cvs commit: ports/multimedia/xine Makefile

Jacques A. Vidrine nectar at FreeBSD.org
Mon Mar 29 10:53:48 PST 2004


On Mon, Mar 29, 2004 at 08:14:29PM +0200, Oliver Eikemeier wrote:
> Jacques A. Vidrine wrote:
>
> >On Sun, Mar 28, 2004 at 03:44:06PM -0800, Oliver Eikemeier wrote:
> >
> >>eik         2004/03/28 15:44:06 PST
> >>
> >> FreeBSD ports repository
> >>
> >> Modified files:
> >>   multimedia/xine      Makefile
> >> Log:
> >> Mark forbidden due to an entry in the VuXML database. Don't
> >> forget to add the version which fixes the issues there.
> >
> >FWIW:
> >
> >I didn't mark this port FORBIDDEN when I added the issue to the
> >database because some issues are not very severe.  For example, this
> >issue has practically no impact on single user systems, and quite
> >possibly no impact on any FreeBSD user anywhere.  Marking the port
> >FORBIDDEN in this case seems extreme.
>
> It's in the official FreeBSD vulnerability database.

The vulnerability database is meant to be comprehensive and
informational.  It is not a policy document.

> >I'd prefer to reserve FORBIDDEN for those cases where the ports
> >present some danger.  Those who want a more strict policy can use
> >portaudit or similar, right?
>
> I guess we have to add a severity tag then, to enable `soft'
> vulnerabilities.  I have an automated script that barks on unmarked
> vulnerabilities, and it can't decide which vulnerability is
> `important'.

Yes, I wanted to avoid this.  Severity is sooo subjective.  I prefer
that people close to the port make the severity judgement--- if the
maintainer or a fellow committer believes the item is severe, then let
them mark it FORBIDDEN.  That is why I said `FWIW' above--- if you
believe it is severe, then please by all means leave it FORBIDDEN.
However, I had the impression that you were marking it only because it
was listed in the VuXML document.

I suppose we could consider a very coarse-grained severity rating, but
I'd rather not.  I guess such a discussion should take place over on
freebsd-security at .

> >> http://people.freebsd.org/~eik/portaudit/fde53204-7ea6-11d8-9645-0020ed76ef5a.html
> >
> >By the way, I'd appreciate it if you'd point to the VuXML site instead
> >(the URLs are `permanent').
> >
> >   http://vuxml.freebsd.org/
> >   http://vuxml.freebsd.org/fde53204-7ea6-11d8-9645-0020ed76ef5a.html
>
> These are generated by the same script that generates the portaudit
> database, so they will never go out of sync.

I'm not sure how to take that response :-)  I'd prefer to use the
permanent FreeBSD URL, which points to the VuXML site which is near
real-time updated and where I'll be focusing browsing experience
enhancements.  Is there something in particular missing? (contributions
welcome!)

Cheers,
-- 
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org