From owner-freebsd-stable Sat Aug 21 9: 4:49 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from misha.cisco.com (misha.cisco.com [171.69.206.50])
	by hub.freebsd.org (Postfix) with ESMTP id 7BC3114F10;
	Sat, 21 Aug 1999 09:04:47 -0700 (PDT)
	(envelope-from mi@misha.cisco.com)
Received: (from mi@localhost)
	by misha.cisco.com (8.9.3/8.9.1) id MAA06275;
	Sat, 21 Aug 1999 12:02:07 -0400 (EDT)
	(envelope-from mi)
Message-Id: <199908211602.MAA06275@misha.cisco.com>
Subject: Re: setting up -STABLE for hack contest
In-Reply-To: <6C37EE640B78D2118D2F00A0C90FCB4401105BBB@site2s1> from Christopher Michaels at "Aug 21, 1999 10:47:59 am"
To: stable@freebsd.org
Date: Sat, 21 Aug 1999 12:02:07 -0400 (EDT)
Cc: jkb@freebsd.org
Reply-To: mi@aldan.algebra.com
From: Mikhail Teterin
X-Mailer: ELM [version 2.4ME+ PL60 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Christopher Michaels once wrote:

> Take a look here.
> http://www.freebsd.org/~jkb/howto.html

Is the "http://www.freebsd.org/~jkb/howto.html#pp" an official point of
view?

	Ports and Packages

	It is best not to use ports or packages when building a secure
	system. You don't really know which ports or packages will
	install suid-root binaries on your system - and you don't want
	more than what you have already, trust me. Even though you can
	give different switches to the pkg_add command (such as "-v" or
	"-n"), it is best to download the software in source code form
	and compile it yourself.

I do not see how building the software manually is "more secure" --
unless you study the Makefiles and INSTALL/README files. This is
something you can do with ports prior to doing `make install' anyway.
Perhaps, that's what the web-page should encourage, rather than
dismissing the whole ports system as "insecure".

The web-page also has no mention of xinetd -- a pretty good, IMHO,
replacement for inetd.

	-mi