fetch extension - use local filename from content-disposition header

John Baldwin jhb at freebsd.org
Fri Dec 30 05:43:19 PST 2005

On Friday 30 December 2005 03:44 am, Ádám Szilveszter wrote:
> On Pén, December 30, 2005 6:39 am, Barney Wolff wrote:
> > What does the security officer have to say about that, if true?
> You know, there are much bigger problems than that. For example the fact,
> that any vulnerability in fetch(1) or libfetch(3) is a remote root
> compromise candidate on FreeBSD, because the Ports system still insists on
> running it as root by default downloading distfiles from unchecked and
> potentially unsecure servers all over the Internet. This is the real
> problem, imho. However, when I mentioned this on -security in a thread
> (about trusting trust) all I got back was that it was difficult to make
> sure that all ports build as normal user. Which of course does not explain
> fetching as root at all, but hey.
> Regards and Happy New Year,
> Sz.

I always build ports as myself and only install them as root.  Every once in a 
while I run into a port that needs to have stuff from pre-install moved to 
pre-su-install, but for the most part it works just fine out of the box.

John Baldwin <jhb at FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org
