Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: tech-security <email@example.com>
From: Ing.,BcA. Ivan Dolezal <firstname.lastname@example.org>
Date: 07/12/2002 16:16:48
> There is a Dant CERT at http://www.dante.net/security/
I am afraid this is not a list dedicated to Socks server Dante, it is
just a security research team of a slowly dying project founded to
connect the national research networks (like CESNET in case of The Czech
> There is a pkg called audit-packages, it provides two programs,
> download-vulnerability-list which downloads the list and
> audit-packages which audits your running system against this list, so
> you get an output it compromised pkgs are found.
Ehm, I didn't formulate my previous e-mail well. I have installed this
package long time ago and I have modified my security.local. My problem
isn't with downloading parsing a text file "vulnerabilities" against a
list of installed packages. I was trying to get an info how
"responsibly" is the information gathered for the text file --
especially for 3rd party software.
> You can have a look at the Database
> and you will see that there are really a lot vulnerabilities listed and a lot
> of sources for that vulnerabilities, like FreeBSD, securityfocus.com
> cert.org and so on.
Well, you can look at them, but the problem is that it means again only that
- the package is "safe" (the vuln's are unknown at the moment),
- or this maintainer of the list didn't receive any notification
about a bug
- or s/he just ignored the message, because the package was
just too minore (an error in Apache is something else than
an error in some Joe Shmoe's script) Genuine CERT.ORG is a good
example. Just compare a database of vuln's at online.securityfocus.com
with a number of advisories issued by CERT...
But my question was different: what mechanism is behind gathering
information for "vulnerabilities" text file? How many people care of it?
On what basis? Are they paid by NetBSD Foundation? Or Wassabi Systems?
Or is it just a chaotic mess?
Also: if a package stays calmly in pkgsrc collection for a suspiciously
long time (this is obviously more an issue of security software,
firewalls than let's say a TeX), does anybody care if it shouldn't be
removed - becuase the package maintainer doesn't care anymore - rather
than making people think they are safe?