Subject: Re: Weekly BSD Security Digest 2000/07/10 to 2000/07/16
To: RJ Atkinson <>
From: Perry E. Metzger <>
List: tech-security
Date: 07/24/2000 13:07:21
References: <Hubert Feyrer's message of "Fri, 21 Jul 2000 03:16:47 +0200 (MET DST)"> <> <>
Date: 24 Jul 2000 13:07:21 -0400
In-Reply-To: RJ Atkinson's message of "Mon, 24 Jul 2000 10:59:00 -0400"

RJ Atkinson <> writes:
>          None the less, I think it would make a quite reasonable 
> default for all *BSDs, perhaps even for XFree86 in general.
> The number of folks who want remote access is smaller than those
> who don't need it, I'd guess.  In any event, I believe in systems
> that ship secure by default.
>          If undertaken, it is important that this choice/change
> is clearly documented and that any clues needed to run an 
> X server without that option were also well documented.

It would be pretty easy for a user to undo. All we'd really need to do
is ship a startx that included -nolisten tcp.

The question is how to document it in such a way that users would
actually get the documentation. I'm not really sure on that
part. Documentation of such things has traditionally been our weakest

Perry E. Metzger
Quality NetBSD Sales, Support & Service.
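
An added example, not part of the original message: a shell check for the `-nolisten tcp` option discussed above, run over X server command lines such as those reported by `ps`. The function names and sample lines are constructed for illustration, and the check assumes a server started without the option accepts TCP connections on port 6000 plus the display number.

```shell
#!/bin/sh
# Added example: audit X server command lines for "-nolisten tcp".
# Assumption: without the option the server listens on TCP 6000 + display.

# Reads one command line per input line; prints ":display port status".
audit_x_cmdlines() {
    while IFS= read -r line; do
        set -f; set -- $line; set +f      # split into words, no globbing
        cmd=${1:-}
        case "${cmd##*/}" in
            X|Xorg|XFree86) ;;            # only X server binaries
            *) continue ;;
        esac
        shift
        display=0
        status=LISTENING
        while [ $# -gt 0 ]; do
            case "$1" in
                :[0-9]*)                  # display argument such as :1 or :1.0
                    display=${1#:}
                    display=${display%%.*} ;;
                -nolisten)
                    if [ "${2:-}" = tcp ]; then status=closed; fi ;;
            esac
            shift
        done
        echo ":$display $((6000 + display)) $status"
    done
}

# Constructed sample input (not taken from the thread).
sample_cmdlines() {
    cat <<'EOF'
/usr/X11R6/bin/X :0 -auth /home/alice/.Xauthority
/usr/X11R6/bin/X :1 -nolisten tcp -auth /home/bob/.Xauthority
/usr/sbin/sshd -D
/usr/X11R6/bin/XFree86 -nolisten tcp
EOF
}

sample_cmdlines | audit_x_cmdlines
```

On a live system the input would come from the process list instead of `sample_cmdlines`; a `LISTENING` line is a server whose startup script did not pass the option.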