Date: Mon, 18 Feb 2002 11:19:50 -0800 (PST)
From: Brian Behlendorf
To: Miguel Mendez
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: as they advise the Sponsor.
In-Reply-To: <20020218155334.A29845@energyhq.homeip.net>
Message-ID: <20020218111251.C2156-100000@localhost>

On Mon, 18 Feb 2002, Miguel Mendez wrote:
> FreeBSD is *not* by any means a mainstream OS. And that means that the
> people who use it usually know what they're doing, at least to the point
> of not executing a file they got from a stranger.

I dunno, I end up doing "make install" in my ports tree or "pkg_add" of a
package as root all the time, in both cases executing code written by
people I've never met and usually don't even know the names of. I trust
that those who've been given access to the FreeBSD ports tree and package
collections are trusted by the community, FSV of "trusted" and
"community". I don't have the time to audit all of the code myself - I'm
putting faith in the inherent security of an open process, which has no
guarantees of reliability. Though this is leagues away from, say, running
a random executable I got via email, I still fear that the biggest threat
to the security of my FreeBSD laptop would be a rogue actor within a
trusted circle.

Of course this is much much better than having to trust one company whose
business interests are to always cover up or minimize the amount of
knowledge about security holes.

This is probably going way off topic.

	Brian