[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Thu, Apr 19, 2001 at 01:04:36PM +0200, Robert van der Meulen wrote:
> Hi,
> Quoting Adam McKenna (adam@debian.org):
> > On Thu, Apr 19, 2001 at 11:04:04AM +0200, Robert van der Meulen wrote:
> > > Thanks for the clear explanation; my vision was getting a bit clouded, late
> > > at night (and annoyed by the troll :) )
> > > I totally agree with all this.
> > Of course you do, because it's 100% correct.  But this thread isn't about
> > what individual administrators do, or what they should do, it's about what
> > Debian should do by default.  And PARANOID should not be used at all, let
> > alone be the default.  (Except for pedants as previously illustrated.)
> This is starting to become an endless discussion with no real outcome.
> What Debian does by default should be what most admins do. I'm not going to
> get into this discussion anymore, as i think all arguments have been brought
> forward too many times. You think 'paranoid' should not be used at all, I
> think 'ALL: PARANOID' is not strong enough, but for a default install 'ALL:
> ALL' would be too strong.

Yes, but the problem is that you seem to think that ALL: PARANOID is
somewhere between no security and ALL: ALL.  It's not.  It enforces NO access
control.  The problems that ALL: PARANOID was designed to prevent went away a
long time ago, and today, its only use is to cause interoperability problems
between Debian boxes and clients with incorrectly configured DNS.  You may be
OK with this, but to me this is a gross violation of the robustness
principle, and a way to cause people headache with very little gain in


Adam McKenna  <adam@debian.org>  <adam@flounder.net>

Reply to: