Any reason why portaudit and its associated infrastructure was not announced to
this list or security-notifications? I recently discovered it, and discovered
the feature was added to bsd.port.mk in the beginning of February. Seeing as
the security officer apparently (without announcement) no longer issues
security notices (SNs) for ports, I am assuming that portaudit has replaced
SNs entirely, and that we should rely on that for ports operational security?
I'm not subscribed to -ports, -questions, or -current, which were apparently
where the portaudit introduction discussions took place.

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/

On Wed, Mar 17, 2004 at 02:00:51AM -0500, Peter C. Lai wrote:
> Any reason why portaudit and its associated infrastructure was not announced to
> this list or security-notifications? I recently discovered it, and discovered
> the feature was added to bsd.port.mk in the beginning of February. Seeing as
> the security officer apparently (without announcement) no longer issues
> security notices (SNs) for ports, I am assuming that portaudit has replaced
> SNs entirely, and that we should rely on that for ports operational security?
> I'm not subscribed to -ports, -questions, or -current, which were apparently
> where the portaudit introduction discussions took place.

VuXML is the new mechanism for documenting security issues in ports. It has
not been `announced' because it is still at an experimental stage.

portaudit is one tool that reads the FreeBSD VuXML document, and is
well-suited for automated checking.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

Peter C. Lai wrote:
> Any reason why portaudit and its associated infrastructure was not announced to
> this list or security-notifications?

Sorry, I wasn't subscribed to security@ until recently, so I didn't think of
announcing portaudit on this list.

> I recently discovered it, and discovered
> the feature was added to bsd.port.mk in the beginning of February. Seeing as
> the security officer apparently (without announcement) no longer issues
> security notices (SNs) for ports, I am assuming that portaudit has replaced
> SNs entirely, and that we should rely on that for ports operational security?
> [...]

I'm sorry there has been so much confusion about portaudit.

portaudit is fully functional, so it should be pretty reliable if used on
your systems, but there are still some issues I want to straighten out before
having a 1.0 release and doing an official announcement:

- documented proxy handling
- more tunable parameters
- a start script for workstations which do not run periodic(8) scripts
- maybe add some auditing code to pkg_add

I hope to finish these Real Soon Now(tm), and will post an announcement then.

Thanks for your heads-up

Oliver

On Wed, Mar 17, 2004 at 02:00:51AM -0500, Peter C. Lai wrote:
<snip>
> Seeing as
> the security officer apparently (without announcement) no longer issues
> security notices (SNs) for ports
<snip>

is this true? no more advisories concerning ports?

thx,
t.