Re: Changing NGROUPS_MAX to 1024?

[Mouse <mouse%Rodents-Montreal.ORG@localhost>]

>>> As soon as you need security, the performance of v3 becomes
>>> irrelevant.
>> Unless your threat model is such that you can get that security
>> through infrastructure [...]
> OTOH NFSv3 itself and the security workarounds come with a cost (not
> least the inevitable constraints on the system's management and
> evolution/adjustment).

Yes, but...

> Relying on some mainstream OS with support for NFSv4 does not bring
> similar disadvantages.

...doesn't it?  In my experience, *every* OS, including "mainstream"
ones, comes with its own constraints on system mangement, evolution,
and adjustment.  It's a question of tradeoffs: which set of constraints
is less of a problem for the use case in question?

> As a result, without NFSv4 it is hard to expect that NetBSD would be
> considered for new NFS installations. :-(

Is it?  My feeling - deriving largely from my experience - is that NFS
is far more likely to be deployed in a private internal network than
over relatively attackable networks like the open Internet.  Do you
have reason to think that feeling is wrong in the large, that "new NFS
installations" predominantly have threat models where on-the-wire
attacks are significant enough for them to find NFSv3 unacceptable?
(Honestly, my guess would be that most of them have not even formulated
their threat model.)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B