
Re: Release update



Steve Kemp wrote:
> On Mon, Mar 29, 2004 at 09:24:16PM +0200, Thiemo Seufer wrote:
> 
> > I disagree. If you don't want to use a network service, then don't
> > install it in the first place, or bind it to a local port.
> 
>   This is one approach.
> 
>   However it fails when installing a new system.  By default when
>  installing Woody right now many things are listening globally.
>  Exim, portmap, echo etc from inetd.

If those are opening ports by default, file bugs against them.

>   Other things must be explicitly installed such as openssh, apache,
>  but the user gets no choice about these base packages.  Sure they
>  could be disabled by a clueful person.  But I think the overhead
>  of "would you like this machine to run a firewall [yes/no]" to
>  be minimal.

It's not about the overhead, it's about the potential breakage,
e.g. for automated noninteractive installs.

> > It was just an example. The same goes for every remote box which is
> > updated via network.
> 
>   I'm not talking about *updating* an existing system, I'm talking
>  about installing a new system.

Adding some firewall to the base affects both.

>   However I guess you could mean updating Woody -> Sarge.  In this
>  case I would suggest a firewall ruleset which said something like
> 
>     * Drop all incoming connections.
>     * Permit connections which are established.
> 
>   At the point the firewall was brought up the remote session doing
>  the update would be established, so there would be no issue.

It occurs to me you never did system management over flaky connections.


Thiemo
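The two-rule firewall quoted above ("drop all incoming connections, permit connections which are established") and the flaky-connection objection can be reasoned about with a small model. The following is an added example, not code from the thread or from Debian: it models iptables-style connection tracking in pure Python rather than invoking iptables, and every address and port in it is a constructed value from the RFC 5737 documentation ranges. It shows that an already-established remote session survives the ruleset being brought up, that outbound package fetches still get their replies, and that a session dropped mid-update cannot be re-established unless the management port is explicitly permitted as new inbound traffic.

```python
"""Model of a two-rule stateful firewall: drop new inbound, accept established.

Added example (not from the thread). Addresses are constructed RFC 5737 values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out" relative to the host being updated
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True for the first packet of a new TCP connection


@dataclass
class StatefulFirewall:
    # Destination ports on which a *new* inbound connection is explicitly allowed.
    # The ruleset quoted in the thread has none; the mitigation adds 22 here.
    allowed_new_in: set = field(default_factory=set)
    # Connection table keyed as (remote_addr, remote_port, local_addr, local_port),
    # mirroring what the kernel's conntrack would hold for each known flow.
    conntrack: set = field(default_factory=set)

    def _flow(self, p: Packet) -> tuple:
        # Normalise to the same key whichever direction the packet travels
        if p.direction == "out":
            return (p.dst, p.dport, p.src, p.sport)
        return (p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        flow = self._flow(p)
        if p.direction == "out":
            # Outbound traffic is unrestricted and creates state for its replies
            self.conntrack.add(flow)
            return "ACCEPT"
        if flow in self.conntrack:
            return "ACCEPT"          # rule: permit ESTABLISHED connections
        if p.syn and p.dport in self.allowed_new_in:
            self.conntrack.add(flow) # explicit exception for a management port
            return "ACCEPT"
        return "DROP"                # rule: drop all other incoming connections


def scenario(explicit_ssh_allow: bool) -> dict:
    """Replay a remote Woody -> Sarge style update through the model."""
    fw = StatefulFirewall(allowed_new_in={22} if explicit_ssh_allow else set())
    admin, host, mirror = "192.0.2.10", "198.51.100.5", "203.0.113.80"  # constructed

    # The admin's SSH session already exists when the firewall comes up, so the
    # kernel has seen its handshake: seed the connection table accordingly.
    fw.conntrack.add((admin, 40001, host, 22))
    results = {}
    results["existing_session"] = fw.filter(Packet("in", admin, 40001, host, 22))

    # apt fetches from a mirror: outbound request, then the inbound reply
    fw.filter(Packet("out", host, 51000, mirror, 80, syn=True))
    results["mirror_reply"] = fw.filter(Packet("in", mirror, 80, host, 51000))

    # Flaky link: the session times out and is forgotten, then the admin
    # reconnects from a fresh source port, which is a *new* inbound connection.
    fw.conntrack.discard((admin, 40001, host, 22))
    results["reconnect"] = fw.filter(Packet("in", admin, 40002, host, 22, syn=True))
    return results


if __name__ == "__main__":
    print("ruleset as quoted:      ", scenario(explicit_ssh_allow=False))
    print("with explicit ssh allow:", scenario(explicit_ssh_allow=True))
```

With the ruleset exactly as quoted, `existing_session` and `mirror_reply` are accepted but `reconnect` is dropped, which is the lock-out the reply points at: once the original session is gone, nothing on the host will admit a replacement. Adding the management port to `allowed_new_in` is the minimal change that keeps the rest of the policy while leaving a way back in.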
