axyftp [LSARC/2008/271 Self Review]
Mark A. Carlson
Mark.Carlson at sun.com
Tue Apr 22 10:44:32 PDT 2008
I am sponsoring this case for Charles Baker and marking it closed
approved automatic based on the FOSS checklist in the case directory.
-- mark
Mark Carlson wrote:
> Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
> This information is Copyright 2008 Sun Microsystems
> 1. Introduction
> 1.1. Project/Component Working Name:
> axyftp
> 1.2. Name of Document Author/Supplier:
> Author: Charles Baker
> 1.3 Date of This Document:
> 22 April, 2008
> 4. Technical Description
> FCL--FOSS Check List
>
> 1.0 Project Information
> 1.1 Name of project/component
> axyftp-0.5.1
>
> 1.2 Author of document
> Charles Baker Charles.Baker at Sun.com
>
> 2.0 Project Summary
> 2.1 Project Description
> axyftp is an X Window system FTP client designed for unix.
>
> The integration of the new axyftp package into the Indiana project
> will provide a user friendly ftp client into Solaris, making
> Indiana more user friendly.
>
> 2.2 Release binding
> What is the release binding?
> (see http://opensolaris.org/os/community/arc/policies/release-taxonomy/)
> [ ] Major
> [ ] Minor
> [X] Patch or Micro
> [ ] Unknown -- ARC review required
>
> 2.3 Originating Community
> 2.3.1 Community Name
> axyftp
> http://www.wxftp.seul.org/
>
> 2.3.2 Community Involvement
> Indicate Sun's involvement in the community
> [ ] Maintainer
> [ ] Contributor
> [X] Monitoring
>
> Will the project team work with the upstream community to resolve
> architectural issues of interest to Sun?
> [X] Yes
> [ ] No - briefly explain
>
> Will we or are we forking from the community?
> [ ] Yes - ARC review required prior to forking
> [X] No
>
> 3.0 Technical Description
> 3.1 Installation & Sharable
> 3.1.1S Solaris Installation - section only required for Solaris Software
> (see http://opensolaris.org/os/community/arc/policies/install-locations/ for details)
> Does this project follow the Install Locations best practice?
> [X] Yes
> [ ] No - ARC review required
>
> Does this project install into /usr under [sbin|bin|lib|include|man|share]?
> [X] Yes
> [ ] No or N/A
>
> Does this project install into /opt?
> [ ] Yes - explain below
> [X] No or N/A
>
> Does this project install into a different directory structure?
> [ ] Yes - ARC review required
> [X] No or N/A
>
> Do any of the components of this project conflict with anything under /usr?
> (see http://opensolaris.org/os/community/arc/caselog/2007/047/ for details)
> [ ] Yes - explain below
> [X] No
>
> If conflicts exist then will this project install under /usr/gnu?
> [ ] Yes
> [ ] No - ARC review required
> [X] N/A
>
> Is this project installing into /usr/sfw?
> [ ] Yes - ARC review required
> [X] No
>
> 3.1.1W Windows Installation - section only required for Windows Software
> (see http://sac.sfbay/WSARC/2002/494 for details)
> Does this project install software into a
> <system drive>:\Program Files\Sun\<product> or <system drive>:\Sun\<product>
> directory?
> [ ] Yes
> [ ] No - ARC review required
>
> Does the project use the Windows registry?
> [ ] Yes
> [ ] No - ARC review required
>
> Does the project use
> HKEY_LOCAL_MACHINE\SOFTWARE\Sun Microsystems\<product>\<version>
> for the registry key?
> [ ] Yes
> [ ] No - ARC review required
>
> Is the project's stored location
> HKEY_LOCAL_MACHINE\SOFTWARE\Sun Microsystems\<product id>\<version id>\Path?
> [ ] Yes
> [ ] No - ARC review required
>
> 3.1.2 Share and Sharable
> Does the module include any components that are used or shared by
> other projects?
> [ ] Yes
> [X] No
>
> If yes are these components packaged to be shared with the other FOSS?
> [ ] Yes
> [ ] No - ARC review required
>
> Are these components already in the Solaris WOS?
> [ ] Yes
> [X] No - continue with next section
>
> If yes are these newer versions being delivered?
> [ ] Yes
> [ ] No - ARC review required
>
> If yes are the newer versions replacing the existing versions?
> [ ] Yes
> [ ] No - ARC review required
>
> 3.2 Libraries
> Are 64-bit libraries being delivered?
> [ ] Yes
> [ ] No - ARC review required
> [X] N/A
> No Libraries are being delivered, only a single user binary.
>
> Are static versions of the library being delivered?
> [ ] Yes - ARC review required
> [X] No
>
> 3.3 Services and the /etc Directory
> (see http://opensolaris.org/os/community/arc/policies/SMF-policy/)
> Does the project integrate anything into /etc/init.d or /etc/rc?.d?
> [ ] Yes - ARC review required
> [X] No
>
> Does the project integrate any new entries into /etc/inittab or
> /etc/inetd.conf?
> [ ] Yes - ARC review required
> [X] No
>
> Does the project integrate any private non-public files into /etc/default
> or /etc/ configuration files?
> [ ] Yes - ARC review required
> [X] No
>
> Does the service manifest's method context grant rights above that
> of the noaccess user and basic privilege set?
> [ ] Yes - ARC review required
> [X] No
>
> 3.4 Security
> 3.4.1 Secure By Default
> (see http://opensolaris.org/os/community/arc/policies/secure-by-default/ for details)
> (see http://www.opensolaris.org/os/community/arc/policies/NITS-policy/ for details)
> (see parts of http://opensolaris.org/os/community/arc/policies/SMF-policy/ for
> additional details)
> Are network services enabled by default?
> [ ] Yes - ARC review required
> [X] No
> [ ] N/A
>
> Are network services automatically enabled by the project during installation?
> [ ] Yes - ARC review required
> [X] No
> [ ] N/A
>
> Are inbound network communications denied by default?
> [ ] Yes
> [ ] No - ARC review required
> [X] N/A
>
> Is inbound data checked to prevent content-based attacks?
> [ ] Yes
> [ ] No - ARC review required
> [X] N/A
>
> Is the outbound receiver authenticated?
> [X] Yes
> [ ] No - ARC review required
> [ ] N/A
>
> Is the receiver authenticated prior to receiving any sensitive outbound communication?
> [X] Yes
> [ ] No - ARC review required
> [ ] N/A
>
> 3.4.2 Authorization
> (see http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/ and
> http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/ and
> http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
> for details)
> Are there any setuid/setgid privileged binaries in the project?
> [ ] Yes - ARC review required
> [X] No - continue with next section
>
> If yes then are the setuid/setgid privileges handled by the use of roles?
> [ ] Yes
> [ ] No - ARC review required
>
> 3.4.3 Auditing
> (see http://opensolaris.org/os/community/arc/policies/audit-policy/ for details)
> (see http://opensolaris.org/os/community/arc/caselog/2003/397 for details)
> Does this component contain administrative or security enforcing software?
> [ ] Yes - ARC review required
> [X] No - continue to next section
>
> (see http://opensolaris.org/os/community/arc/caselog/2003/397 for details)
> Do the components create audit logs detailing what took place including what event
> took place, who was involved, when the event took place?
> [ ] Yes - ARC contract and Audit project team review required
> [ ] No - ARC review required
>
>
> 3.4.4 Authentication
> (see http://opensolaris.org/os/community/arc/policies/PAM/)
> Do the components contain any authentication code?
> [ ] Yes
> [X] No - continue to next section
>
> If yes do the components use PAM (pluggable authentication modules) for authentication?
> [ ] Yes
> [ ] No - ARC review required
>
> If yes is a single PAM session maintained during authentication?
> [ ] Yes
> [ ] No - ARC review required
>
> If yes are the components sufficiently privileged to allow the requested
> operations (authentication, password change, process credential manipulation,
> audit state initialization)?
> [ ] Yes - briefly describe below
> [ ] No - ARC review required
>
> 3.4.5 Passwords
> (see http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/ and
> http://opensolaris.org/os/community/arc/bestpractices/passwords-files/ for details)
> Do any of the components for the project deal with passwords?
> [X] Yes
> [ ] No - continue to next section
>
> If yes are these passwords entered via the CLI or environment?
> [ ] Yes - ARC review required
> [ ] No
> [X] GUI window, all entries shown as '*'.
>
> Are passwords stored within the file system for the component?
> [X] Yes
> [ ] No - continue to next section
>
> If yes are the permissions on the file such to protect exposing the password(s)?
> [X] Yes
> [ ] No - ARC review required
>
> 3.4.6 General Security Questions
> (see http://opensolaris.org/os/community/arc/bestpractices/security-questions/ for details)
> Do the components use standard network protocols?
> [X] Yes
> [ ] No - ARC review required
>
> Do network services for the project make decisions based upon user, host or
> service identities?
> [X] Yes - explain below
> [ ] No
> [ ] N/A
> This is an ftp client that requires user specified host, user id, and password.
>
> Do the components make use of secret information during authentication and/or
> authorization?
> [X] Yes - explain below
> [ ] No
> [ ] N/A
> This is an ftp client that requires user specified host, user id, and password.
>
> 3.5 Networking
> Do the components access the network?
> [X] Yes
> [ ] No - continue to next section
>
> If yes do the components support IPv6?
> [X] Yes
> [ ] No - ARC review required
>
> 3.6 Core Solaris Components
> Do the components of this project compete with or duplicate core
> Solaris components?
> [ ] Yes - ARC review required
> [X] No
>
> Examples of Core Solaris Components include but are not limited to:
>
> Secure By Default
> Authorizations
> PAM -- Pluggable Authentication Module
> Privilege
> PRM -- Process Rights Management -- Privilege
> Audit
> xVm -- Virtualization
> zones / Solaris Containers
> PRM -- Process Rights Management
> RBAC -- Role Based Access Control
> TX / Trusted Extensions
> ZFS
> SMF -- Service Management Facility
> FMA -- Fault Management Architecture
> SCF -- Smart Card Facility
> IPsec
>
> 4.0 Interfaces
> (see http://www.opensolaris.org/os/community/arc/policies/interface-taxonomy/ for details)
> 4.1 Exported Interfaces
>
> Interface Name               Classification       Comments
> ---------------------------  -------------------  ---------------------------
> AxYftp                       Uncommitted          version 0.5.1
>
> SUNWaxyftp                   Uncommitted          axyftp's packaging
>
> /usr/bin/axyftp              Uncommitted          Current version 0.5.1
>                                                   last changed Jan. 2000
> Manual Pages
> /usr/share/man/man1/axyftp.1
>
> Help Documentation
> /usr/share/doc/axyftp/help.html
> /usr/share/doc/axyftp/intro.html
> /usr/share/doc/axyftp/axyftp.html
> /usr/share/doc/axyftp/main.html
> /usr/share/doc/axyftp/options.html
> /usr/share/doc/axyftp/panels.html
> /usr/share/doc/axyftp/problems.html
> /usr/share/doc/axyftp/session.html
> /usr/share/doc/axyftp/glossary.html
> /usr/share/doc/axyftp/doc.gif
> /usr/share/doc/axyftp/folder.gif
> /usr/share/doc/axyftp/link.gif
> /usr/share/doc/axyftp/up.gif
>
> License Files
> /usr/share/doc/axyftp/artistic.txt
> /usr/share/doc/axyftp/lgpl.txt
>
> 4.2 Imported Interfaces
> Interface Name               Classification        Comments
> ---------------------------  --------------------  --------------------------
> GTK+ 1.2.10                  Volatile              PSARC/2000/487
> GLIB 1.2.10                  Volatile              PSARC/2000/487
> GDK 1.2.10                   Volatile              PSARC/2000/487
>
> libsocket(3LIB)              Committed
> libnsl(3LIB)                 Committed
> X(5)                         Committed
> libm(3LIB)                   Committed
>
>
> Brief Interface Classifications - See Appendix C for definitions
> Volatile - use check list for approval
> Uncommitted - ARC review might be required, seek committee member advice
> package names do not require further review
> Committed - ARC review required
> Project Private - no review required, just document in table
> Contracted (interface modifier) - further review required
>
> Appendix A - References
> 1. Solaris Installation Locations Policy
> http://opensolaris.org/os/community/arc/policies/install-locations/
> 2. /usr/gnu Installation ARC case
> http://opensolaris.org/os/community/arc/caselog/2007/047/
> 3. Secure By Default Policy
> http://opensolaris.org/os/community/arc/policies/secure-by-default/
> 4. Network Install Time Security Policy
> http://www.opensolaris.org/os/community/arc/policies/NITS-policy/
> 5. Adding RBAC Authorizations Policy
> http://opensolaris.org/os/community/arc/bestpractices/rbac-auths/
> 6. When to use setuid -vs- RBAC roles and profiles
> http://opensolaris.org/os/community/arc/bestpractices/rbac-intro/ and
> 7. Building RBAC Rights Profiles
> http://opensolaris.org/os/community/arc/bestpractices/rbac-profiles/
> 8. Solaris Audit Policy
> http://opensolaris.org/os/community/arc/policies/audit-policy/
> 9. Security questionnaire
> http://opensolaris.org/os/community/arc/bestpractices/security-questions/
> 10. Interface Taxonomy
> http://www.opensolaris.org/os/community/arc/policies/interface-taxonomy/
> 11. Pluggable Authentication Modules -- PAM
> http://opensolaris.org/os/community/arc/policies/PAM/
> 12. Reusable Passwords In Command Line Arguments and Environment Variables
> http://opensolaris.org/os/community/arc/bestpractices/passwords-cli/
> 13. Storing Reusable Passwords on a Filesystem
> http://opensolaris.org/os/community/arc/bestpractices/passwords-files/
> 14. Release Taxonomy
> http://opensolaris.org/os/community/arc/policies/release-taxonomy/
> 15. Service Management Facility (SMF) usage
> http://opensolaris.org/os/community/arc/policies/SMF-policy/
>
>
> Appendix B - Suggested case materials
> 1. man pages
> 2. SMF manifests
> 3. links to contracts
>
> Appendix C - Definitions
> Submitter
> an agent responsible for creation of an ARC project along with the
> materials describing that project.
> Owner
> the ARC agent responsible for shepherding the case through review
> and ensuring a formal opinion is written where required.
> Maintainer
> an agent responsible for releasing new versions of a program, typically
> the "main" contributor or person in charge of making Architectural
> decisions for the project
> Contributor
> an agent who makes contributions to a project, typically has a voice in
> making Architectural decisions for the project
> Monitoring
> an agent who is only following the changes made in the community and
> has no Architectural input into the project
> Volatile*
> interfaces that are very fluid and typically follow the originating
> community. Typically these interfaces can not be imported by other
> projects.
> Uncommitted*
> interfaces that are still evolving but will most likely be present from
> release to release.
> Committed*
> interfaces that are stable and with Sun guaranteeing some level of
> compatibility from release to release.
> Project Private*
> interfaces that are exposed only to or intended to be used only by
> the project being reviewed. These interfaces can not be imported by
> other projects.
> Not-An-Interface*
> components that are not interfaces.
> Contracted* (interface modifier) - ARC review of Contract required
> interfaces that do not allow another project to import can be
>
> *Note: see http://opensolaris.org/os/community/arc/policies/interface-taxonomy/ for details
>
> 6. Resources and Schedule
> 6.4. Steering Committee requested information
> 6.4.1. Consolidation C-team Name:
> ON
> 6.5. ARC review type: Automatic
> 6.6. ARC Exposure: open
>
>