
Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files



On Sun, Nov 02, 2014 at 12:37:06PM +0100, Ralf Jung wrote:
> Hi,
> 
> >>> - Debian should ship a default set of firewall rules. Are we the only
> >>> distro which doesn't do this? I mean a basic ruleset which drops
> >>> incoming, accepts outgoing and accepts related,established is so easy to
> >>> do... and it would help for all those cases where services are started
> >>> but not yet finally configured/secured by the admin.
> >>
> >> Are all of our users admins that grasp firewalls?
> > 
> > Most likely not, and therefore I agree that with the current state of
> > affairs, enabling a firewall on Debian by default is probably a bad idea.
> 
> One could also interpret this the other way - since many people don't
> know how to manually configure a firewall, there should be something
> there per default that protects them.

Except that if a firewall "protects" a user from using their printer
(random example, not sure how likely) and they have no way of fixing
that (or even understanding what's wrong), that's not very helpful. This
is why I said "with the current state of affairs".

Before we enable a firewall by default, we should, IMO, have the
following:

- A way for a user to configure it without understanding iptables.
- A way for a user to debug (without understanding iptables) if things
  don't work.
- A way for a package maintainer to assert that this particular package
  needs a hole in the firewall to be useful, and that this hole needs to
  be available to a particular group of remote machines. E.g., cups
  would not expect connections from the other end of the world, while
  webservers would.

I'm sure the first of those exists, someone with more of an opinion
about it than me should have a look at the available options and decide
what should be made the default.

I'm not so sure about the second; it might exist, or it might not. I
wouldn't know.

I know for sure that the latter does not exist; a spec should probably
be written and proposed. In order for this to not result in yet another
systemd-style "discussion", said spec should preferably be written
without a particular implementation in mind (so that all implementations
can use it).

[...]
-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
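As an added illustration (not part of the thread), the shell function below renders the kind of ruleset the quoted message describes (drop incoming, accept outgoing, accept established/related) and adds one hole per service from a hypothetical manifest of the form `<service> <proto> <port> <allowed-sources>`, so that cups is reachable only from a constructed LAN prefix while a webserver is reachable from anywhere. The manifest format is an assumption; nftables syntax is used, and the script only prints the ruleset for review rather than loading it.

```shell
#!/bin/sh
# Added example, not from the thread. Render a default-deny nftables
# ruleset with per-service holes whose reach is declared per package.
# Hypothetical manifest format: "<service> <proto> <port> <allowed-sources>",
# where allowed-sources is a CIDR or "any". Output is meant to be reviewed
# and then loaded with `nft -f`; nothing here changes the running kernel.

# Constructed manifest: one line per package that needs a hole.
MANIFEST='cups tcp 631 192.168.1.0/24
nginx tcp 80 any
nginx tcp 443 any'

gen_ruleset() {
    # $1: manifest text (see format above)
    printf '%s\n' 'table inet filter {'
    printf '%s\n' '  chain input {'
    # Default policy drops anything not explicitly allowed below.
    printf '%s\n' '    type filter hook input priority 0; policy drop;'
    printf '%s\n' '    iif lo accept'
    # Replies to connections the host itself opened.
    printf '%s\n' '    ct state established,related accept'
    printf '%s\n' '    ct state invalid drop'
    printf '%s\n' '    ip protocol icmp accept'
    printf '%s\n' '    ip6 nexthdr icmpv6 accept'
    # One hole per manifest line, scoped to the declared source range.
    printf '%s\n' "$1" | while read -r svc proto port src; do
        [ -z "$svc" ] && continue
        if [ "$src" = any ]; then
            printf '    %s dport %s accept comment "%s"\n' "$proto" "$port" "$svc"
        else
            printf '    ip saddr %s %s dport %s accept comment "%s"\n' \
                "$src" "$proto" "$port" "$svc"
        fi
    done
    printf '%s\n' '  }'
    printf '%s\n' '  chain forward { type filter hook forward priority 0; policy drop; }'
    # Outgoing traffic is accepted, as in the quoted description.
    printf '%s\n' '  chain output { type filter hook output priority 0; policy accept; }'
    printf '%s\n' '}'
}

gen_ruleset "$MANIFEST"
```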

