Re: woody release task needs help: package priorities



On 12 May 2001 kcr@debian.org wrote:

> > >   vacation      why standard?
> > >   fingerd       not very secure for baseline
> > >   ftpd          not very secure for baseline
> > >   lpr           not very secure for baseline, poss use lprng?

> These fall, IMHO, under the /important/ description:

>    Important programs, including those which one would expect to find on any
>    Unix-like system. If the expectation is that an experienced Unix person who
>    found it missing would say `What on earth is going on, where is foo?', it
>    must be an important package. [4] Other packages without which the system
>    will not run well or be usable must also have priority important. This does
>    not include Emacs, the X Window System, TeX or any other large
>    applications. The important packages are just a bare minimum of
>    commonly-expected and necessary tools.

> Experienced UNIX people [not necessarily experienced Debian people] will
> become confused and critical when something like the above is missing.

I would expect an experienced UNIX user to react this way upon finding that
the ftp and finger *clients* were missing from the system, but not when
finding that the *servers* are missing.  I'd be surprised if all (or even
most) proprietary Unices shipped with a finger daemon installed, and it's not
at all uncommon to find Unix systems that have fingerd and ftpd disabled.

I think an ftp server ought to be provided by default, but the question then
becomes 'which one?'  We do want the distro to be as secure as possible by
default.  I think the fact that ftp is a plaintext protocol isn't enough
reason to demote the daemon's priority, but the fact that many ftp daemons
have dubious security histories makes it important to choose one we trust to
be secure (since we're talking about packages that are installed on all
Debian systems, not just those run by admins who keep an eye on
security.debian.org).

Steve Langasek
postmodern programmer
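The point above about finding fingerd and ftpd disabled on a system is something an admin can check mechanically. The following is an added example, not code from the thread or from Debian: it audits an inetd.conf-style file (the classic format, one service per line, `#` disabling an entry) and reports which of the plaintext services named in the thread are actually enabled. The sample configuration is constructed for the example; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an inetd.conf for the
# daemons discussed above (finger, ftp). The file format assumed is the
# classic /etc/inetd.conf layout; the sample file below is constructed.

# List services that inetd would actually start: drop comments (which is how
# entries are disabled) and blank lines, then print the first field, the
# service name.
enabled_inetd_services() {
    # $1: path to an inetd.conf-style file
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" | awk '{print $1}'
}

# Exit 0 if the named service is enabled in the file, 1 otherwise.
inetd_service_enabled() {
    # $1: file, $2: service name (e.g. finger, ftp)
    enabled_inetd_services "$1" | grep -qx "$2"
}

# Constructed sample inetd.conf: ftp enabled, finger commented out (disabled),
# telnet enabled. Returns the path of the temporary file it writes.
make_sample_inetd_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# /etc/inetd.conf: sample (constructed for this example)
#:STANDARD: These are standard services.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
EOF
    printf '%s\n' "$f"
}

# Print each enabled plaintext service on its own line; exit 1 if any is
# enabled, 0 if none is, so the function can be used in scripts.
audit_plaintext_services() {
    # $1: file
    rc=0
    for svc in ftp finger telnet; do
        if inetd_service_enabled "$1" "$svc"; then
            echo "enabled: $svc"
            rc=1
        fi
    done
    return $rc
}

# Run with --demo to audit the constructed sample file.
if [ "${1:-}" = "--demo" ]; then
    conf=$(make_sample_inetd_conf)
    audit_plaintext_services "$conf"
    rm -f "$conf"
fi
```

On the sample file the audit reports `ftp` and `telnet` as enabled and says nothing about `finger`, because the commented-out line is exactly what "disabled" looks like in this format. Pointing `audit_plaintext_services` at a real /etc/inetd.conf gives the same answer for a live system, subject to the caveat that services started by other means (standalone daemons, xinetd) are not covered.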
