Date: Fri, 22 Nov 2002 12:01:57 -0600 (CST)
From: "Scott A. Moberly" <smoberly@karamazov.org>
To: <marcus@marcuscom.com>
Cc: <gnome@FreeBSD.org>, <freebsd-ports@FreeBSD.org>
Subject: Re: SOUP
Message-ID: <11503.65.221.169.187.1037988117.squirrel@mail.karamazov.org>
In-Reply-To: <1037987918.326.32.camel@gyros>
References: <44542.65.221.169.187.1037979346.squirrel@mail.karamazov.org>
    <1037984649.326.1.camel@gyros>
    <3476.65.221.169.187.1037985437.squirrel@mail.karamazov.org>
    <1037985752.326.20.camel@gyros>
    <5747.65.221.169.187.1037986268.squirrel@mail.karamazov.org>
    <1037986478.326.29.camel@gyros>
    <9352.65.221.169.187.1037987400.squirrel@mail.karamazov.org>
    <1037987918.326.32.camel@gyros>
> On Fri, 2002-11-22 at 12:50, Scott A. Moberly wrote:
>> > On Fri, 2002-11-22 at 12:31, Scott A. Moberly wrote:
>> >> > On Fri, 2002-11-22 at 12:17, Scott A. Moberly wrote:
>> >> >> > On Fri, 2002-11-22 at 10:35, Scott A. Moberly wrote:
>> >> >> >> The SOAP library SOUP is now required throughout the gnome
>> >> >> >> structure. Given that gtkhtml requires it in the Makefile, but
>> >> >> >> does not actually require it. Given the inherent security
>> >> >> >> issues raised with SOAP, I was curious if it can be made
>> >> >> >> optional. It could even be in the negative if you prefer; i.e.
>> >> >> >
>> >> >> > Maybe I've been out of it, but what security issues are we
>> >> >> > talking about? Can you cite references?
>> >> >> >
>> >> >> > Joe
>> >> >> >
>> >> >> My main complaint lies simply with arbitrary access to data
>> >> >> without the user (of the process) having direct control. Scary
>> >> >> if it moves into root controlled processes. Other issues involve
>> >> >> firewall slipthrough. Many other reasons can be found... google
>> >> >> it with soap and security.
>> >> >
>> >> > I'd like to see some security advisories on this, particularly in
>> >> > relation to the one app known to use Soup: Evolution. So far, you
>> >> > are the only one to raise the issue.
>> >>
>> >> Okay... so what you are saying is that I have to wait for
>> >> something to be broken and have a Security Advisory issued prior to
>> >> having it optional. The protocol itself is flawed. The company
>> >> that devised it (Microsoft) has not only warned of the firewall
>> >> issue, it has also issued security additions (WS-Security) that are
>> >> patented and thus potentially problematic. I would like to avoid
>> >> the issue before it is raised: pro-active is the market-speak for
>> >> this, I believe. I am not asking the library to be removed; rather,
>> >> given an optional flag.
>> >
>> > If I'm going to flag something as broken due to security, I'd like
>> > to have some references for our users to read. Since you're the
>> > only one raising this as a concern, I'd like _you_ to find some
>> > reputable sources stating what's wrong with the protocol. If you do
>> > that, I'll flag it as optional in gtkhtml.
>> >
>> > Joe
>>
>> Understandable... However, there are no advisories per se. There has
>> been plenty of discussion regarding the potential abuse (in theory)...
>>
>> An article on O'Reilly:
>> http://www.xml.com/pub/a/2002/02/27/security-lather.html
>>
>> Microsoft article on SOAP security:
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservice/html/service11212001.asp
>>
>> None of this is definitive; however, there is debate on the issue. I
>> was immediately aware of the problem only because SOAP was brought up
>> and dismissed at my place of business approximately a year ago.
>> Dismissed for the 'possible' security implications, and there was no
>> UNIX library yet available.
>
> Okay, these are reputable sources. I'll do the knob.

Thank you kindly

---
Scott A. Moberly
smoberly@karamazov.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-gnome" in the body of the message