Date: Wed, 24 Apr 2002 07:27:55 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: "Greg 'groggy' Lehey" <grog@FreeBSD.org>
Cc: Robert Watson <rwatson@FreeBSD.org>, Jordan Hubbard <jkh@winston.freebsd.org>, Oscar Bonilla <obonilla@galileo.edu>, Anthony Schneider <aschneid@mail.slc.edu>, Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>, hackers@FreeBSD.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Message-ID: <20020424122754.GC42969@madman.nectar.cc>
In-Reply-To: <20020424090655.O6425@wantadilla.lemis.com>
References: <20020423131646.I6425@wantadilla.lemis.com> <Pine.NEB.3.96L.1020423110123.64976j-100000@fledge.watson.org> <20020424090655.O6425@wantadilla.lemis.com>
On Wed, Apr 24, 2002 at 09:06:55AM +0930, Greg 'groggy' Lehey wrote:
> I think the issue here is that individuals make this kind of decision.
> We need a broader consensus for this kind of change. As Jochem points
> out, only 3 people were involved in the decision, all of them people
> with security profiles which weren't affected by this change.
What, he should have gotten 30 reviewers? I think what is happening
here is exactly what should happen: it seems like a good idea to one
guy; he implements it. He shows it to a few more folks; they think it
is a good idea, too. It gets committed, and the majority of people
either don't notice it or believe it is a good feature.
But the majority doesn't rule.
The feature sits in the tree and maybe people run into problems with
it. If so, it gets fine tuned or backed out. I think this is what is
supposed to happen.
For my part, I would like to see the change backed out and rethought.
I like having the X server not doing TCP by default, but this change
loses because:
= It breaks existing configurations with no warning.
= The option is in the wrong place (startx) and there is apparently
no way to override the default.
I think it would be better to just put `-nolisten tcp' in
/usr/X11R6/lib/X11/xinit/xserverrc for new installations only. Then
the system administrator could easily override it for all users; and
at least a user can override it for herself.
Disclosure: I'm unhappy that after upgrading my laptop yesterday, I
found I couldn't run `x2x', and had to restart my X session to remedy
the problem. All my X traffic uses IPsec --- there's no need to bring
up SSH.
Cheers,
--
Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
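The mail argues about where `-nolisten tcp` belongs; either way an administrator wants to know which X displays on a host are actually still reachable over TCP. The script below is an added example (not part of the thread or of FreeBSD) that parses `sockstat -4l`-style output for listeners on the X11 port range (display N is TCP port 6000+N); the sample output is constructed, and the column layout assumed is FreeBSD's `USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS`.

```shell
#!/bin/sh
# Added example: report X11 display ports bound on TCP, from sockstat output.
# A server started with -nolisten tcp only shows its /tmp/.X11-unix socket.

# Reads sockstat-style lines on stdin; prints one "display=N pid=P cmd=C"
# line per TCP listener on ports 6000-6063 (the X11 display range).
x_tcp_listeners() {
    awk '
        $5 == "tcp4" || $5 == "tcp6" {
            n = split($6, addr, ":")      # local address is host:port
            port = addr[n] + 0
            if (port >= 6000 && port <= 6063)
                printf "display=%d pid=%s cmd=%s\n", port - 6000, $3, $2
        }'
}

# Prints the findings and returns 1 if any X11 display port is bound on
# TCP, 0 otherwise. Real use: sockstat -4l | check_x_tcp
check_x_tcp() {
    found=$(x_tcp_listeners)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    echo "no X11 display port bound on TCP"
}

# Constructed sample: display :0 still listens on TCP, display :1 was
# started with -nolisten tcp (Unix socket only), plus unrelated daemons.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    412    1 tcp4   *:6000                *:*
root     XFree86    412    3 stream /tmp/.X11-unix/X0
nectar   XFree86    913    3 stream /tmp/.X11-unix/X1
root     sshd       301    4 tcp4   *:22                  *:*
root     sendmail   355    4 tcp4   127.0.0.1:25          *:*'

printf '%s\n' "$SAMPLE" | check_x_tcp || echo "=> display(s) above are reachable over TCP"
```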