Re: cvs commit: ports/multimedia/xine Makefile
From: Oliver Eikemeier (eikemeier_at_fillmore-labs.com)
Date: Tue, 30 Mar 2004 17:09:12 +0200 To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
Jacques A. Vidrine wrote:
>>>Personally, I was quite pleased with the way that you have it set up:
>>>if users install portaudit, then they will be warned daily about ports
>>>that they have installed; and attempting to build the port results in
>>>much the same thing as FORBIDDEN.
>>>(I guess I could have some misunderstanding, though.)
>>No, that is precisely the idea: marking a port in portaudit results in
>>much the same thing as FORBIDDEN, so the criteria to add a package to
>>the portaudit database is excatly the same as marking a port as
>>FORBIDDEN because of security reasons.
> That doesn't logically follow. The criteria for marking a port
> FORBIDDEN is (currently) quite different than the criteria for
> entering an issue into the FreeBSD VuXML document. I didn't in
> particular create VuXML to replace FORBIDDEN--- although I don't
> object if that is what folks want.
The problem here is that the portaudit database is generated from the
VuXML document, and the criteria to add a package to the portaudit
database *is* the same as marking a port as FORBIDDEN, so I have the
problem of synchronizing the VuXML document and the portaudit database
I can't have a different policy for portaudit, since the results are
the same. Basically portaudit can replace FORBIDDEN, adding a retroactive
view. There is no problem to add an extra flag if a knowledgeable
user wants to have extra security, but this can't be the default.
>>>Without portaudit, we have the current situation. The only ports
>>>marked FORBIDDEN are those where someone believed that problems are
>>>serious enough to mark it so.
>>This should be the same with portaudit, even on past revisions of the
>>ports: The only port added in the portaudit database should be those
>>where someone believed that problems are serious enough to mark it so.
>>To cite portaudit(1):
>>"If you have a vulnerable package installed, you are advised to update or
>>deinstall it immediately."
> OK, I think I understand your viewpoint. I believe you are asking for
> some connection to be made between VuXML and FORBIDDEN. But portaudit
> doesn't *in fact* have anything to do with that policy. portaudit is
> *in fact* a tool for implementing an alternate policy.
It is not. It hinders you to install vulnerable ports, like FORBIDDEN
does, and notifies you retroactively if a port that should have been
FORBIDDEN is installed. What should be the alternate policy there?
> In other words, you can't equate portaudit's policy with the FreeBSD
> Ports Collection's FORBIDDEN policy. That's begging the question.
Why can't I? I can't do this for the VuXML policy, but I can for
portaudit. The problem here is that VuXML has a policy that makes
it hard for me to integrate into portaudit.
> I specifically do not wish to constrain VuXML entries to only
> those which are ``serious'' (by some widely-accepted definition of
> And I specifically want to avoid assigning severity to entries. See
> my other recent posting for reasons why.
I guess then I have do do a canditate system, where new vulnerabilities
are only added to the portaudit database when they are verified as
being serious. This means going back to a seperate portaudit database,
which is unfortunate.
I might later implement a notification system for issues with lesser
importance, but I see no point in using portaudit to hinder users to
install a certain port if an issue is not deemed to be severe enough
to mark the port as FORBIDDEN.
>>The decision how severe an issue is has already be made with every commit
>>to the VuXML document (by marking the affected ports as FORBIDDEN or not),
>>it is only not documented. This is just a question of a clearly stated
>>policy, not about assigning a severity - that is already done.
> Well, you do have a point. So, I'm happy with this approach, but also
> willing to be convinced that other approaches are better. :-)
> Just in case I haven't stated it enough times yet to be clear, I'll do
> it once more:
> If the community wants all ports that become listed in the VuXML
> document to be marked FORBIDDEN--- well, we can arrange that.
It is your document, you can set the policy. If you want to make it usable
for portaudit, give me either a severity tag with a defined policy whether
the port has to be marked as FORBIDDEN or nor, or add only serious entries.
If certain vulnerabilities are not serious enough to hinder people to
install the port, I see no reason for using portaudit to do so.
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "email@example.com"