From owner-freebsd-security  Thu Apr 18 15:29:11 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ralf.artlogix.com (sense-mcglk-240.oz.net [216.39.168.240])
	by hub.freebsd.org (Postfix) with ESMTP id A757437B41A
	for <security@FreeBSD.ORG>; Thu, 18 Apr 2002 15:29:06 -0700 (PDT)
Received: by ralf.artlogix.com (Postfix, from userid 1000)
	id 4CBC91B9C9F; Thu, 18 Apr 2002 15:32:42 -0700 (PDT)
To: Brett Glass <brett@lariat.org>
Cc: Christopher Schulte <schulte+freebsd@nospam.schulte.org>,
	security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
References: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
	<4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org>
	<200204171923.g3HJNga58899@freefall.freebsd.org>
	<4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
	<4.3.2.7.2.20020418143615.021a8460@nospam.lariat.org>
From: Ken McGlothlen <mcglk@artlogix.com>
Date: 18 Apr 2002 15:32:42 -0700
In-Reply-To: <4.3.2.7.2.20020418143615.021a8460@nospam.lariat.org>
Message-ID: <878z7k4oz9.fsf@ralf.artlogix.com>
Lines: 23
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Brett Glass <brett@lariat.org> writes:

| Good tips here, assuming that you're willing to keep a build server around.
| But what if you're doing a fresh install at a customer site (with Internet
| feed), and want to get from floppies to a reasonably secure system without
| headaches?

I'd probably burn it onto a CD myself based on the latest -STABLE I was willing
to support.

| Also, won't "make installworld" nuke some of the customization you've done to
| each machine?

I try my hardest not to customize anything in /usr/src.  If you do that, you're
on your own, bud.

| And what if you're running with SECURELEVEL=2 on your production servers?

You'll have run with a lower SECURELEVEL to install it.  But then, you'd have
to anyway.

C'mon, Brett, these last two objections are really stretching things.  Are you
looking for a solution, or are you just whinging?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message