> be able to use it too. I'd suggest that we do the following: > > 1. Give the user the choice of these additional features at > installation time. Recommend the procedures, but explain that you > need to understand the differences. > > 2. Document these things very well. Both this ssh change and the X > without TCP change are confusing. If three core team members were > surprised, it's going to surprise the end user a whole lot more. > We should at least have had a HEADS UP, and we probably need a > security policy document with the distributions. >
I disagree somewhat with #1. A "secure by default" policy is by far more
favorable than a "not so secure by default, but we'll try to let you know
how to make it more secure easily" policy. Consider a move to make telnetd
commented out in inetd.conf a default. Many newcomers will of course be
baffled, but it is in the long run a better policy, and people will get
used to it.
This example is somewhat of an *extremely* simplified analogy to adding
s/key authentication as a default before password authentication, but it
still holds in that a default installation had better be more secure than
not. If FreeBSD were to have installation dialogues with the user
suggesting that the user install certain components for security purposes,
the user will likely opt for the default "button," which I assume in this
case would default to have the less secure, more conventional option.
I think that #2 alone is the way to go. Make it "clear" (not that that
is necessarily an easy task) that the default install of a certain
software package no longer follows what has historically been the default,
or at least do so in the case where the software will become unusable to
the unknowing user.
Perhaps a "SEVERE DIFFERENCES" section of www.freebsd.org is in order? 8D
-Anthony.
> Greg
> --
> See complete headers for address and phone numbers
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-hackers" in the body of the message
-----------------------------------------------
PGP key at:
http://www.keyserver.net/
http://www.anthonydotcom.com/gpgkey/key.txt
Home:
http://www.anthonydotcom.com
-----------------------------------------------
msg33750/pgp00000.pgp
Description: PGP signature
