On Wed, Mar 16, 2005 at 03:13:16PM -0800, Thomas Bushnell BSG wrote: > md@Linux.IT (Marco d'Itri) writes: > > > On Mar 16, Thomas Bushnell BSG <tb@becket.net> wrote: > > > > > One of the conditions for SCC is "fully functioning Unix, including > > > DNS and firewall support." What specifically is intended by "firewall > > > support"? > > I think that simple ACLs are the bare minimum. > > Ok, can you point me at the specific feature, and why is this feature > important for packaging in SCC? Consider: * SCC systems have buildds. * Buildds must be network accessible. * The first rule of securing a machine exposed to the wilds is "Deny by default, allow by need". Therefore, a box which does not provide basic firewalling capabilities (whether that's achieved by configurable ACLs, mind-reading the human traffic trigger, or pixies inspecting every packet) is thus not suitable for running a buildd on, and thus can never achieve SCC status. Sorry, but being able to cope with a hostile environment *is* a requirement in today's network, and there isn't any real way around that fact. I have no clue where Hurd network filtering stands at the moment, so I can't comment on how far it is from having this feature. I wouldn't be willing to admin any such box that was plugged into a network using a ten foot pole, and I don't see why the DSA folks should be expected to either. If you really want this fixed, I suggest finding someone who is well versed in both network security issues and Internet protocol fundamentals (not just TCP or even just IP, but all the other lovely beasties out there) and convincing them it's worth their time (I hear money is often an excellent motivator). The issues involved with writing a serious, production-capable network stack are really quite non-trivial (and yes, I *do* speak from personal experience in this). -- Joel Aelwyn <fenton@debian.org> ,''`. : :' : `. `' `-
Attachment:
signature.asc
Description: Digital signature