sysutils/cfs

Oliver Fromme olli at lurza.secnetix.de
Wed Sep 7 13:53:38 UTC 2011


Erik Trulsson wrote:
 > On Wed, Sep 07, 2011 at 09:37:07PM +1000, Peter Jeremy wrote:
 > > On 2011-Sep-06 23:30:04 -0700, Stanislav Sedov <stas at FreeBSD.org> wrote:
 > > > What about requiring that the ports deprecated should be either broken
 > > > or have known published vulnerabilities for a long period of
 > > > time (say 6 months) for the start?
 > > 
 > > This might be reasonable for broken ports but ports with known
 > > vulnerabilities should either be fixed or removed promptly.
 > 
 > That depends somewhat on the exact nature of the vulnerability.
 > Depending on how the port is used a given vulnerability might not
 > be a problem. (E.g. if a port has a vulnerability which allows a local
 > user to become root, then it is a problem for multi-user systems with
 > untrusted users, but for a system which only has a single user or only
 > trusted users it would not be a significant problem.)
 > 
 > If a port can be used safely despite existing vulnerabilities it is not
 > at all clear it needs to be removed quickly even if it is not fixed.
 > 
 > (Marking it FORBIDDEN so potential users are warned about known
 > problems is another thing.)

I tend to agree with Erik here.

In my opinion, the important thing is to let the user know
about the problem, so the *user* can make an educated decision
instead of having ports committers force the decision upon
all users.

There are many examples of security problems that might not
affect all users.  Users might also decide to take the risk,
especially if the software in question provides a unique
feature that is essential to the user and cannot be replaced.
Appropriate measures can be taken to contain the risk, such
as running the software inside a jail or VM.

The question is how to inform the user in a reasonable and
reliable way.  I think ports-mgmt/portaudit already does a
very good job, but it is optional, and I guess that many
(maybe even most) "non-expert" users don't install it or
don't even know about it.  It might be a good idea to make
portaudit a mandatory part of the ports framework and enable
it by default.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"Documentation is like sex; when it's good, it's very, very good,
and when it's bad, it's better than nothing."
        -- Dick Brandon

