On Mon, 4 Nov 1996, Greg A. Woods wrote:

> Maybe you do, but I never have beyond a well defined policy where I know
> at all levels which environment variables are innocuous, and which are
> not, and usually a simple grep of the source tree will show me where my
> policy might be violated, or possibly where I must add another variable
> to the list of dangerous data bins.

I'm glad you have full source code for all of your programs.
Unfortunately, I don't, and I don't care to modify login to screen
certain variables every time I install a new program for which I
don't have source.

This policy is also a lot of work to maintain. If you're going to keep
a local source tree and maintain this sort of policy, I can't see what
the problem would be with running a modified login. Whereas those who
don't want to do this sort of thing shouldn't be exposed to these sorts
of security risks by putting this in the standard distribution.

cjs