> be able to use it too. I'd suggest that we do the following:
>
> 1. Give the user the choice of these additional features at
> installation time. Recommend the procedures, but explain that you
> need to understand the differences.
>
> 2. Document these things very well. Both this ssh change and the X
> without TCP change are confusing. If three core team members were
> surprised, it's going to surprise the end user a whole lot more.
> We should at least have had a HEADS UP, and we probably need a
> security policy document with the distributions.
>
I disagree somewhat with #1. A "secure by default" policy is by far more favorable than a "not so secure by default, but we'll try to let you know how to make it more secure easily" policy. Consider a move to make telnetd commented out in inetd.conf a default. Many newcomers will of course be baffled, but it is in the long run a better policy, and people will get used to it. This example is somewhat of an *extremely* simplified analogy to adding s/key authentication as a default before password authentication, but it still holds in that a default installation had better be more secure than not.

If FreeBSD were to have installation dialogues with the user suggesting that the user install certain components for security purposes, the user will likely opt for the default "button," which I assume in this case would default to the less secure, more conventional option.

I think that #2 alone is the way to go. Make it "clear" (not that that is necessarily an easy task) that the default install of a certain software package no longer follows what has historically been the default, or at least do so in the case where the software will become unusable to the unknowing user. Perhaps a "SEVERE DIFFERENCES" section of www.freebsd.org is in order? 8D

-Anthony.

> Greg
> --
> See complete headers for address and phone numbers
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-hackers" in the body of the message

-----------------------------------------------
PGP key at: http://www.keyserver.net/
http://www.anthonydotcom.com/gpgkey/key.txt
Home: http://www.anthonydotcom.com
-----------------------------------------------
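Anthony's telnetd analogy turns on a simple question: which inetd.conf entries are actually live in the shipped default? The script below is an added example, not code from the thread or from FreeBSD; it audits an inetd.conf for enabled services so that the "secure by default" claim can be checked after installation rather than assumed. The sample inetd.conf it writes is constructed for the example (telnet and rsh commented out, ftp left on), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD): check which
# inetd.conf services are still enabled, i.e. entries that are neither blank
# nor commented out with '#'. The config below is constructed for this example.
set -eu

SAMPLE_INETD_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_INETD_CONF"' EXIT

# Constructed sample: telnet and shell (rsh) are commented out, as a
# secure-by-default install would ship them; ftp is still enabled.
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# constructed sample inetd.conf for this example
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
EOF

# Print the service-name field (first column) of every active entry.
# Anything after '#' is a comment and is dropped before the field split.
enabled_inetd_services() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# Succeed (exit 0) only if the named service is enabled in the given file;
# usable as a post-install check, e.g. to refuse a default with telnet on.
inetd_service_enabled() {
    enabled_inetd_services "$1" | grep -qx "$2"
}

printf 'enabled services: %s\n' \
    "$(enabled_inetd_services "$SAMPLE_INETD_CONF" | tr '\n' ' ')"
if inetd_service_enabled "$SAMPLE_INETD_CONF" telnet; then
    echo "telnet is enabled: not a secure default"
else
    echo "telnet is disabled by default"
fi
```

Run it against a real /etc/inetd.conf by passing that path to enabled_inetd_services instead of the constructed sample; every service it prints is one the default install is offering to the network.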