Re: [tlug] remote

[Josh Glover <jmglov@example.com>]

Matt Doughty wrote:
> On Thu, Jun 27, 2002 at 09:04:27AM -0400, Josh Glover wrote:
> 
>>>As for that ridiculous claim about the default install. Dude they 
>>>basically turn off all services in the default install [...]
>>
>>I will not argue that Open has its shortcomings, but I *like* the way a 
>>default install is carried out. When *I* do a Redhat install, for 
>>instance, the first thing I do (before even plugging eth0 in, thank you) 
>>is hunting down and disabling or uninstalling all the crap that runs by 
>>default. I would rather, a la OpenBSD or Gentoo (there are others, these 
>>are just the two I am most familiar with), add just what I need and not 
>>have to worry that I missed something.
> 
> 
> Others like NetBSD maybe? You know where you have to turn everything on
> explicitly.  Anyone can and should do this for the default install, but
> only Open sits around and pats themselves on the back for doing what
> only amounts to good sense.  It good that they do the right thing, but
> they aren't the only ones. You have just manage to nail one of my 
> chief gripes with RedHat.

And one of my own gripes with Redhat, as well.

The attitude of the OpenBSD guys has always been a bit controversial, 
and put the teams involved with the other BSDs and some of the Linux 
distros on the defencive, feeling that OpenBSD was claiming that "we are 
the only ones who know shit about security" instead of "we follow good 
security practises, do you".

All in all, I like the presence of Open in the Unix world for the reason 
that they make security a top priority, and their stance / attitude 
makes other vendors (both commercial and Open Source) put their money 
where their mouth is.

>>>and then say "no remote exploit in blablabla".  Their record isn't
>>>any better than just about anybody elses.
>>
>>This is debatable. The OpenBSD team in general and Theo in particular 
>>*have* done a lot for the Open Source community. Their code audits have 
>>turned up quite a few things that people have been able to fix proactively.
> 
> 
> True, they also have a history of not resubmitting their patches to 
> upstream developers. I recall that Theo was of the opinion that 
> the upstream developers should have to check the OpenBSD CVS for
> fixes. Still no one will argue that the auditing is a bad thing.

That sounds like the Theo that I know and love! :)

>>Which SSH do you use? I am trying to get away from OpenSSH on my stuff. 
>>Just too scary recently!
> 
> I use the ssh from ssh.com. It works like a charm for me, and I have had
> no problems at all with it.

Thanks. I will look into it. I knew of it, and the fact that it was free 
for non-commercial use on Linux and the BSDs.

Reading the license (albeit quickly) just now, I am saddened by two things:

1) My company does not qualify for the non-com license
2) I cannot even read the source, insofar as I was able to ascertain

Again, I have a commitment to the Open Source philosophy that makes me 
want to use a commercial solution only as an absolute last resort (such 
as when I am required to by my employer or when I feel that the security 
risks are just too great not to--not the case WRT OpenSSH, IMO).


-- 
Josh Glover <jmglov@example.com>

Associate Systems Administrator
INCOGEN, Inc.