On Tue, Mar 28, 2006 at 11:18:25AM +0200, Christian Helmuth wrote:
> On Tue, Mar 28, 2006 at 10:34:54AM +0200, Marcus Brinkmann wrote:
> > > Is the bottom line of this a) you don't care about MAC or b) HURD does not
> > > care about MAC? IMO Mandatory Access Control is something somebody who
> > > operates a server really wants...
> >
> > I care about user freedom. My understanding of the term MAC does not
> > have anything to do with use of specific protocols to log on to the
> > machine remotely. Maybe if you explain how you understand the term
> > MAC here, and why you think that the suggested mechanism violates it,
> > I can respond to that.
>
> My use case was "limit SSH to protocol version 2, because I (the owner)
> consider it as safe enough for my system". An operating system for the
> future should provide me with powerful tools sufficient for my needs and
> no vague doubts should hinder this. Say: If it's crap I won't "buy" it.

It doesn't work. If you don't trust your users to do the right thing, then
don't give them access to the network. If they really want to use SSH1, they
can just run their own server on their own port. Hell, they can even run a
telnet server if they feel like it.

The only thing you can do as an administrator is set the default to allow
ssh 2 only (for example by not providing an ssh1 server at all), but there is
no guarantee that people stick to that default. Adding such options to the
configuration only gives administrators a false sense of control, which is
probably more dangerous than a sense of no control.

> > And again: That somebody wants something is not a sufficient reason
> > to do it (in fact, not even a necessary reason).

Marcus: Of course somebody must want it. Otherwise nobody will want to
implement it. ;-)

> I understand this as: You don't care about anything somebody wants or
> doesn't want including "user freedom", correct?

I don't think this is what Marcus meant. The point is that if I say "I want
to spy on my employees" (which I don't, just to be clear), then that isn't a
reason for the Hurd to support it. The Hurd as we design it now is based on
design goals. If a feature fits in with those goals (and it seems interesting
enough to support), then we do it. If it conflicts with those goals, we don't
do it. The fact that someone says "But I really want that feature" is hardly
relevant at all in the decision.

> Personally, I do not like the new course this discussion takes, because it
> becomes too political...

Design is choosing, and choosing is politics. I'm sorry to tell you, but the
only way to avoid politics is to avoid all situations where a choice must be
made. Perhaps the only way to do that is to die, which I don't recommend. ;-)

What people call "politics" in software seems to me to really be "applying
ethics". This is indeed what politics should be all about (although
unfortunately it usually isn't).

In my opinion ethics must play a role in any choice that is made. I can
understand that from a computer science perspective ethics don't usually play
a large role. But we're talking about building a system which will be used by
real people here, not just something to be studied. Ethics is therefore very
relevant, and I think such discussions very much belong on a list like this
one (although I agree that for example on the coyotos list, they would be
off-topic).

You're not actually saying it, but your statement sounds like "That's
politics, therefore we should not discuss it". I strongly disagree with that
way of treating ethics, because ethics is IMO the most important aspect of
life. That doesn't mean we must continuously talk about it, but it does mean
that when it comes up, it's probably relevant and therefore worth discussing.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
