Date:      Wed, 22 May 2002 15:03:56 +0200 (CEST)
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        ache@nagual.pp.ru
Cc:        imp@village.org, bts@babbleon.org, kris@obsecurity.org, ports@FreeBSD.ORG, portmgr@FreeBSD.ORG, core@FreeBSD.ORG
Subject:   Re: My position on commiters guide 10.4.4
Message-ID:  <200205221304.g4MD3ujl001185@Magelan.Leidinger.net>
In-Reply-To: <20020522054234.GB93907@nagual.pp.ru>

On 22 May, Andrey A. Chernov wrote:

>> Actually, the historical risk of trojan distributions is much higher
>> for the same version.  The reason that a hacker would prefer that to a
>> new version is that a new version is more likely to be noticed than
>> silently replacing an old version.  There have been several incidents
>> of this type.  It is these sorts of incidents that caused the rules to
>> be put into place.
> 
> I know about such facts, but do you have any real statistics comparing 
> these two variants?

I don't think we should play the statistics game here. We know from
history about such incidents, and we want to be protected.

> When a version with a _new_ number appears, many more people will want 
> to download/install it than an old version many of them already have.

If the author of a program puts in malicious code we can't do anything
about it in our actual way of porting applications, but if a third party
injects malicious code on a mirror site, you will notice it. Either by rule
10.4.4 or by not having an announcement of a new version from the original
author (in case the malicious mirror uses a new version number).

We are not protected against every possible attack, but we are at least
safe against some of them.

>> addresses the security concerns.  If there's a real reason to update
>> the port, then running a diff between the two versions shouldn't be a
>> huge deal.  You'll need to fetch the new version of the tar.gz file
> 
> It very depends on port size / amount of files. Consider huge port like 
> XFree86. Or do we apply 10.4.4 to small ports only?

Even if we have a huge port which behaves that badly (sorry, I can't
name one, and I tried hard to get one), either it's worth the hassle, or
it isn't. If it isn't, don't update it. If it is, you want to be sure
nobody has injected malicious code.

>> An alternative way of dealing with this might be to contact the author
>> of the port that did the update to confirm that there was a new
>> version created by him and that it was legit.
> 
> Did you try it, e.g., a few times? It is not as easy as it sounds. Developers 
> tend to ignore even some functionality patches, not to mention purist 
> non-functional requests to update number.

Yes, life is bad. And because of this we have rule 10.4.4.

Bye,
Alexander.

-- 
Failure is not an option. It comes bundled with your Microsoft product.

http://www.Leidinger.net                       Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7

