From owner-freebsd-security@FreeBSD.ORG Thu Apr 10 15:29:44 2014
Date: Thu, 10 Apr 2014 15:20:39 +0000
From: Jeff Aitken
To: freebsd-security@freebsd.org
Subject: Re: Proposal
Message-ID: <20140410152039.GA18467@hermes.aitken.com>
In-Reply-To: <86y4zd4ejb.fsf@nine.des.no>
References: <86y4zd4ejb.fsf@nine.des.no>
List-Id: "Security issues [members-only posting]"

On Thu, Apr 10, 2014 at 01:20:08PM +0200, Dag-Erling Smørgrav wrote:
> Throwing more manpower at the job won't make a difference; in fact, it
> might slow things down due to the need to communicate and coordinate.

You mean 9 women can't make a baby in 1 month?!!
On Wed, Apr 09, 2014 at 03:44:53PM -0400, Nathan Dorfman wrote:
> While I'm out here drawing fire, I might as well also ask if I'm crazy
> to think that it might be a good idea for the base system OpenSSL (and
> other third party imports) to just disable any and all non-essential
> functionality that can be disabled at compile time? Non-essential
> meaning everything not required for the base system to function --
> there's always the ports version if anyone needs more.

I see the potential benefit but I think I'm opposed to this idea in general. I don't like having partially-crippled software packages in the base system because it ends up being a lot of work to deal with them. Whether you choose to install the port/package over top of the base system version or put it in /usr/local, you end up with a number of potential issues. I base this on negative experiences that I've had with sendmail, DNS, and kerberos in the past, to name a few.

Just my opinion, YMMV obviously.

--Jeff