On Sun, Dec 31, 2006 at 02:18:54PM +0100, Antoine Jacoutot wrote:
> On Fri, 29 Dec 2006, Joachim Schipper wrote:
> >I'll try to give it a spin tomorrow, but I find it hard to reconcile the
> >above with
> >http://marc.theaimsgroup.com/?l=openbsd-ports&m=116722882621269&w=2
> >(Marc Espie (espie@) says he is 'shuddering about what a full scale
> >audit would reveal'). Even if you disagree with Marc, wouldn't it be a
> >good idea to have some warning somewhere - perhaps in a SECURITY file?
> 
> While I totally understand Marc's comment, he just wonders "what a full 
> scale audit would reveal"... maybe nothing!
> By the way, this is true for other ports too.
> For info, the daemon cannot be run as root. It is a small software so it 
> shouldn't be too hard to audit if people want to.

Oh, it's certainly not the only port with questionable security - but
remember that Ethereal was pulled from the tree explicitly for its lack
of security, and also note that something like php or ImageMagick -
which are useful, but not as secure as one might like - doesn't have a
MESSAGE boasting that it is the next big security revolution.

Also, sorry for the slow reaction on the first post - it got stuck on my
laptop, that'll teach me to mess around with Postfix without restoring
the settings later. And sorry for this slow message - I'd promised to
test it earlier, and it's already committed (it builds fine, FWIW).

                Joachim
