Quote:
Originally Posted by rufwoof
Is it OK to use the base system's fvwm (2.2.5), which is so old it isn't even supported by the developers anymore?
|
Break/fix for all content in the base OS is supported by the OpenBSD Project members, via their bugs@ mailing list.
Quote:
I know I could install the more recent package based version (2.6.5)...
|
The port is supported by its individual maintainer. This is support of the port of the application. It is not support of the application itself, which is via http://fvwm.org/support/.
Quote:
My thinking is that the base system fvwm is audited as part of the general security auditing...
|
True, but the audit is generally conducted by humans, and only sometimes augmented with software studies.
Quote:
... (which is more intensive than for packages)...
|
No, the applications in the ports tree are not audited at all. The ports (the instructions for building the applications on OpenBSD) are reviewed and two developers must approve any commits to the tree - new ports, revisions, updates, or removals.
Quote:
and it may even have been changed in 5.9 for better security (the changelog suggests fvwm/fvwm-pager were changed to use pledge, which restricts system operations)
|
Indeed, the pledge(2) syscall restriction has been applied to the fvwm application in the base OS.
Code:
$ find /usr/xenocara/app/fvwm -type f -exec grep pledge {} +
/usr/xenocara/app/fvwm/fvwm/fvwm.c: if (pledge("stdio rpath proc exec", NULL) == -1)
/usr/xenocara/app/fvwm/fvwm/fvwm.c: err(1, "pledge");
/usr/xenocara/app/fvwm/modules/FvwmPager/FvwmPager.c: if (pledge("stdio", NULL) == -1)
/usr/xenocara/app/fvwm/modules/FvwmPager/FvwmPager.c: err(1, "pledge");
$
Quote:
... but then again that might have been for the package based (later) version of fvwm).
|
No. The port has not been pledged.
Code:
$ find /usr/ports/x11/fvwm2 -type f -exec grep pledge {} +
$
I have run the same find(1) against the port's extracted $WRKSRC; the application does not have pledge() syscall restrictions.
Quote:
My understanding is that the fvwm developers changed the licensing such that later versions after 2.2.5 won't be incorporated into the OpenBSD base system...
|
The port's license description in /usr/ports/x11/fvwm2/Makefile states:
Code:
# GPL/BSD-like (badly worded)
Quote:
... but if sticking with the older version were a security issue I would have thought it would have been pulled out altogether, and that if it's still in the base system then it's OK to use.
|
This is the general rule. Old software that is not maintained or is no longer maintainable is removed. There is a long history of removing cruft.
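As an added example that is not part of the original post (and not code from the OpenBSD or fvwm projects): the grep shown above also lists the `err(1, "pledge")` lines, and it does not tell you what each program actually promised. The sh function below, pledge_audit, walks a source tree and prints one line per pledge() call with the promise string it requests, so two trees (here the xenocara fvwm and the port's $WRKSRC) can be compared at a glance. It only recognises literal promise strings; a program that builds the string at run time, or that calls pledge() a second time to tighten its promises, still needs reading by hand.

```shell
#!/bin/sh
# pledge_audit: list every pledge() call in a source tree with its promise string.
# Added example, not part of the forum post or of any OpenBSD/fvwm source.
# Output format:  path:line promises      e.g.  fvwm/fvwm.c:2 stdio rpath proc exec
pledge_audit() {
    tree=$1
    if [ ! -d "$tree" ]; then
        echo "pledge_audit: no such directory: $tree" >&2
        return 2
    fi
    # grep -Hn yields "path:line:text". The sed expression keeps only lines
    # that really are a pledge() call with a literal first argument, and
    # rewrites them to "path:line promises". err(1, "pledge") lines have no
    # "(" after the word, so they are excluded by the grep pattern itself.
    find "$tree" -type f -exec grep -Hn 'pledge *(' {} + 2>/dev/null |
        sed -n 's/^\([^:]*:[0-9]*\):.*pledge *( *"\([^"]*\)".*/\1 \2/p'
}

# pledge_summary: print "N pledge call(s)" for a tree, 0 for an unpledged tree.
pledge_summary() {
    n=$(pledge_audit "$1" | wc -l | tr -d ' ')
    echo "$1: $n pledge call(s)"
}

# Usage: pledge_audit.sh /usr/xenocara/app/fvwm /usr/ports/pobj/fvwm-2.6.5/fvwm-2.6.5
# (the second path is whatever `make show=WRKSRC` prints for the port; both are
# illustrative paths, not copied from a real system)
for t in "$@"; do
    pledge_summary "$t"
    pledge_audit "$t"
done
```

Run it against the base tree and the port's extracted $WRKSRC (`make -C /usr/ports/x11/fvwm2 show=WRKSRC` prints the latter once the port has been fetched and extracted): the base tree should report the two calls quoted in the post, the port should report none. Paths containing a colon will confuse the sed field split; that is the price of staying in plain sh.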