From owner-cvs-all  Wed Aug 29  4:25:33 2001
Delivered-To: cvs-all@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18])
	by hub.freebsd.org (Postfix) with ESMTP
	id 43BB537B406; Wed, 29 Aug 2001 04:25:24 -0700 (PDT)
	(envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [fec0::1:12])
	by Awfulhak.org (8.11.5/8.11.5) with ESMTP id f7TBPMA53299;
	Wed, 29 Aug 2001 12:25:22 +0100 (BST)
	(envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1])
	by hak.lan.Awfulhak.org (8.11.6/8.11.6) with ESMTP id f7TBPLf74224;
	Wed, 29 Aug 2001 12:25:21 +0100 (BST)
	(envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200108291125.f7TBPLf74224@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Joshua Goodall <joshua@roughtrade.net>
Cc: Giorgos Keramidas <keramida@ceid.upatras.gr>,
	cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org,
	brian@freebsd-services.com
Subject: Re: cvs commit: src/etc/defaults rc.conf src/etc/mtree BSD.var.dist src/etc/namedb named.conf 
In-Reply-To: Message from Joshua Goodall <joshua@roughtrade.net> 
   of "Wed, 29 Aug 2001 09:51:46 BST." <Pine.LNX.4.33.0108290946460.23691-100000@elm.phenome.org> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 29 Aug 2001 12:25:21 +0100
From: Brian Somers <brian@Awfulhak.org>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

> On Thu, 23 Aug 2001, Giorgos Keramidas wrote:
> 
> > I don't agree to running named in a sandbox by default, but can we, at
> > least, have a note in UPDATING?  Please?
> 
> Breaking parts of -stable configurations is expected during upgrade.
> pam.conf/sshd springs immediately to mind. In the past I have generally
> expected mergemaster to tweak my systems, and surely that is highly
> applicable here? An MFC should (must?) be accompanied by mergemaster
> gaining the ability to fix up sandbox structures and configuration.
> 
> Personally I can only applaud further security measures, especially with
> something so widespread, and with such an insecure history, as BIND.

A not-updated configuration file should never become invalid after a 
-stable update, not unless there are exceptional circumstances and 
it's documented in UPDATING.

> Joshua

-- 
Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message