Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Thu, Apr 19, 2001 at 08:52:55AM -0700, Adam McKenna wrote:
> On Thu, Apr 19, 2001 at 10:07:48PM +1000, Craig Sanders wrote:
> > > I.E., nothing.  Give me an example of one situation where this would
> > > accomplish more than stalling an attacker for a few seconds.
> > 
> > i have no wish to waste my time. figure it out for yourself - it won't
> > make any difference anyway, because you're determined not to see any POV
> > other than your own.
> 
> So far the only POV you've expressed is that it's OK for Debian to be
> pedantic just for the sake of being pedantic, without adding any value to our
> users.
> 
> > > After hearing things like this it's not hard for me to understand why
> > > a lot of people hate Debian Developers and think they're all assholes.
> > 
> > that would be right.  mediocre people tend to think that only arseholes
> > bother to get things right.
> 
> It's not right though.  It's wrong.  And it needs to be fixed.
> 
> > there's enough distributions out there where mediocrity is good enough.
> > feel free to use one of them if debian's pursuit of excellence disturbs
> > you.
> 
> In case you missed it, here is what I am advocating --
> 
> a) removal of PARANOID and all dependence on hostname-based access control
> b) installation time configuration of allowed subnets
> c) encouragement of IP-based access rules

Adam, you are getting really close to something I can agree with you on.

on a) - ok, providing it's replaced with something better

on b) & c) - ONLY on the custom or expert installs.  There needs to be a 
"secure by default" option that users who don't know crap about IP addresses
can use.  IP addressing knowledge CANNOT be a requirement for a user to 
be comfortable with Debian.

> 
> Please tell me how these qualify as "mediocre" and how they are worse than
> the status quo (which provides NO access control).

They are close, but they can only apply to the expert installs.

> This isn't rocket science.  Hostname-based security rules are less secure
> than IP-based security rules.  Why does Debian continue to encourage their 
> use, to the detriment of our users?

Because Debian doesn't have a good install allowing for a range of user 
experience levels.  This is an install-time simple vs. expert issue, not
a mandatory system default issue.

-Nathan
