On 13.7.2016 9:38, Steve Clement wrote:
https://vez.mrsk.me/freebsd-defaults.txt
This document is based on premise I can't agree with. I will not dispute
each argument in the document, but there are two main ideas.
Features compiled in and features turned on by default.
According features compiled in ...
I'm administrator responsible for a computer configuration.
If OpenSSH devs have publicly said threads are too risky and won't be
added, I'm hearing their opinion and taking them seriously, but final
decision shall be mine.
I wish I will be allowed to decide I wish to use threads, NONE cipher
and so on.
In short, no features should be removed/disabled at compiled time
because if "security" (assuming the "insecure" feature can be disabled
by configuration).
According features turned on by default ...
To say true, I don't care them so much. Performance, backward
compatibility and security require trade offs all the time. There are no
generic answers.
I assume the virgin installed system will be ready to be remotely
configured (e.g. sshd running, no firewall).
Particular system needs to be tuned according local environment, goal
and requirements. Thus I don't care install-time defaults so much.
Just $0.02 ...
Dan
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
