Date: Wed, 30 Apr 2003 13:00:09 -0700
From: Kris Kennaway
To: Mark Murray
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/release Makefile src/release/scripts crypto-install.sh
Message-ID: <20030430200008.GA85160@rot13.obsecurity.org>
In-Reply-To: <200304301952.h3UJqiQL016860@grimreaper.grondar.org>

On Wed, Apr 30, 2003 at 08:52:44PM +0100, Mark Murray wrote:
> Kris Kennaway writes:
> > > It will be a box on-the side.
> >
> > I don't understand this sentence.
>
> Sorry. :-).
>
> It is just extra commands to type. Nothing invasive.
>
> > > Simplifies installations, and if folks
> > > don't want to use the applets, they won't have to.
> >
> > But they are still there, and having a bunch of kerberos stuff
> > installed by default (as crypto is) is an additional security hazard
> > to the system.
>
> How is having the kerberos tools hazardous?

For example, there's been at least one security vulnerability in k5su
over the past year (two if you count the different security policy
behaviour).

The bottom line here is that most people will never use kerberos, so
installing it by default is an unnecessary security risk, and
contributes to bloat. I don't understand why this change needed to be
made; everything seemed to work fine having k5 in a separate
distribution (the makefile logic was all correct, etc).

Kris