cvs commit: ports/multimedia/xine Makefile
Jacques A. Vidrine
nectar at FreeBSD.org
Mon Mar 29 20:56:50 PST 2004
On Tue, Mar 30, 2004 at 01:41:25AM +0200, Oliver Eikemeier wrote:
> Hooks would be nice, but I guess we should have something in the base,
> or at least let sysinstall install it by default before adding other
> packages.
*nod* Hooks fulfill the role either way, but have the advantage of
allowing alternatives.
> >Personally, I was quite pleased with the way that you have it set up:
> >if users install portaudit, then they will be warned daily about ports
> >that they have installed; and attempting to build the port results in
> >much the same thing as FORBIDDEN.
> >
> >(I guess I could have some misunderstanding, though.)
>
> No, that is precisely the idea: marking a port in portaudit results in
> much the same thing as FORBIDDEN, so the criteria to add a package to
> the portaudit database is exactly the same as marking a port as
> FORBIDDEN because of security reasons.
That doesn't logically follow. The criteria for marking a port
FORBIDDEN is (currently) quite different than the criteria for
entering an issue into the FreeBSD VuXML document. I didn't in
particular create VuXML to replace FORBIDDEN--- although I don't
object if that is what folks want.
> >Without portaudit, we have the current situation. The only ports
> >marked FORBIDDEN are those where someone believed that problems are
> >serious enough to mark it so.
>
> This should be the same with portaudit, even on past revisions of the
> ports: The only port added in the portaudit database should be those
> where someone believed that problems are serious enough to mark it so.
>
> To cite portaudit(1):
>
> "If you have a vulnerable package installed, you are advised to update or
> deinstall it immediately."
OK, I think I understand your viewpoint. I believe you are asking for
some connection to be made between VuXML and FORBIDDEN. But portaudit
doesn't *in fact* have anything to do with that policy. portaudit is
*in fact* a tool for implementing an alternate policy.
In other words, you can't equate portaudit's policy with the FreeBSD
Ports Collection's FORBIDDEN policy. That's begging the question.
> >I often mail folks when I enter their port into VuXML. I intend to
> >automate this nagging, but just haven't gotten around to it yet.
>
> What is the point in not marking those ports as FORBIDDEN? It is easy to
> remove (so you don't romp over port maintainers, like just committing the
> fix, which might be done differently), gives maintainers time to analyze
> the issue without piecing together a quick fix and prevents the vulnerable
> version from being installed. In my eyes this benefits maintainers (who have
> to fix these issues anyways, but have more room to do so) as well as users
> (which normally do not want to use vulnerable ports, especially since
> exploits get more popular every day), or do I make a mistake here?
What are the advantages of this approach versus automated nagging, and
prudently applying FORBIDDEN?
I've already stated what I think the disadvantages are.
But, of course I'm ready to hear more.
[...]
> >I'd like to take a step before committing myself (and any would-be
> >VuXML contributor) into assigning a severity to every issue. If
> >there is rough consensus from the ports community (committers and
> >maintainers) that any documented security issue is grounds enough to
> >mark a port FORBIDDEN, then we'll follow the policy that (entry in
> >VuXML document) == (port must be marked FORBIDDEN).
> >
> >This seems to be your stance, and I do not think it is unreasonable.
> >Although I made the comment earlier that I don't share the opinion, it
> >is nonetheless attractive because it is simple :-)
>
> I can live with both. Either VuXML contains only entries that are so
> serious that a port should be marked FORBIDDEN, or it contains additional
> entries that are not of this importance and are marked as such.
I guess we are at contrapoint.
I specifically do not wish to constrain VuXML entries to only
those which are ``serious'' (by some widely-accepted definition of
`serious').
And I specifically want to avoid assigning severity to entries. See
my other recent posting for reasons why.
> The decision how severe an issue is has already been made with every commit
> to the VuXML document (by marking the affected ports as FORBIDDEN or not),
> it is only not documented. This is just a question of a clearly stated
> policy, not about assigning a severity - that is already done.
Well, you do have a point. So, I'm happy with this approach, but also
willing to be convinced that other approaches are better. :-)
Just in case I haven't stated it enough times yet to be clear, I'll do
it once more:
If the community wants all ports that become listed in the VuXML
document to be marked FORBIDDEN--- well, we can arrange that.
Cheers,
--
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org