Re: Opera vulnerability, marked forbidden instead of update?
About updating the opera port, it's a matter of updating the plist to make sure that opera cleans up after deinstall properly. Opera has a habit of silently adding new files between versions, so it must be checked.

Speaking from a user perspective, you don't even need to bump the version in the Makefile; nobody stops you from downloading from opera.com directly and using their installer as well as their uninstaller (they provide both). It works, and should always work, as long as FreeBSD is a supported platform. Just, when something is in ports, it must be integrated into the infrastructure fully.

--
View this message in context: http://freebsd.1045724.n5.nabble.com/Opera-vulnerability-marked-forbidden-instead-of-update-tp5763426p5765785.html
Sent from the freebsd-ports mailing list archive at Nabble.com.
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
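The plist check described in the message above, as an added example that is not part of the original post or of the ports tree: it compares a packing list with the files a new release actually ships and reports the difference in both directions. The function name, the scratch-directory layout (paths relative to the install prefix) and the sample file names are assumptions constructed for illustration; plist lines that use %%VAR%% substitutions are not expanded.

```shell
#!/bin/sh
# Added example (not from the thread): report drift between a pkg-plist
# and the files a new upstream release ships.

# plist_drift PLIST TREE
#   "+ path"  shipped in TREE but missing from PLIST (left behind on deinstall)
#   "- path"  listed in PLIST but no longer shipped
plist_drift() {
    plist=$1
    tree=$2
    tmp=$(mktemp -d) || return 1

    # Keep only file entries: drop @keyword lines (@dirrm, @exec, @comment)
    # and blank lines.
    grep -v -e '^@' -e '^[[:space:]]*$' "$plist" | LC_ALL=C sort -u > "$tmp/listed"

    # Files and symlinks actually present, relative to the tree root.
    (cd "$tree" && find . \( -type f -o -type l \)) \
        | sed 's|^\./||' | LC_ALL=C sort -u > "$tmp/shipped"

    LC_ALL=C comm -13 "$tmp/listed" "$tmp/shipped" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$tmp/listed" "$tmp/shipped" | sed 's/^/- /'
    rm -rf "$tmp"
}

# Constructed sample: one file added upstream, one file dropped upstream.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/tree/bin" "$d/tree/share/opera/locale"
    : > "$d/tree/bin/opera"
    : > "$d/tree/share/opera/locale/en.lng"
    : > "$d/tree/share/opera/locale/new.lng"    # new in this release
    printf '%s\n' \
        'bin/opera' \
        'share/opera/locale/en.lng' \
        'share/opera/old.ini' \
        '@dirrm share/opera/locale' > "$d/pkg-plist"
    plist_drift "$d/pkg-plist" "$d/tree"
    rm -rf "$d"
}

demo
```

Any "+" line is a file that deinstall would leave on disk until the plist is updated.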
Re: Opera vulnerability, marked forbidden instead of update?
On Fri, 23 Nov 2012 09:00:59 + Matthew Seaman matt...@freebsd.org wrote:
> On 23/11/2012 08:26, Matthieu Volat wrote:
> > I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> > http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
> >
> > The opera software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it.
> >
> > I am not familiar with the security process in ports, but would not it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that does already have it installed.
> >
> > I've bumped the versions in the Makefile
> >
> >     OPERA_VER?= 12.11
> >     OPERA_BUILD?= 1661
> >
> > and made a `make makesum reinstall`, there was no apparent problem.
>
> Marking a port 'FORBIDDEN' is a quick response measure that can be done without having to worry about time-consuming testing of the port and so forth. It's an interim measure taken to ensure that users do not unwittingly install software with known vulnerabilities.
>
> Yes, updating the port to a non-vulnerable version is the ideal response, but that may not be possible to do straight away. You've sketched out the first couple of steps a port maintainer would take, but that 'there was no apparent problem' statement would need to be backed up by some more rigorous testing before a maintainer would feel confident in committing the update.

Just a comment that, for any USERS who would like to take a chance with updating their Opera (rather than taking a chance running the vulnerable version), just modifying the Makefile as described above works to provide the update.

I've updated www/opera and www/opera-linuxplugins, and my new Opera is running fine:

    About Opera
    Version information
    Version   12.11
    Build     1661
    Platform  FreeBSD
    System    amd64, 8.3-STABLE

--
greg byshenk - gbysh...@byshenk.net - Leiden, NL - Portland, OR USA
Opera vulnerability, marked forbidden instead of update?
Hello,

I've noticed that www/opera was marked FORBIDDEN because of a security hole:
http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head

The opera software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it.

I am not familiar with the security process in ports, but would not it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that does already have it installed.

I've bumped the versions in the Makefile

    OPERA_VER?= 12.11
    OPERA_BUILD?= 1661

and made a `make makesum reinstall`, there was no apparent problem.

Regards,

--
Matthieu Volat ma...@alkumuna.eu
Re: Opera vulnerability, marked forbidden instead of update?
On 23/11/2012 08:26, Matthieu Volat wrote:
> I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
>
> The opera software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it.
>
> I am not familiar with the security process in ports, but would not it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that does already have it installed.
>
> I've bumped the versions in the Makefile
>
>     OPERA_VER?= 12.11
>     OPERA_BUILD?= 1661
>
> and made a `make makesum reinstall`, there was no apparent problem.

Marking a port 'FORBIDDEN' is a quick response measure that can be done without having to worry about time-consuming testing of the port and so forth. It's an interim measure taken to ensure that users do not unwittingly install software with known vulnerabilities.

Yes, updating the port to a non-vulnerable version is the ideal response, but that may not be possible to do straight away. You've sketched out the first couple of steps a port maintainer would take, but that 'there was no apparent problem' statement would need to be backed up by some more rigorous testing before a maintainer would feel confident in committing the update.

Cheers,

Matthew
Re: Opera vulnerability, marked forbidden instead of update?
On Friday 23 November 2012 03:00:59 Matthew Seaman wrote:
> On 23/11/2012 08:26, Matthieu Volat wrote:
> > I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> > http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
> >
> > The opera software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it.
> >
> > I am not familiar with the security process in ports, but would not it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that does already have it installed.
> >
> > I've bumped the versions in the Makefile
> >
> >     OPERA_VER?= 12.11
> >     OPERA_BUILD?= 1661
> >
> > and made a `make makesum reinstall`, there was no apparent problem.
>
> Marking a port 'FORBIDDEN' is a quick response measure that can be done without having to worry about time-consuming testing of the port and so forth. It's an interim measure taken to ensure that users do not unwittingly install software with known vulnerabilities.
>
> Yes, updating the port to a non-vulnerable version is the ideal response, but that may not be possible to do straight away. You've sketched out the first couple of steps a port maintainer would take, but that 'there was no apparent problem' statement would need to be backed up by some more rigorous testing before a maintainer would feel confident in committing the update.
>
> Cheers,
>
> Matthew

I did the same and I don't have problems...

Mitja
http://www.redbubble.com/people/lumiwa
Re: Opera vulnerability, marked forbidden instead of update?
On Fri, 23 Nov 2012 09:00:59 + Matthew Seaman matt...@freebsd.org wrote:
> On 23/11/2012 08:26, Matthieu Volat wrote:
> > I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> > http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
> >
> > The opera software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it.
> >
> > I am not familiar with the security process in ports, but would not it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that does already have it installed.
> >
> > I've bumped the versions in the Makefile
> >
> >     OPERA_VER?= 12.11
> >     OPERA_BUILD?= 1661
> >
> > and made a `make makesum reinstall`, there was no apparent problem.
>
> Marking a port 'FORBIDDEN' is a quick response measure that can be done without having to worry about time-consuming testing of the port and so forth. It's an interim measure taken to ensure that users do not unwittingly install software with known vulnerabilities.
>
> Yes, updating the port to a non-vulnerable version is the ideal response, but that may not be possible to do straight away. You've sketched out the first couple of steps a port maintainer would take, but that 'there was no apparent problem' statement would need to be backed up by some more rigorous testing before a maintainer would feel confident in committing the update.
>
> Cheers,
>
> Matthew

Hello and thanks for the explanation,

Cheers,

--
Matthieu Volat ma...@alkumuna.eu