Re: ethereal and 3.6 ports
From: Ed White (ed.white libero.it)
Date: Mon Nov 22 2004 - 07:48:01 CST
Quoting from here: http://www.onlamp.com/lpt/a/5302

FB: ethereal was removed from the ports tree because "the ethereal team does
not care about security, as new protocols get added, and nothing gets done
about the many more holes that exist." I hope that this is not the beginning
of a hunting season to remove software because it's [insecure. That] will end
with a system that's secure because [it] can't do anything. I'm wrong, right?

Peter Valchev: You are in part correct.

People often forget the main purpose of the ports tree is to provide packages,
especially on the CDs when a release is done, for convenience. When a piece
of networking software running with root privileges continuously gets holed,
and the developers do not address the root of the problem (the big hunk of
code running as root), the other facts aside, means we ship a holed version
in our releases. Then many people, not knowing better, will just add the
package in question and get in trouble. Namely, that was the case in 3.5.
This kind of software does not belong to the ports tree for mainly that
reason ... especially when alternatives exist. And maybe someone who cares
about this particular piece of software and relies on parts of it can use
this as motivation and address the root problem. You are not wrong that
OpenBSD will discourage the use of insecure software in the future, in the
ports tree or not. It's why rlogin was removed from the source tree, for
example. I know of a big institution that recommends rlogin over ssh to this
day. I don't think that is the world OpenBSD enthusiasts want to live in.