Date: Thu, 9 Nov 2017 21:19:09 +0000
From: co...@sdf.org
Message-ID: <20171109211908.ga8...@sdf.org>
| The way virecover currently works is problematic for security (see the
| recent nvi commits).
Aside from a few (potential mostly) bug fixes, the one issue that Christos
fixed recently was one where it was possible to make it hang (effectively,
disabling it). Your solution to that is to disable it ????
All the thing does is send mail - about the worst security issue it poses
is that it might allow some "spam" mail to be generated (mail at boot to
the wrong user.) The one thing that might be useful would be to run it
in background, rather that having rc wait for it to finish.
If you don't trust it, and/or don't have users who use vi, then disable it
on your system. It is as simple as "virecover=NO" in your rc.conf.
Aside from that, fix any bugs you find, but otherwise leave it alone.
kre
