely has the potential
to be used for substantial evil. That said, having fixed a busted lock
doesn't mean that we should board up the front door. If every area of
Wordpress with a fixed vulnerability were disabled by default, Wordpress
would be a static HTML file. (Both those metaphors are completely
hyperbolic, of course.)

We will definitely have some confused end-users if we set nomodeline by
default, and we'll have to be even more diligent about checking patches
for spacing.

Alexey, do the benefits of modeline outweigh the risks? Anyone else want
to add recommendations here?

# Adam

--
Adam Weinberger
adamw@adamw.org // adamw@FreeBSD.org
https://www.adamw.org
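The thread above weighs two facts against each other: modelines in a ports tree mostly exist to pin whitespace settings (Adam's point), and any modeline is a line of an untrusted file that the editor acts on (Alexey's point). A middle ground a packager or reviewer can take today, whatever the shipped default ends up being, is to audit what the modelines in a tree actually ask for. The script below is an added example, not code from this thread, from vim, or from the FreeBSD ports tree. It implements the two modeline forms documented in vim's `:help modeline` and, like vim, only looks at the first and last `'modelines'` lines of a file (default 5). The `EXPECTED` allowlist (whitespace and filetype options) and the `SAMPLE_*` inputs are this example's own assumptions and constructed data; vim applies its own restrictions on what a modeline may set, and this script does not replicate them, it only reports what each modeline requests so a human can look at anything outside the allowlist.

```python
"""Audit the vim modelines that vim would honour in a file or patch.

Added example, not code from the FreeBSD ports tree or from vim. It follows
the two modeline forms in `:help modeline`, checked in the first and last
'modelines' lines (default 5). EXPECTED is an assumption of this script
(options a packager usually expects in a modeline), not vim's own policy.
"""
import re
import sys
from typing import List, Optional, Tuple

MODELINES = 5  # vim's default value of the 'modelines' option

# "vi:", "vim:", "Vim:" or "ex:" at start of line or after whitespace, with
# an optional version test such as "vim<800:" or "vim=800:".
_START = re.compile(r'(?:^|\s)(vi|vim|Vim|ex)([<=>]\d+)?:\s*(.*)$')

# Second form: "se"/"set", options, then a ':' (a '\:' is a literal colon).
_SET_FORM = re.compile(r'^(?:se|set)\s+(.*?)(?<!\\):')

# Assumed allowlist: whitespace and filetype settings only.
EXPECTED = {
    'ts', 'tabstop', 'sw', 'shiftwidth', 'sts', 'softtabstop',
    'et', 'expandtab', 'tw', 'textwidth', 'ft', 'filetype', 'syn', 'syntax',
    'ff', 'fileformat', 'fenc', 'fileencoding', 'ai', 'autoindent',
    'si', 'smartindent', 'cin', 'cindent', 'list', 'wrap', 'spell',
    'fdm', 'foldmethod',
}

Option = Tuple[str, Optional[str]]            # ("ts", "8") or ("noet", None)
ModeLine = Tuple[Optional[str], List[Option]]  # (version test, options)


def _option(token: str) -> Option:
    name, sep, value = token.replace('\\:', ':').partition('=')
    return name, (value if sep else None)


def parse_modeline(line: str) -> Optional[ModeLine]:
    """Return (version_test, options) if `line` is a modeline, else None."""
    m = _START.search(line)
    if not m:
        return None
    prefix, version, rest = m.groups()
    sm = _SET_FORM.match(rest)
    if sm:
        # Form 2: options between "set" and the closing ':', split on
        # whitespace; any text after the ':' is ignored.
        tokens = sm.group(1).split()
    elif prefix == 'Vim':
        return None  # "Vim:" is only recognised in the set form
    else:
        # Form 1: the rest of the line is options, split on whitespace or ':'.
        tokens = [t for t in re.split(r'[\s:]+', rest) if t]
    return version, [_option(t) for t in tokens]


def base_name(name: str) -> str:
    """Strip the no/inv toggle prefix of a boolean option ("noet" -> "et")."""
    for p in ('no', 'inv'):
        if name.startswith(p) and name[len(p):] in EXPECTED:
            return name[len(p):]
    return name


def find_modelines(text: str, nlines: int = MODELINES) -> List[Tuple[int, ModeLine]]:
    """Modelines vim would act on: only the first and last `nlines` lines count."""
    lines = text.splitlines()
    head = range(min(nlines, len(lines)))
    tail = range(max(0, len(lines) - nlines), len(lines))
    found = []
    for i in sorted(set(head) | set(tail)):
        parsed = parse_modeline(lines[i])
        if parsed is not None:
            found.append((i + 1, parsed))
    return found


def unexpected_options(text: str) -> List[Tuple[int, str]]:
    """(line number, option name) for every modeline option outside EXPECTED."""
    return [(lineno, name)
            for lineno, (_, opts) in find_modelines(text)
            for name, _ in opts
            if base_name(name) not in EXPECTED]


# Constructed sample inputs, not files from any real tree.
SAMPLE_CLEAN = "#!/bin/sh\n# vim: set ts=8 sw=4 noet ft=sh:\necho hello\n"
SAMPLE_VERSIONED = "/* vim<800: set ts=4: */\nint x;\n"
SAMPLE_SUSPECT = "line\n" * 6 + "-- vi: ts=4 foldexpr=0 modelines=1\n"
SAMPLE_MIDDLE = "a\nb\nc\nd\ne\nf\n# vim: set ts=2:\ng\nh\ni\nj\nk\nl\n"


if __name__ == '__main__':
    # Usage: python3 modeline_audit.py FILE...  (prints nothing if all clean)
    for path in sys.argv[1:]:
        with open(path, encoding='utf-8', errors='replace') as fh:
            for lineno, name in unexpected_options(fh.read()):
                print(f"{path}:{lineno}: unexpected modeline option {name}")
```

Run it over a patch or a checkout and every modeline option outside the allowlist is printed with its line number; `SAMPLE_SUSPECT` shows the kind of hit it reports (a `foldexpr` and a `modelines` setting in the last line of a file), while the modeline in the middle of `SAMPLE_MIDDLE` is correctly ignored because vim would never read it there. The version-test form (`vim<800:`) is returned but not evaluated, since which vim version a reader runs is not something a file audit can know.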