Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: tech-security <>
From: gabriel rosenkoetter <>
List: tech-security
Date: 07/12/2002 10:43:56
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Jul 12, 2002 at 04:16:48PM +0200, Ing.,BcA. Ivan Dolezal wrote:
> - the package is "safe" (the vuln's are unknown at the moment),

ALL software has unknown vulnerabilities. No software corporation's
guarantees about security change that. You might as well accept it.

> - or s/he just ignored the message, because the package was
>   just too minore (an error in Apache is something else than
>   an error in some Joe Shmoe's script) Genuine CERT.ORG is a good
>   example. Just compare a database of vuln's at
>   with a number of advisories issued by CERT...

Sure, but Security Focus doesn't get everything either, since plenty
of folks don't come forward with a security vulnerability that
they've discovered but just go off and exploit it. Not much you can
do about that either.

> But my question was different: what mechanism is behind gathering=20
> information for "vulnerabilities" text file? How many people care of it?=
> On what basis?

You'd have to ask the package maintainer to be sure.

> Are they paid by NetBSD Foundation?

Almost definitely not.

> Or Wassabi Systems?=20

Probably not. Only one s in Wasabi, btw.

> Or is it just a chaotic mess?

Umm... the suggestion that if it isn't one of your possibilities it
must be a chaotic mess is a bit offensive. NetBSD is not a large,
corporate entity. It is a community-developed operating system. There's
probably someone that cares about this somewhere. Sounds like that
someone might be you right now. If you don't want to deal with
maintaining the security of your own system, then you probably
don't want to use NetBSD in production.

> Also: if a package stays calmly in pkgsrc collection for a suspiciously=
> long time (this is obviously more an issue of security software,=20
> firewalls than let's say a TeX), does anybody care if it shouldn't be=20
> removed - becuase the package maintainer doesn't care anymore - rather=20
> than making people think they are safe?

I don't think we're making anyone think they're safe. If you think a
package is out of date, submit a PR about it. It'll get handled much
more quickly if you include a reference to the current version and
any necessary localization patches.

Ultimately, security MUST BE the system administrator's
responsibility. I'm really bothered by the tendency in businesses
today (and expressed in your questions here) to put the blame for
the insecurity of a specific system on the operating system
installed. Note that NetBSD was provided to you WITHOUT guarantees,
of security or anything else. Lots of people seem to think it's
secure. But they think that through experience.

gabriel rosenkoetter

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.7 (NetBSD)