Date: Tue, 23 Apr 2002 08:23:26 -0700 (PDT)
From: Frank Mayhar <frank@exit.com>
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: "Greg 'groggy' Lehey" <grog@FreeBSD.ORG>, Jordan Hubbard <jkh@winston.freebsd.org>, Oscar Bonilla <obonilla@galileo.edu>, Anthony Schneider <aschneid@mail.slc.edu>, Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>, hackers@FreeBSD.ORG
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Message-ID: <200204231523.g3NFNQnq029649@realtime.exit.com>
In-Reply-To: <Pine.NEB.3.96L.1020423110123.64976j-100000@fledge.watson.org>

Robert, it's really, really simple. For new installs, install the new, more secure behavior. Be sure to loudly document this behavior so that those of us who expect the _old_ behavior don't get bitten by the change. And don't change the old behavior in upgrades of existing systems.

As I said in my other email, if you _must_ change the defaults, add overrides so the behavior doesn't change. And by "add overrides" I mean something like an /etc/rc.conf.override file that gets pulled in after /etc/defaults/rc.conf but before /etc/rc.conf.

(This says nothing about the necessity or desirability of the change itself, by the way. That's an entirely _different_ argument.)

When you change defaults on a running system, you piss off a lot of users. Including me. :-)

--
Frank Mayhar frank@exit.com http://www.exit.com/
Exit Consulting http://www.gpsclock.com/