Re: Attempts at security

[Lars Wirzenius <liw@liw.iki.fi>]

On la, 2007-02-03 at 12:37 +0100, Hendrik Sattler wrote:
> > > Not being able to change the cause to the better doesn't mean to
> > > introduce a mess to control the result.  And I really hope that Debian
> > > never considers installing+enabling selinux by default.
> >
> > IIRC, debian/etch already does already install selinux today without you
> > even noticing it.
> 
> It is not enabled by default. That is the other point: you get that selinux 
> integration if you want or not.

Debian has made similar decisions throughout its history: we generally
don't provide separate X and non-X versions of the same package, for
packages where this is a build time option, for example. That is also a
cost every Debian user pays: increased disk and memory usage, even if
they don't use X at all.

In order to keep the complexity of the entire Debian system manageable,
we need to make those choices. If we, as a project, are of the opinion
that providing SELinux support is a good thing, then everything in
Debian that needs to be changed for the support to exist needs to be
changed, even if the individual maintainer thinks SELinux isn't useful.

The mechanism we have for deciding such policy issues is the policy
document, the -policy list, and the associated procedures for proposing
and accepting changes to the policy.

Enabling SELinux by default obviously shouldn't happen until it can be
done without disturbing most people's use of Debian. As far as I know,
that should be possible to achieve, though.

-- 
I've never seen anyone wear a Freudian slip.