From: Kris Kennaway
To: Adam Laurie
Cc: security@FreeBSD.ORG
Date: Sat, 30 Sep 2000 11:56:27 -0700
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)

On Sat, Sep 30, 2000 at 09:15:56AM +0100, Adam Laurie wrote:
> Kris Kennaway wrote:
> >
> > On Fri, Sep 29, 2000 at 08:00:17PM -0400, Jonathan M. Slivko wrote:
> >
> > > If you remove a port because of its security concerns, then you're robbing
> > > the average user of the choice between what mail client to use. Also, it's not
> > > the job of the FreeBSD development team/patch/security team to weed out all
> > > the insecure programs, the responsibility lies mainly on the systems
> >
> > Yes it is. Allowing the user to install insecure software only leaves
> > them with a false sense of security and the feeling of betrayal when
> > they get exploited through it.
>
> Surely the same applies to FreeBSD itself?

It does, and anything in the same situation will be dealt with
accordingly :-) Insecure software meaning "fundamentally insecure",
and not just "can be used dangerously if you don't read the manpage".

> I find it very odd that ports get so much positive pressure from this
> list to restrict/fix/exclude them when there is a security issue, but
> try and get something done to core FreeBSD scripts/services etc., and
> you'll get shot down in flames... Bizarre...

Well, they're different parts of the system, therefore a different set
of people claim the rights to complain when you try and change things
:-) I don't recall what the security improvements to freebsd scripts
you're talking about are though... can you remind me (in private)?

If you're talking about policy changes like restricting telnet etc.,
then unfortunately those discussions will almost always be taken over
by the armchair generals and there's not much you can do about it
except either do it anyway and piss them off (if you have the
political weight to do so), or wait for circumstances to change.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe