cvs commit: ports/multimedia/xine Makefile

Jacques A. Vidrine nectar at FreeBSD.org
Tue Mar 30 07:43:02 PST 2004


On Tue, Mar 30, 2004 at 08:25:43AM +0200, Michael Nottebrock wrote:
> Right, and I have no problem with that (I _like_ portaudit :-)). However, 
> it seems to me that marking ports FORBIDDEN for security reasons is more or 
> less obsoleted (and made redundant) by portaudit/VuXML and committers 
> having to hand-scan VuXML for updates and mark ports FORBIDDEN by hand just 
> seems like duplicated (and error-prone) work... so maybe it's time to do 
> away with marking ports FORBIDDEN for security reasons completely?

Maybe :-)

> Also, what eik says about integrating portaudit into sysinstall (does this 
> imply moving portaudit into the base-system at some point?) sounds very 
> good to me, but I still don't like security-by-default schemes which can't 
> be disabled by flipping a switch. FORBIDDEN ports are an example for this, 
> forcing users to hand-edit a port Makefile in order to make it buildable 
> (especially when the security issue is really minor or I'm not even 
> affected) is just a tad too BOFH-ish for my taste.

Well, a reason I mentioned `hooks' to Oliver is because I have my own
unfinished scheme for managing this issue.  It takes a different
approach than portaudit, that I think you'd like.  But I don't want to
say more because it is vaporware until release :-)

Basically, any attempt to integrate such vulnerability checking into
pkg_* tools or bsd.port.mk needs to be done so that tools can plug-in.
In that fashion, users have a choice of security policy.  The commit of
a `Vulnerability Check' to bsd.port.mk happened under my radar, so I
didn't comment on it at the time.  It may or may not be sufficient for
hooks as it is now.

Cheers,
-- 
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org