Re: avahi-daemon
Hi,
On Wed, Feb 22, 2006, aliban wrote:
> as the package maintainer seems to ignore my complaint I forward the
> discussion to debian-user mailing list.
I am the package maintainer of Rhythmbox, am I the package maintainer
you refer to? Or did you mean the avahi-daemon package manager?
> On debian testing the rhythmbox suggested to install the avahi-daemon
> that listens on all interfaces by default.
It used to Depend on it (i.e. MUST install avahi-daemon to be able to
install rhythmbox), but this has been downgraded to Recommends (i.e. in
some rare cases, it might be legitimate not to install it and face the
consequences). If you feel paranoid, you can uninstall avahi-daemon,
but don't complain that music sharing doesn't work.
> I think this kind of install behaviour is insecure even if the package
> maintainer does not agree.
Are you building a secure machine? Are you running Firefox and
browsing web pages written by strangers? Security is not only
about not listening on any port.
The default Debian distribution doesn't come with an iptables rule
denying all traffic (inbound and outbound), you're free to add it.
If you do install a GNOME desktop environment, expect to have a web
browser which might run malicious code, games which might be sgid
games, and tons of stuff which might be opening more doors than you
like.
> In short I think: even if the user "should know what he is doing" when
> he updates his system it is not a secure design for packages to start
> listening on all interfaces by default without prompting AND warning
> the user. It is not sufficient to mention this behaviour somewhere in
> the package description as many packages come as a dependency or as a
> suggested package; users won't read every package description of every
> package they install, especially if they come as a suggested package
> or dependency.
People want more features, people want a working desktop by default,
people want their USB key mounted automatically when it's connected,
even if it might trigger some malicious vfat code, they want their iPod
synced automatically with the library by default, they want to see
network shares by default, they want to be able to share their data, be
it via DAAP, SMB, or DAV...
What you want is the opposite of plug and play: closing all doors and
requiring people to open N doors to use a high-level feature such as
music browsing is *not* intuitive.
Parts of this discussion are available in #349478.
Cheers,
--
Loïc Minier <lool@dooz.org>
Current Earth status: NOT DESTROYED