
Re: Release update
On Mon, Mar 29, 2004 at 09:24:16PM +0200, Thiemo Seufer wrote:

> I disagree. If you don't want to use a network service, then don't
> install it in the first place, or bind it to a local port.

  This is one approach.

  However, it fails when installing a new system.  By default, when
 installing Woody right now, many things are listening globally:
 Exim, portmap, echo, etc. from inetd.

  Other things, such as openssh and apache, must be explicitly installed,
 but the user gets no choice about these base packages.  Sure, they
 could be disabled by a clueful person.  But I think the overhead
 of "would you like this machine to run a firewall [yes/no]" to
 be minimal.

> It was just an example. The same goes for every remote box which is
> updated via network.

  I'm not talking about *updating* an existing system, I'm talking
 about installing a new system.

  However, I guess you could mean updating Woody -> Sarge.  In this
 case I would suggest a firewall ruleset which said something like

    * Drop all incoming connections.
    * Permit connections which are established.

  At the point the firewall was brought up the remote session doing
 the update would be established, so there would be no issue.

Steve
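The "drop all incoming, permit established" ruleset sketched in the message above, written out as an added example; it is not from the original thread or from Debian's installer. It assumes Linux iptables with the state match (ip_conntrack on a 2.4 kernel). The function names, the print/apply switch and the ordering check are this example's own, and the check exists because the one way this ruleset cuts off the session doing the upgrade is installing the drop before the established-accept.

```shell
#!/bin/sh
# Added example (not from the original message): a minimal iptables
# ruleset that drops new inbound connections but keeps established
# ones, plus a check that the rules are ordered so a remote session
# survives. Assumes iptables with the state match; RULESET_MODE and
# the function names are this example's own choices.

# Default is print-only; set RULESET_MODE=apply (as root) to run the rules.
RULESET_MODE="${RULESET_MODE:-print}"

# run CMD...: print the command, and execute it only in apply mode.
run() {
    echo "$*"
    if [ "$RULESET_MODE" = "apply" ]; then
        "$@"
    fi
}

# gen_ruleset: emit (and optionally apply) the rules in a safe order.
gen_ruleset() {
    # 1. Loopback stays open; local daemons such as portmap still talk over it.
    run iptables -A INPUT -i lo -j ACCEPT
    # 2. Packets belonging to an already-established connection are accepted.
    #    This MUST precede the drop: the SSH session performing the upgrade
    #    is already ESTABLISHED when the rules load, so it keeps working.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Every new inbound connection attempt is dropped.
    run iptables -A INPUT -m state --state NEW -j DROP
    # 4. Default policy DROP catches what the state match left unclassified
    #    (e.g. INVALID packets).
    run iptables -P INPUT DROP
}

# ruleset_is_safe: read a ruleset (one iptables command per line) on stdin.
# Exit 0 if an ESTABLISHED accept appears before any DROP, else exit 1.
# A ruleset that fails this check would sever the session applying it.
ruleset_is_safe() {
    awk '
        BEGIN { bad = 0; seen_est = 0 }
        /--state ESTABLISHED/ && /-j ACCEPT/ { seen_est = 1 }
        /-j DROP/ || /-P INPUT DROP/ { if (!seen_est) bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage (print-only by default):
#   gen_ruleset | ruleset_is_safe && RULESET_MODE=apply gen_ruleset
```

Before applying this over an SSH session, a practitioner would also start a safety net such as `sleep 120 && iptables -P INPUT ACCEPT && iptables -F INPUT &` and cancel it once the session is confirmed still alive, since a missing ip_conntrack module or a typo in the state rule would otherwise leave only the DROP policy in force.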