Re: cvs commit: ports/multimedia/xine Makefile

From: Michael Nottebrock (michaelnottebrock_at_gmx.net)
Date: 03/30/04

    Date: Tue, 30 Mar 2004 02:00:01 +0200
    To: Oliver Eikemeier <eikemeier@fillmore-labs.com>
    
    
    

    Oliver Eikemeier wrote:

    > That's a question of semantics. It makes absolutely no sense to add a
    > package to the portaudit database when you won't mark the port as
    > FORBIDDEN.

    To me it makes no sense anymore to mark ports FORBIDDEN for security reasons
    at all - portaudit uses a centralized source of information, it is much more
    efficient than cvsup, as you mentioned it's smarter with regard to old
    versions and it does automated checks via periodic.

    In short, bye-bye FORBIDDEN, hello portaudit.

    > The message is `do not install this port', and I hope to get support for
    > portaudit into sysinstall to prevent users with release CDs to install
    > vulnerable ports in the first place. Currently there is no such thing as
    > `It may be ok to use this port if you are careful', if you deem such a
    > feature useful I will look into implementing such a feature.

    I'd deem such a feature quite useful indeed. Actually, the decision-making
    about what is too serious to ignore and what is not could be handed back to
    the system administrator this way: If VuXML would provide a fine-grained
    classification of security issues (not by severity, but by type: privilege
    escalation (incl. root/excl. root), local/remote denial-of-service,
    buffer-overflow-but-no-exploit-known, etc, etc), users could customize
    portaudit to forbid access to packages or just warn about them from a set of
    rules (which would ideally also allow to make exceptions by portname and other
    criteria - I realise that's quite a wishlist, but since you asked... ;-)).

    The current behaviour could be provided as default.

    -- 
        ,_,   | Michael Nottebrock               | lofi@freebsd.org
      (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
        \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org
    
    


