Date: Tue, 30 Mar 2004 02:00:01 +0200 From: Michael Nottebrock <michaelnottebrock@gmx.net> To: Oliver Eikemeier <eikemeier@fillmore-labs.com> Cc: FreeBSD Security <security@FreeBSD.org> Subject: Re: cvs commit: ports/multimedia/xine Makefile Message-ID: <4068B881.4010304@gmx.net> In-Reply-To: <4068A90A.7000104@fillmore-labs.com> References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <4068A0AF.2090807@gmx.net> <4068A90A.7000104@fillmore-labs.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig594423963BBD96DDBD6F14E9
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Oliver Eikemeier wrote:
> Thats a question of sematics. It makes absolutely no sense to add a
> package to
> the portaudit database when you won't mark the port as FORBIDDEN.
To me it makes no sense anymore to mark ports FORBIDDEN for security reasons
at all - portaudit uses a centralized source of information, it is much more
efficient than cvsup, as you mentioned it's smarter with regard to old
versions and it does automated checks via periodic.
In short, bye-bye FORBIDDEN, hello portaudit.
> The
> message
> is `do not install this port', and I hope to get support for portaudit into
> sysinstall to prevent users with release CDs to install vulnerable ports in
> the first place. Currently there is no such thing as `It may be ok to
> use this
> port if you are careful', if you deem such a feature useful I will look
> into
> implementing such a feature.
I'd deem such a feature quite useful indeed. Actually, the decisionmaking
about what is too serious to ignore and what is not could be handed back to
the system administrator this way: If VuXML would provide a fine-grained
classification of security issues (not by severity, but by type: privilige
escalation (incl. root/excl. root), local/remote denial-of-service,
buffer-overflow-but-no-exploit-known, etc, etc), users could customize
portaudit to forbid access to packages or just warn about them from a set of
rules (which would ideally also allow to make exceptions by portname and other
criteria - I realise that's quite a wishlist, but since you asked... ;-)).
The current behaviour could be provided as default.
--
,_, | Michael Nottebrock | lofi@freebsd.org
(/^ ^\) | FreeBSD - The Power to Serve | http://www.freebsd.org
\u/ | K Desktop Environment on FreeBSD | http://freebsd.kde.org
--------------enig594423963BBD96DDBD6F14E9
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows 2000)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org
iD8DBQFAaLiEXhc68WspdLARAsV8AJsHcXgr3HBHJLCL1YtUHT0Ct8Lc+wCeO+zw
vwbyi3/3j+Pmg1NG5avbUWg=
=Ne3G
-----END PGP SIGNATURE-----
--------------enig594423963BBD96DDBD6F14E9--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4068B881.4010304>