Re: avahi-daemon
On Wed, Feb 22, 2006, Michael Stone wrote:
> From a pragmatic standpoint, pulling in nss-mdns is a PITA because it
> makes certain name queries take forever--so there are reasons aside from
> security to think this is annoying.
(nss-mdns does mdns too, but it's not related to avahi)
> Securitywise, there is no doubt in my mind that this mdns stuff will
> open a lot of new vulnerabilities in the future--the history of this
> sort of service suggests that it is inevitable. Making it easy to pull
> in and activate as a side effect of apparently-unrelated packages is,
> IMO, a mistake.
From a security point of view, every feature introduces risk. If
you base all your reasoning on security, that is if you make security
rule number 1, you get zero features.
I do agree that it is slightly different in that it adds a passive hole
as soon as the package is installed in contrast with packages being
dangerous when used by end-users.
> The real question is whether installing gnome should mean that you get
> multicast dns. I'll bet that the number of people who want the former is
> significantly larger than the number who want (or know they're getting,
> or even care about) music browsing.
You can't take the decision to remove a feature because most people
install GNOME for other reasons than that feature. Otherwise one would
use the same reasoning for all features in GNOME and remove them all.
But I agree with the former part: the question is do we support
multicast DNS or not? When I look at the results of my mdns queries
here, I have no doubt it will soon be a requirement since I see:
- computers
- a music remote control interface
- music shares
- HTTP and SSH servers (that's less common)
- administrative interface for wifi APs
Cheers,
--
Loïc Minier <lool@dooz.org>
Current Earth status: NOT DESTROYED