[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: woody release task needs help: package priorities

On 05/15/2001 08:00:09 AM exa wrote:

>> What about closing all the ports by default? The user can open them by
>> himself if he wants to anyway. Security fans would really be happy then.

Still have the vulnerable, exploitable binaries.  All you have to do it get
root and open the "talkd" ports once, or buffer overflow "talk".  Make
criminals really work for it, don't make anything easier for them.

>> I sometimes have the feeling that too much security is breaking many
>> convenient features. It would be wrong to put in a program with known
>> vulnerabilities, but except that I don't see why you would want to
>> remove useful small programs.

The problem is that all programs more complicated than "hello world" have
vulnerabilities that will eventually be found.  Consider the recent man-db

On my deployed end user systems, although man would be "nice", it's just
not needed to do the job.  Most end users would never RTFM anyway, and I
never have to RTFM on the production boxes (that's what development boxes
are for), therefore man-db would never be run on my production boxes.  So I
get rid of it.  Therefore I don't care about the recent man-db security
problems on my deployed systems, because none of them have man-db

Never install something unless you are willing to take the time to support
and debug it, AND then justify the time to your boss.  Just because it's
very easy to install MTAs and webservers and compilers doesn't mean it's a
good idea to do so on every box, just because you can.

If you have no use for talk or talkd, you should not install them.  Most
people have no use for them, therefore most people should not install them.
Therefore talk and talkd should be removed from standard.  The few people
that do have a use, also have the skill to type "apt-get install talk

Reply to: