From owner-freebsd-security Fri Jul 14 10:21:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2])
    by hub.freebsd.org (Postfix) with ESMTP id 5E28437C7B7
    for ; Fri, 14 Jul 2000 10:21:39 -0700 (PDT)
    (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost)
    by peak.mountin.net (8.9.1/8.9.1) id MAA01507;
    Fri, 14 Jul 2000 12:21:23 -0500 (CDT)
    (envelope-from jeff-ml@mountin.net)
Received: from dial-73.max1.wa.cyberlynk.net(207.227.118.73)
    by peak.mountin.net via smap (V1.3) id sma001505;
    Fri Jul 14 12:21:17 2000
Message-Id: <4.3.2.20000714120547.00b2f730@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Version 4.3
Date: Fri, 14 Jul 2000 12:20:29 -0500
To: Marc Rassbach , Paul Robinson
From: "Jeffrey J. Mountin"
Subject: Re: Displacement of Blame[tm]
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <00071411574600.46406@foo.akitanet.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:53 AM 7/14/00 -0500, Marc Rassbach wrote:
>On Fri, 14 Jul 2000, Paul Robinson wrote:
>
> >
> > Anybody who just does cd /usr/ports// and then types 'make;
> > make install' deserves to be r00ted in 5 minutes anyway.
>
>This is a rather poor attitude. The less sites the script kiddies have
>to launch their attacks from, the harder it will be for the kids to
>hide. It is in ALL of our interests to have hosts secure.

And networks as part of a "good neighbor" policy.

>And doesn't
>comment well on how you think
>the ports of FreeBSD is done. Ports and the job done there is part of
>what makes FreeBSD as nice as it is.

Convenient they are. On the negative side, they tend to make one a bit lazy.

>ANY system 'set up and forgotten' is subject to attack and eventually will
>fail. The white hats only have to screw up once. The black hats get to
>try over and over again.
>
>But to blame ports for making FreeBSD 'less secure', it sounds like you
>should then be looking at OpenBSD. A nice minimalist system, lacking the
>richness of FreeBSD.

The ultimate security is a good memory. Rather than blame ports one should evaluate the risks.

> > What I would propose is this - why don't we have 2 lists - one for
> > freebsd-security where genuine issues with security in the core FreeBSD
> > distro are discussed, and another (freebsd-ports-security for example) where
> > announcements on ports shipped with FreeBSD are announced.
>
>Nothing stopping you, Brett or someone else making a second list.
>
>This whole idea came up a few months ago, and the same suggestion
>was made for a different list to serve this need.

And it came up on -stable a few days back. Again because of too many messages that didn't seem to suit the person's needs and/or perception of the list.

>If you feel the present list doesn't do the job, start your own version
>that you feel *DOES* do the job. And, if it *IS* a better list
>(better==more popular) one of two things will happen:
>1) you will get the job of managing the security list.
>2) your ideas will be taken, and used to manage the security list.
>
>Taking the action of creating a new list controlled by the people who want
>change, done on their servers, done their way, would address the
>concerns the people who want change have.
>And, like the history of UNIX itself, if the new list has the better idea,
>it will float to the top.

Out of the lists I read regularly and infrequently -security is low traffic, high content, and low noise. Generally.

Starting a new list due to a surge of OT postings could result in a proliferation of lists and those wishing to catch messages of value would need to track even more lists. No thanks.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message