> On Thu, Oct 18, 2012, at 12:17 PM, Theo de Raadt wrote:
> > As you note, this has come up before, and the same reasons exist then
> > as now.
> > 
> > The security model makes no sense: firewall, but allow NFS.
> 
> It may make no sense to you, but that doesn't mean it makes no sense to
> everyone, especially those with setups where this is the only way to
> accomplish the desired goal.

Right.... and we should bring telnetd back, since it makes sense in
some setups to accomplish the desired goal.

As developers we make decisions which we believe serve our users the
best.  In this project that often includes blocking our users from
building foolish and insecure configurations too easily.  Or at all,
if the configuration is particularly ridiculous.

This is a policy decision that is different between OpenBSD and other
operating systems.

In OpenBSD, IP port randomization is a mandatory part of the system.
We do not provide workarounds -- especially deep inside the RPC layer
of libc.  Every time those kinds of things are used by people, they
are creating deep security problems way outside their scope to assess
the impact.

This one specific case is no different from other cases where we have
made similar decisions.  These decisions we make come as a package of
decisions.  If you don't like them, there are other operating systems
to run.  They come with different decisions, once again, as a
package of decisions.

That's the way it is.  Sorry.
