From owner-freebsd-current@FreeBSD.ORG Mon May 5 05:10:52 2003
Date: Mon, 5 May 2003 07:10:50 -0500
From: "Jacques A. Vidrine"
To: Doug Barton
cc: current@freebsd.org
cc: Mark Murray
Subject: Re: HEADS UP! Kerberos5/Heimdal now default!
Message-ID: <20030505121050.GC21530@madman.celabo.org>
References: <200305050845.h458j38c069038@grimreaper.grondar.org> <20030505020008.V1391@znfgre.qbhto.arg>
In-Reply-To: <20030505020008.V1391@znfgre.qbhto.arg>

On Mon, May 05, 2003 at 02:02:41AM -0700, Doug Barton wrote:
> I have to object to this change of direction. Both on POLA grounds, and on
> the grounds that because most people don't use kerberos, it shouldn't be
> the default. I also think that given the historical propensity of kerberos
> to be vulnerable to attack, it definitely shouldn't be included by
> default.

Actually, I think we've now fixed POLA issues ... previously we
installed the Kerberos bits by default, but did not rebuild them when
the rest of the system was updated. Other OSes that supply Kerberos
directly come with those bits by default.

I do not think that whether or not `most people' use a part of the
system is the only (or most important) criteria in determining whether
or not to build or not build that part of the system by default.

To what `historical propensity' are you referring? I intend this as
an honest question. We include software in the base system that most
definitely has a poor security track record, but I don't think that
Kerberos 5 gets any distinction in this regard.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se