On Sun, Dec 31, 2006 at 02:18:54PM +0100, Antoine Jacoutot wrote:
> On Fri, 29 Dec 2006, Joachim Schipper wrote:
> > I'll try to give it a spin tomorrow, but I find it hard to reconcile the
> > above with
> > http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
> > (Marc Espie (espie@) says he is 'shuddering about what a full scale
> > audit would reveal'). Even if you disagree with Marc, wouldn't it be a
> > good idea to have some warning somewhere - perhaps in a SECURITY file?
>
> While I totally understand Marc's comment, he just wonders "what a full
> scale audit would reveal"... maybe nothing!
> By the way, this is true for other ports too.
> For info, the daemon cannot be run as root. It is a small piece of software, so it
> shouldn't be too hard to audit if people want to.
Oh, it's certainly not the only port with questionable security - but remember that Ethereal was pulled from the tree explicitly for its lack of security, and also note that something like php or ImageMagick - which are useful, but not as secure as one might like - doesn't have a MESSAGE boasting that it is the next big security revolution.

Also, sorry for the slow reaction on the first post - it got stuck on my laptop; that'll teach me to mess around with Postfix without restoring the settings later. And sorry for this slow message - I'd promised to test it earlier, and it's already committed (it builds fine, FWIW).

Joachim