On Fri, Jul 11, 2014 at 9:10 PM, Paul Irofti <[email protected]> wrote: > On Fri, Jul 11, 2014 at 01:35:54PM -0600, Daniel Dickman wrote: >> CVSROOT: /cvs >> Module name: src >> Changes by: [email protected] 2014/07/11 13:35:54 >> >> Modified files: >> gnu/usr.bin/lynx: Makefile.bsd-wrapper >> >> Log message: >> start reducing the attack surface of lynx. >> >> leave gopher, news, and dired in place for now. but we will soon catch up >> to the security level of internet explorer 7 by removing these too. > > Can you prove your statements? Or have you already integrated into the > OpenBSD subgroup that throws poo at other open-source projects just > because it's the cool thing to do? >
Paul, I'm sorry to have been unclear but you've misunderstood my commit message. This was not directed at lynx at all. I made a change in a local OpenBSD file and not anything to do with mainline lynx (the change was to Makefile.bsd-wrapper). I'm saying that we should do what Microsoft realized early on is good security practice and turn off protocols to reduce the attack surface. I'm only talking about the local version bundled on openbsd and not directing any comments at main-line lynx; a browser I use regularly. frankly i'm surprised how much people have been complaining about this change. if you want full lynx, please submit a port. pretty much no one has even realized that i've updated lynx to 2.8.8rel2. that is surely a much bigger change than to disable a few protocols. have people noticed any changes in behaviour from that massive update? where are the complaints from the update? i guess no one is actually really testing lynx...
