
Re: Security through paranoia 2, with proposal...



* Jan Niehusmann 

(please don't Cc me on replies.)

| On Sun, Apr 01, 2001 at 02:17:47AM +0200, Tollef Fog Heen wrote:
| > * Ola Lundqvist
| 
| > | Depends: apache-ssl | apache_mod-ssl (if apache), uw-imap-ssl (if uw-imap) ...
| > | Conflicts: telnetd
| > | Recommends: ! talkd
| > | Suggests: kernel-image-2.4.2-harden
| 
| > IMHO it should only conflict, it shouldn't depend on apache-ssl, for
| > instance.  If this is a mail or DNS server, I might want to install
| > task-harden without installing a web server.
| 
| This is exactly what the depends-if clause is meant for: You can install
| hardened without apache, but if you install apache, you must install
| apache-ssl too. 

Look at how it's listed up there - apache-ssl is required.  I was
commenting on the concrete proposition up there.

| But I think this case can still be solved without depends-if. Instead, we
| would need another virtual package, apache-non-ssl. Then we could do:
| 
| Package: apache
| Depends: apache-non-ssl | apache-ssl
| 
| Package: task-hardened
| Conflicts: apache-non-ssl

Which I believe is wrong, as most of the web traffic isn't sensitive
at all; if somebody listens in on me downloading the newspaper, so be
it.  So, imho, it shouldn't conflict with normal apache.  It might
suggest or recommend, though.

-- 

Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
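
The Depends/Conflicts arrangement quoted in the message above can be checked against a few installed sets. This is an added example, not part of the original message or of dpkg: the checker is a simplified model (no versions, no Provides), apache-non-ssl is treated as an ordinary installable name because the thread names no provider, and exim is only a stand-in for "a mail server".

```python
# Constructed package metadata following the stanzas quoted in the thread.
# "depends" is a list of OR-groups: each group needs one installed member.
PACKAGES = {
    "apache": {"depends": [["apache-non-ssl", "apache-ssl"]], "conflicts": []},
    "apache-ssl": {"depends": [], "conflicts": []},
    "apache-non-ssl": {"depends": [], "conflicts": []},  # assumed installable
    "task-hardened": {"depends": [], "conflicts": ["apache-non-ssl"]},
    "exim": {"depends": [], "conflicts": []},  # stand-in mail server
}


def check(installed):
    """Return the list of Depends/Conflicts problems for an installed set."""
    installed = set(installed)
    problems = []
    for name in sorted(installed):
        meta = PACKAGES[name]
        for group in meta["depends"]:
            if not installed & set(group):
                problems.append(f"{name}: unmet Depends: {' | '.join(group)}")
        for other in meta["conflicts"]:
            if other in installed:
                problems.append(f"{name}: Conflicts: {other}")
    return problems


# Constructed scenarios covering the cases argued about in the thread.
SCENARIOS = {
    "mail server only": ["task-hardened", "exim"],
    "hardened + apache via ssl": ["task-hardened", "apache", "apache-ssl"],
    "hardened + plain apache": ["task-hardened", "apache", "apache-non-ssl"],
    "plain apache, no task": ["apache", "apache-non-ssl"],
}

if __name__ == "__main__":
    for label, pkgs in SCENARIOS.items():
        print(f"{label}: {check(pkgs) or 'ok'}")
```

In this model the task package installs cleanly on a host with no web server, and the only rejected combination is the one that includes apache-non-ssl, which is the behaviour the reply objects to.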


