Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: tech-security <tech-security@netbsd.org>
From: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
List: tech-security
Date: 07/12/2002 16:16:48
Hello,


> There is a Dante CERT at http://www.dante.net/security/


I am afraid this is not a list dedicated to the Socks server Dante, it is 
just a security research team of a slowly dying project founded to 
connect the national research networks (like CESNET in the case of the Czech 
Republic).

> There is a pkg called audit-packages, it provides two programs,
> download-vulnerability-list which downloads the list and
> audit-packages which audits your running system against this list, so
> you get an output if compromised pkgs are found.

Ehm, I didn't formulate my previous e-mail well. I installed this 
package a long time ago and I have modified my security.local. My problem 
isn't with downloading and parsing a text file "vulnerabilities" against a 
list of installed packages. I was trying to get some info on how 
"responsibly" the information is gathered for the text file -- 
especially for 3rd party software.


> You can have a look at the Database
> and you will see that there are really a lot of vulnerabilities listed and a lot
> of sources for those vulnerabilities, like FreeBSD, securityfocus.com
> cert.org and so on.

Well, you can look at them, but the problem is that it again means only that
- the package is "safe" (the vuln's are unknown at the moment),
- or the maintainer of the list didn't receive any notification
   about a bug,
- or s/he just ignored the message, because the package was
   just too minor (an error in Apache is something other than
   an error in some Joe Shmoe's script). Genuine CERT.ORG is a good
   example. Just compare the database of vuln's at online.securityfocus.com
   with the number of advisories issued by CERT...

But my question was different: what mechanism is behind gathering 
information for the "vulnerabilities" text file? How many people care about it? 
On what basis? Are they paid by the NetBSD Foundation? Or Wasabi Systems? 
Or is it just a chaotic mess?


Also: if a package stays calmly in the pkgsrc collection for a suspiciously 
long time (this is obviously more an issue for security software and 
firewalls than for, let's say, TeX), does anybody care whether it should be 
removed - because the package maintainer doesn't care anymore - rather 
than making people think they are safe?



Thanks,

Ivan
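The mechanism the quoted reply describes (match installed packages against a downloaded vulnerability list) and the limitation Ivan raises (a package with no entry produces no finding, whether or not it is actually safe), as an added example that is not part of the thread and not the pkgsrc audit-packages code. The line format, package names, versions and URLs below are constructed for illustration, not taken from the real "vulnerabilities" file.

```python
import re

# Constructed sample list, assumed format: <pkg><op><version> <type> <reference>
VULN_LIST = """\
# pkg-pattern         type               reference
openssl<0.9.6e        remote-root-shell  https://advisories.example/1
apache<1.3.26         denial-of-service  https://advisories.example/2
joes-script<=0.1      remote-code-exec   https://advisories.example/3
"""
# Constructed list of installed packages in "name-version" form.
INSTALLED = ["openssl-0.9.6d", "apache-1.3.26", "joes-script-0.2", "tex-3.14159"]

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def version_key(version):
    """'0.9.6d' -> comparable tuple: numeric runs as ints, letter runs as strings."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))

def split_installed(pkg):
    """'joes-script-0.2' -> ('joes-script', '0.2'); version begins at the last '-' before a digit."""
    return re.match(r"^(.+)-(\d[^-]*)$", pkg).groups()

def parse_vuln_list(text):
    """Return (name, op, version, type, reference) for every non-comment, non-blank line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, vtype, ref = line.split()
        name, op, version = re.match(r"^(.+?)(<=|>=|<|>|=)(.+)$", pattern).groups()
        entries.append((name, op, version, vtype, ref))
    return entries

def audit(vuln_text, installed):
    """(installed-pkg, type, reference) for each installed package matching a pattern."""
    hits = []
    for pkg in installed:
        name, version = split_installed(pkg)
        for vname, op, vversion, vtype, ref in parse_vuln_list(vuln_text):
            if vname == name and _OPS[op](version_key(version), version_key(vversion)):
                hits.append((pkg, vtype, ref))
    return hits

def never_listed(vuln_text, installed):
    """Installed packages with no entry at all: silent, which is not the same as safe."""
    known = {e[0] for e in parse_vuln_list(vuln_text)}
    return [p for p in installed if split_installed(p)[0] not in known]

if __name__ == "__main__":
    for hit in audit(VULN_LIST, INSTALLED):
        print("VULNERABLE:", *hit)
    print("never listed:", never_listed(VULN_LIST, INSTALLED))
```

Only openssl-0.9.6d is reported; apache-1.3.26 and joes-script-0.2 fall outside their patterns, and tex has no entry at all, so the audit says nothing about it either way.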