svn commit: r504132 - head/security/vuxml
Adam Weinberger
adamw at freebsd.org
Sat Jun 15 19:04:55 UTC 2019
On Sat, Jun 15, 2019 at 12:42 PM Alexey Dokuchaev <danfe at freebsd.org> wrote:
>
> On Sat, Jun 15, 2019 at 09:41:24AM -0600, Adam Weinberger wrote:
> > On Sat, Jun 15, 2019 at 9:12 AM Alexey Dokuchaev wrote:
> > > ...
> > > I've seen people say that in some distributions, default packages
> > > were not affected because their maintainers deliberately disable
> > > modelines, e.g. in Debian [and Gentoo]
> >
> > Their default packages ARE affected. If your car explodes in 6th gear,
> > you can't say your car isn't affected because it starts up in first.
> > Whether they're enabled or disabled by default, the package is still
> > vulnerable.
>
> Adam, sorry, I shouldn't have said that their packages aren't affected.
> Apparently I didn't make myself clear enough, let me try again:
>
> Do we package Vim/NeoVim with modelines enabled by default? I think
> it's generally a good idea to turn potentially dangerous features, esp.
> with an earlier history of security/resource vulnerabilities, off by
> default -- it does not make packages less vulnerable, but leaves one
> extra potential attack door closed rather than opened.

I'm not opposed to the idea at all. Modeline is an outstanding feature
that, for example, helps us make sure that bsd.port.mk
patches don't show up with leading tabs. It is a wonderful, powerful
feature that absolutely has the potential to be used for substantial
evil.

That said, having fixed a busted lock doesn't mean that we should
board up the front door. If every area of WordPress with a fixed
vulnerability were disabled by default, WordPress would be a static
HTML file. (Both those metaphors are completely hyperbolic, of
course.) We will definitely have some confused end-users if we set
nomodeline by default, and we'll have to be even more diligent about
checking patches for spacing.

Alexey, do the benefits of modeline outweigh the risks? Anyone else
want to add recommendations here?

# Adam
--
Adam Weinberger
adamw at adamw.org // adamw at FreeBSD.org
https://www.adamw.org
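Added example, not code from this thread, the ports tree or Vim: a small POSIX sh scanner for the region of a file Vim actually reads for modelines, the first and last 'modelines' lines (5 by default). It shows a committer what an untrusted patch or source file would set in the editor before opening it with modelines left on, which is the middle ground between the two positions above. The regex, the helper names and the sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from the ports tree or from Vim:
# scan the window Vim checks for modelines (first and last N lines, N=5 by
# default) so a reviewer can see what a file would set before opening it.

# Documented modeline prefixes: "vi:", "vim:", "Vim:", "ex:" and the
# version-gated "vim<700:" / "vim=700:" / "vim>700:" / "vim700:", at the
# start of a line or after whitespace. This is a prefix heuristic only;
# Vim additionally requires the rest of the line to parse as options.
MODELINE_RE='(^|[[:space:]])(vi|vim|Vim|ex)([<=>]?[0-9]+)?:'

# Lines from FILE's first and last N lines (N defaults to 5) that look like
# modelines, deduplicated so a short file does not list a line twice.
modeline_candidates() {
    f=$1
    n=${2:-5}
    { head -n "$n" "$f"; tail -n "$n" "$f"; } | grep -E "$MODELINE_RE" | sort -u
}

# Exit status 0 if FILE carries a modeline-looking line in that window,
# 1 otherwise.
has_modeline() {
    f=$1
    n=${2:-5}
    { head -n "$n" "$f"; tail -n "$n" "$f"; } | grep -E -q "$MODELINE_RE"
}

# Constructed sample files for a demonstration run (not real ports files).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'int main(void) { return 0; }' '/* vim: set ts=8 sw=4 noet: */' \
    > "$SAMPLE_DIR/with_modeline.c"
printf '%s\n' 'plain text' 'no editor hints here' > "$SAMPLE_DIR/clean.txt"
# A modeline on line 10 of a 20-line file sits outside the default window,
# so Vim with modelines=5 would ignore it, and so does the scanner.
i=1
while [ "$i" -le 20 ]; do
    if [ "$i" -eq 10 ]; then
        echo '# vim: set noet:'
    else
        echo "line $i"
    fi
    i=$((i + 1))
done > "$SAMPLE_DIR/buried.txt"

for f in "$SAMPLE_DIR"/*; do
    if has_modeline "$f"; then
        echo "$f: modeline in first/last 5 lines:"
        modeline_candidates "$f" | sed 's/^/    /'
    else
        echo "$f: no modeline in first/last 5 lines"
    fi
done
# Widening the window shows the buried one, as 'set modelines=10' would.
has_modeline "$SAMPLE_DIR/buried.txt" 10 && echo "buried.txt: found with a 10-line window"
```

The default Alexey proposes corresponds to `set nomodeline` (or equivalently `set modelines=0`) in the system vimrc, after which Vim ignores everything this scanner reports; running the scanner over a patch before opening it is the cheaper alternative that keeps modelines available for the spacing checks Adam mentions.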