
Re: Task-harden

On Tue, Apr 10, 2001 at 02:24:56PM +0200, Robert van der Meulen wrote:
> Quoting Michael Stone (mstone@debian.org):
> > That's their own problem, and a local security policy. This task-harden
> > package is degenerating farther and farther from any sensible, useful
> > tool and rapidly becoming a marginal utility that will never get much
> > exposure. I suggest starting from the beginning, drafting some formal
> > *goals* for the project, and approaching this with a bit more
> > flexibility so that it's actually useful.
> Hear, hear! :)
> Would a package that installs packages (or sets packages to 'install') be
> evil ?

That's what dselect does. And if you think dselect's evil, well, apt does
it too. If you think apt's evil, you're probably not interested in Debian
anyway. None of them try to do it during the package install stage though.

tasksel's another example. You'll note it's not actually run during
the post install of the package, but rather during the initial
dpkg-reconfigure during the first reboot of a newly installed system.

A package that tries to do it automatically as soon as it's installed via
maintainer scripts wouldn't work; and doing it with Depends: and Conflicts:
is pretty limited.

Another approach to consider is one like vrms: allow the user to investigate
what you think is wrong with their system and act on it as they choose;
rather than the all or nothing thing Conflicts: offers.

Also, task- packages really shouldn't Conflict: with other packages. It's
not really how the infrastructure for them works. There's no documented
policy for task- packages yet, and, IMAO, it's really starting to show. :(

> I was thinking that it would be cool to have a (debconf?) frontend that
> asks questions about _what_ you want to secure, and installs the packages
> you need. 

Personally, I wouldn't really recommend using debconf, at least initially.
It's pretty limiting in many ways, and the specific purposes it's been
designed for mightn't match what you're trying to do.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you
  do not understand, cannot perceive, or don't care about, is too much.''
                      -- John S. Novak, III (The Humblest Man on the Net)
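
A sketch of the vrms-style approach suggested in the message above: an auditor that reads the dpkg status database and only reports, leaving every decision to the administrator. This is an added example, not code from the original post or from any Debian package; the advisory list, the sample status text and the function names are constructed for illustration.

```python
"""vrms-style advisory audit: report flagged packages, never change state."""
import re

# Hypothetical local policy (an assumption): package name -> reason flagged.
ADVISORIES = {
    "telnetd": "remote login in cleartext",
    "rsh-server": "host-based trust, no encryption",
}

# Constructed sample in the stanza format of /var/lib/dpkg/status.
SAMPLE_STATUS = """\
Package: telnetd
Status: install ok installed
Version: 1.0-1

Package: rsh-server
Status: deinstall ok config-files
Version: 1.0-1

Package: ssh
Status: install ok installed
Version: 1.0-1
"""


def parse_status(text):
    """Yield one dict of fields per blank-line-separated stanza."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of last field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            yield fields


def audit(status_text, advisories=ADVISORIES):
    """Return sorted (package, reason) pairs for installed, flagged packages."""
    findings = []
    for pkg in parse_status(status_text):
        # Status is "<want> <flag> <state>"; only the last word is the state.
        state = pkg.get("Status", "").split()[-1:]
        if state == ["installed"] and pkg.get("Package") in advisories:
            findings.append((pkg["Package"], advisories[pkg["Package"]]))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_STATUS):
        print(f"{name}: {reason}")
```

Unlike a Conflicts: relationship, a removed-but-not-purged package (the rsh-server stanza) and an unflagged one (ssh) simply produce no finding, and nothing is installed or removed.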
