Re: cvs commit: ports/multimedia/xine Makefile

From: Oliver Eikemeier (eikemeier_at_fillmore-labs.com)
Date: 03/30/04

  • Next message: Oliver Eikemeier: "Re: cvs commit: ports/multimedia/xine Makefile"
    Date: Tue, 30 Mar 2004 17:09:12 +0200
    To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
    
    

    Jacques A. Vidrine wrote:

    >>>Personally, I was quite pleased with the way that you have it set up:
    >>>if users install portaudit, then they will be warned daily about ports
    >>>that they have installed; and attempting to build the port results in
    >>>much the same thing as FORBIDDEN.
    >>>
    >>>(I guess I could have some misunderstanding, though.)
    >>
    >>No, that is precisely the idea: marking a port in portaudit results in
    >>much the same thing as FORBIDDEN, so the criteria to add a package to
    >>the portaudit database is excatly the same as marking a port as
    >>FORBIDDEN because of security reasons.
    >
    > That doesn't logically follow. The criteria for marking a port
    > FORBIDDEN is (currently) quite different than the criteria for
    > entering an issue into the FreeBSD VuXML document. I didn't in
    > particular create VuXML to replace FORBIDDEN--- although I don't
    > object if that is what folks want.

    The problem here is that the portaudit database is generated from the
    VuXML document, and the criteria to add a package to the portaudit
    database *is* the same as marking a port as FORBIDDEN, so I have the
    problem of synchronizing the VuXML document and the portaudit database
    here.

    I can't have a different policy for portaudit, since the results are
    the same. Basically portaudit can replace FORBIDDEN, adding a retroactive
    view. There is no problem to add an extra flag if a knowledgeable
    user wants to have extra security, but this can't be the default.

    >>>Without portaudit, we have the current situation. The only ports
    >>>marked FORBIDDEN are those where someone believed that problems are
    >>>serious enough to mark it so.
    >>
    >>This should be the same with portaudit, even on past revisions of the
    >>ports: The only port added in the portaudit database should be those
    >>where someone believed that problems are serious enough to mark it so.
    >>
    >>To cite portaudit(1):
    >>
    >>"If you have a vulnerable package installed, you are advised to update or
    >>deinstall it immediately."
    >
    > OK, I think I understand your viewpoint. I believe you are asking for
    > some connection to be made between VuXML and FORBIDDEN. But portaudit
    > doesn't *in fact* have anything to do with that policy. portaudit is
    > *in fact* a tool for implementing an alternate policy.

    It is not. It hinders you to install vulnerable ports, like FORBIDDEN
    does, and notifies you retroactively if a port that should have been
    FORBIDDEN is installed. What should be the alternate policy there?

    > In other words, you can't equate portaudit's policy with the FreeBSD
    > Ports Collection's FORBIDDEN policy. That's begging the question.

    Why can't I? I can't do this for the VuXML policy, but I can for
    portaudit. The problem here is that VuXML has a policy that makes
    it hard for me to integrate into portaudit.

    > [...]
    >
    > I specifically do not wish to constrain VuXML entries to only
    > those which are ``serious'' (by some widely-accepted definition of
    > `serious').
    >
    > And I specifically want to avoid assigning severity to entries. See
    > my other recent posting for reasons why.

    I guess then I have do do a canditate system, where new vulnerabilities
    are only added to the portaudit database when they are verified as
    being serious. This means going back to a seperate portaudit database,
    which is unfortunate.

    I might later implement a notification system for issues with lesser
    importance, but I see no point in using portaudit to hinder users to
    install a certain port if an issue is not deemed to be severe enough
    to mark the port as FORBIDDEN.

    >>The decision how severe an issue is has already be made with every commit
    >>to the VuXML document (by marking the affected ports as FORBIDDEN or not),
    >>it is only not documented. This is just a question of a clearly stated
    >>policy, not about assigning a severity - that is already done.
    >
    > Well, you do have a point. So, I'm happy with this approach, but also
    > willing to be convinced that other approaches are better. :-)
    >
    > Just in case I haven't stated it enough times yet to be clear, I'll do
    > it once more:
    > If the community wants all ports that become listed in the VuXML
    > document to be marked FORBIDDEN--- well, we can arrange that.

    It is your document, you can set the policy. If you want to make it usable
    for portaudit, give me either a severity tag with a defined policy whether
    the port has to be marked as FORBIDDEN or nor, or add only serious entries.

    If certain vulnerabilities are not serious enough to hinder people to
    install the port, I see no reason for using portaudit to do so.

    -Oliver

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Oliver Eikemeier: "Re: cvs commit: ports/multimedia/xine Makefile"

    Relevant Pages

    • Re: cvs commit: ports/multimedia/xine Makefile
      ... the point is that portaudit is designed to ... >>enforce local policy based on the VuXML document. ... >>goes into the VuXML document should cause the corresponding port to be ... >>Just like I do not mark every port with any security issue FORBIDDEN, ...
      (FreeBSD-Security)
    • Re: cvs commit: ports/multimedia/xine Makefile
      ... > the portaudit database when you won't mark the port as FORBIDDEN. ... To me it makes no sense anymore to mark ports FORBIDDEN for security reasons ... portaudit to forbid access to packages or just warn about them from a set of ...
      (FreeBSD-Security)
    • Re: cvs commit: ports/multimedia/xine Makefile
      ... we could use them for portaudit and VuXML ... that is precisely the idea: marking a port in portaudit results in ... remove (so you don't romp over port maintainers, ...
      (FreeBSD-Security)
    • Re: cvs commit: ports/multimedia/xine Makefile
      ... >>if users install portaudit, then they will be warned daily about ports ... > the portaudit database is excatly the same as marking a port as ... entering an issue into the FreeBSD VuXML document. ...
      (FreeBSD-Security)
    • Re: ports/126853: ports-mgmt/portaudit: speed up audit of installed packages
      ... For those machines it's relevant whether their build server has ... Once you have the origin of the port, ... What portaudit lacks, is providing the origin along with the installed package ...
      (freebsd-hackers)