svn commit: r504132 - head/security/vuxml
Alexey Dokuchaev
danfe at freebsd.org
Sat Jun 15 18:42:28 UTC 2019
On Sat, Jun 15, 2019 at 09:41:24AM -0600, Adam Weinberger wrote:
> On Sat, Jun 15, 2019 at 9:12 AM Alexey Dokuchaev wrote:
> > ...
> > I've seen people say that in some distributions, default packages
> > were not affected because their maintainers deliberately disable
> > modelines, e.g. in Debian [and Gentoo]
>
> Their default packages ARE affected. If your car explodes in 6th gear,
> you can't say your car isn't affected because it starts up in first.
> Whether they're enabled or disabled by default, the package is still
> vulnerable.

Adam, sorry, I shouldn't have said that their packages aren't affected.
Apparently I didn't make myself clear enough, let me try again:

Do we package Vim/NeoVim with modelines enabled by default? I think
it's generally a good idea to turn potentially dangerous features, esp.
with an earlier history of security/resource vulnerabilities, off by
default -- it does not make packages less vulnerable, but leaves one
extra potential attack door closed rather than opened.

./danfe