Greetings,

I'm a little curious about the way the FORBIDDEN knob is used in the ports system. Traditionally, we use it to mark a port which has a known security issue. With the new vuxml mechanism, are we still doing the same thing when necessary? Or, only the "critical" ones, for example, remote exploitable buffer overruns, etc?

If the second assumption (only critical ones are marked FORBIDDEN) is true, then what's our criteria of what should be marked FORBIDDEN or not? Say, how serious a bug should be before a port is marked FORBIDDEN?

Someone who knows about these things please clarify this. Thanks in advance!

Cheers,
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.
Jacques A. Vidrine
2004-May-02 12:36 UTC
What's our current policy on ports FORBIDDEN knob?
On Mon, May 03, 2004 at 01:29:10AM +0800, Xin LI wrote:
> Greetings,
>
> I'm a little curious about the way the FORBIDDEN knob is used in the ports system.
> Traditionally, we use it to mark a port which has a known security issue.
> With the new vuxml mechanism, are we still doing the same thing when
> necessary? Or, only the "critical" ones, for example, remote exploitable
> buffer overruns, etc?
>
> If the second assumption (only critical ones are marked FORBIDDEN)
> is true, then what's our criteria of what should be marked FORBIDDEN
> or not? Say, how serious a bug should be before a port is marked
> FORBIDDEN?
>
> Someone who knows about these things please clarify this. Thanks in advance!

The VuXML document is used to record practically all security issues, large or small.

FORBIDDEN is more subjective. Personally, I mark a port FORBIDDEN if I believe it presents immediate danger to users.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org