On Tue, Mar 30, 2004 at 08:25:43AM +0200, Michael Nottebrock wrote:
> Right, and I have no problem with that (I _like_ portaudit :-)). However,
> it seems to me that marking ports FORBIDDEN for security reasons is more or
> less obsoleted (and made redundant) by portaudit/VuXML and committers
> having to hand-scan VuXML for updates and mark ports FORBIDDEN by hand just
> seems like duplicated (and error-prone) work... so maybe it's time to do
> away with marking ports FORBIDDEN for security reasons completely?

Maybe :-)

> Also, what eik says about integrating portaudit into sysinstall (does this
> imply moving portaudit into the base-system at some point?) sounds very
> good to me, but I still don't like security-by-default schemes which can't
> be disabled by flipping a switch. FORBIDDEN ports are an example for this,
> forcing users to hand-edit a port Makefile in order to make it buildable
> (especially when the security issue is really minor or I'm not even
> affected) is just a tad too BOFH-ish for my taste.

Well, a reason I mentioned `hooks' to Oliver is because I have my own
unfinished scheme for managing this issue. It takes a different approach
than portaudit, that I think you'd like. But I don't want to say more
because it is vaporware until release :-)

Basically, any attempt to integrate such vulnerability checking into
pkg_* tools or bsd.port.mk needs to be done so that tools can plug-in.
In that fashion, users have a choice of security policy.

The commit of a `Vulnerability Check' to bsd.port.mk happened under my
radar, so I didn't comment on it at the time. It may or may not be
sufficient for hooks as it is now.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org