
Re: Packages should not Conflict on the basis of duplicate functionality

On Wed, Sep 29, 1999 at 06:38:55AM -0400, Michael Stone wrote:

> The fantasy is over--WELCOME TO REAL LIFE! It turns out that some
> people install linux without preexisting knowledge of how to securely
> administer a unix machine.

sorry, it's you who needs to wake up to the real world.

if people don't know how to administer a unix machine then they need
to learn fast. no amount of molly-coddling by the distribution authors
(i.e. us) is going to obviate that essential requirement. maintaining
security on your own systems requires personal knowledge and experience,
it can not be done by proxy.

the "we-know-better-than-you" attitude is what redhat and caldera (and
microsoft, for that matter) do. it sucks. debian has always done
better than that - our way is to encourage people to learn to do it for
themselves by not trying to hide the fact that knowledge and experience are
required (not just optional or "would be nice" but absolutely required).

> When we ship a system with a bunch of stuff enabled by default,
> we're not only putting their machine at risk but we're also creating
> problems for everyone else whose system is attacked by someone using
> the debian machine as a jump-off point. That's bad.

that's bad. it's also bullshit. enabling daemons by default is not
inherently a security problem.

see previous message. if a particular daemon is a problem then it needs
to be fixed or replaced or dropped from the distribution. changing the
default so that it is only enabled manually will NOT increase security
at all.

> It's really time to get away from the mentality that everyone needs to
> have everything turned on all of the time; if a person really *needs*
> something enabled, they can figure out how to do it. (If they can't,
> should they really be administering a network node?)

if they don't need it then they shouldn't install the package.

why run debian (with all its useful tools like update-inetd and
update-rc.d and so on) if you're going to throw away those advantages?

> This isn't a UI issue, this is a matter of security and of us taking
> responsibility for the state of quite a few systems out on the
> internet which will be configured according to *our* defaults.

it's not a matter of security, it's a matter of personal preference.
enabling daemons when they are installed is not a security problem.

it's damned annoying to see people trying to force their personal
preferences on everyone else by making loud noises about trumped up
nebulous and vague "security" issues. it would be nicer if such FUD were
left behind in the proprietary software world.


craig sanders
