Date:      Sat, 30 Sep 2000 11:56:27 -0700
From:      Kris Kennaway <kris@FreeBSD.org>
To:        Adam Laurie <adam@algroup.co.uk>
Cc:        security@FreeBSD.ORG
Subject:   Re: cvs commit: ports/mail/pine4 Makefile (fwd)
Message-ID:  <20000930115627.C39894@freefall.freebsd.org>
In-Reply-To: <39D5A13C.8AF289BE@algroup.co.uk>; from adam@algroup.co.uk on Sat, Sep 30, 2000 at 09:15:56AM +0100
References:  <200009292349.TAA07263@giganda.komkon.org> <008b01c02a71$6b8938c0$d04379a5@p4f0i0> <20000929172644.C6456@freefall.freebsd.org> <39D5A13C.8AF289BE@algroup.co.uk>

On Sat, Sep 30, 2000 at 09:15:56AM +0100, Adam Laurie wrote:
> Kris Kennaway wrote:
> > 
> > On Fri, Sep 29, 2000 at 08:00:17PM -0400, Jonathan M. Slivko wrote:
> > 
> > > If you remove a port because of its security concerns, then you're robbing
> > > the average user the choice between what mail client to use. Also, it's not
> > > the job of the FreeBSD development team/patch/security team to weed out all
> > > the insecure programs, the responsibility lies mainly on the systems
> > 
> > Yes it is. Allowing the user to install insecure software only leaves
> > them with a false sense of security and the feeling of betrayal when
> > they get exploited through it.
> 
> Surely the same applies to FreeBSD itself?

It does, and anything in the same situation will be dealt with
accordingly :-) Insecure software meaning "fundamentally insecure",
and not just "can be used dangerously if you don't read the manpage".

> I find it very odd that ports get so much positive pressure from this
> list to restrict/fix/exclude them when there is a security issue, but
> try and get something done to core FreeBSD scripts/services etc., and
> you'll get shot down in flames... Bizarre...

Well, they're different parts of the system, therefore a different set
of people claim the rights to complain when you try and change things :-)

I don't recall what the security improvements to FreeBSD scripts
you're talking about are though... can you remind me (in private)?

If you're talking about policy changes like restricting telnet etc,
then unfortunately those discussions will almost always be taken over
by the armchair generals and there's not much you can do about it
except either do it anyway and piss them off (if you have the
political weight to do so), or wait for circumstances to change.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>

