cvs commit: ports/multimedia/xine Makefile

Oliver Eikemeier eikemeier at fillmore-labs.com
Mon Mar 29 14:54:07 PST 2004


Michael Nottebrock wrote:
> > Essentially this means that I should not automatically add every entry
> > of the VuXML document to the portaudit database, since being listed there
> > means `do not use this port', which is the equivalent to `FORBIDDEN'.
> 
> Why? I mean, seriously, if I choose to install portaudit and portaudit's
> presence prevents me from installing ports that's okay, but enforcing
> this even when I _don't_ want to use portaudit is not, IMHO.

I guess you mix up things here. We are talking about semantics.

Marking a port FORBIDDEN if it has a security vulnerability has nothing to
do with portaudit. If you have a current ports tree and update your ports
every time a new version is available, you don't need portaudit.

> Actually,
> I always thought portaudit was all about providing a way of making ports
> off-limits _without_ CVS being involved.

Exactly that is the point: you can mark ports FORBIDDEN retroactively, which
means versions that are no longer current, or on systems where there is no
(current) ports tree (like on release CDs), or where the ports are not updated
immediately.

> So I agree with Jacques here,
> portaudit and FORBIDDEN should remain separate.

That's a question of semantics. It makes absolutely no sense to add a package to
the portaudit database when you won't mark the port as FORBIDDEN. The message
is `do not install this port', and I hope to get support for portaudit into
sysinstall to prevent users with release CDs from installing vulnerable ports in
the first place. Currently there is no such thing as `It may be ok to use this
port if you are careful'; if you deem such a feature useful I will look into
implementing it.

-Oliver


More information about the freebsd-security mailing list