From owner-freebsd-arch  Mon Nov 29 18: 0:50 1999
Delivered-To: freebsd-arch@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10])
	by hub.freebsd.org (Postfix) with ESMTP id 2246715697
	for <freebsd-arch@freebsd.org>; Mon, 29 Nov 1999 18:00:44 -0800 (PST)
	(envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218])
	by ns1.yes.no (8.9.3/8.9.3) with ESMTP id DAA26759
	for <freebsd-arch@freebsd.org>; Tue, 30 Nov 1999 03:00:43 +0100 (CET)
Received: (from eivind@localhost)
	by bitbox.follo.net (8.8.8/8.8.6) id DAA67893
	for freebsd-arch@freebsd.org; Tue, 30 Nov 1999 03:00:43 +0100 (MET)
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228])
	by hub.freebsd.org (Postfix) with ESMTP
	id F0C0B15698; Mon, 29 Nov 1999 17:59:12 -0800 (PST)
	(envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (localhost [127.0.0.1])
	by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id RAA88178;
	Mon, 29 Nov 1999 17:59:10 -0800 (PST)
	(envelope-from jkh@zippy.cdrom.com)
To: Kris Kennaway <kris@hub.freebsd.org>
Cc: Matthew Dillon <dillon@apollo.backplane.com>,
	Dan Moschuk <dan@freebsd.org>, arch@freebsd.org, audit@freebsd.org
Subject: Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h 
In-reply-to: Your message of "Mon, 29 Nov 1999 13:27:42 PST."
             <Pine.BSF.4.21.9911291319580.51314-100000@hub.freebsd.org> 
Date: Mon, 29 Nov 1999 17:59:10 -0800
Message-ID: <88174.943927150@zippy.cdrom.com>
From: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> * Changes which tighten security are arguably only useful if they're on by
> default, otherwise all the newbies will leave them off, and have
> (relatively speaking) insecure boxes.

That's highly arguable.  We provide secure levels, for example, but if
we turned them on to any appreciable degree then people's X servers
wouldn't work because we have no aperture driver.  Would it be correct
in the general case?  Yes.  Would it be correct for workstation users?
No.  Such is also the case in numerous other situations and it really
is a question of providing mechanisms which people can use selectively,
not just in providing the best "out of box" security defaults.

- Jordan




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message