On Jan 6, 2008, at 1:28 AM, Karthik Kumar wrote:
Deliberately ignoring the point doesn't make it any less relevant.
I am saying that the secure by default doesn't hold because lots of
people use ports.
Most people do. Extending your UNIX system to make it work as you want
is a basic, and natural, extension of using it.
I use ports for mplayer, xmms, xfce, fluxbox, firefox, evince,
openvpn, dante, flex, bison, gmake, squid, thttpd and php.
The issue here is flashplayer is in the ports; people are told how to
use it and install it on their OpenBSD system. So people do turn an
otherwise secure OpenBSD system into one that is not: It doesn't make
it "secure by use". I was not ignoring your point;
No, the issue was "non-free software is installed by default." You're
now trying to backtrack on the point I was making: default install, by
turning off most services, has had fewer remote exploits than any
other OS out there. I run OpenVPN. Outside of it, LZO, and pftop,
there is nothing else that's not "default" on the system. PF is
installed by default, but not turned on. Big deal on it not being
turned on, it's THERE. If you don't do some level of post install
configuration, you have a useless hunk of hardware.
Adding in a layer of complexity by installing any "non-default
software" is an admittedly hazardous choice. But, risk mitigation (via
randomizing mmap, pro-police being standard, keeping sockets turned
off, privsep daemons, etc), is a very valuable system, and not one
used often in other BSDs, let alone other UNIXen. It's hard to do
right, hard to implement, and costly to maintain.