On Thu, May 12, 2005 at 09:52:35PM -0400, Joey Hess wrote:
>Anibal Monsalve Salazar wrote:
>>>Also, unlike the comment in the file claims, manual modifications are
>>>lost as soon as the package is reconfigured (or upgraded, I think):
>>
>>I'm afraid that is not the case.
>>
>>>root@dragon:/home/joey>cat /etc/portmap.conf
>>># Portmap configuration file
>>>#
>>># Note: if you manually edit this configuration file,
>>># portmap configuration scripts will avoid modifying it
>>># (for example, by running 'dpkg-reconfigure portmap').
>>>
>>># By default listen on all interfaces
>>>#
>>># If you want portmap to listen only on the loopback
>>># interface, uncomment the following line (it will be
>>># uncommented automatically if you configure this
>>># through debconf).
>>>OPTIONS="-i 127.0.0.1"
>>>root@dragon:/home/joey>dpkg-reconfigure portmap
>>>Stopping portmap daemon: portmap.
>>>Configuring portmap
>>>-------------------
>>>
>>>Portmap by default listens to all IP addresses. However, if you are not using
>>>RPC services that connect to remote servers (like NFS or NIS) you can safely
>>>bind it to the loopback IP address 127.0.0.1.
>>>
>>>This will allow RPC local services (like FAM) to work properly while preventing
>>>remote systems from accessing your RPC services.
>>>
>>>You can change this configuration also by editing the OPTIONS line in the
>>>/etc/portmap.conf file. If you just don't specify the -i option it will bind to
>>>all interfaces.
>>>
>>>Should portmap be bound to the loopback address? no
>>
>>Here you selected 'no'.
>>
>>>Starting portmap daemon: portmap.
>>>Restoring old RPC service information...done.
>>>root@dragon:/home/joey>cat /etc/portmap.conf
>>># Portmap configuration file
>>>#
>>># Note: if you manually edit this configuration file,
>>># portmap configuration scripts will avoid modifying it
>>># (for example, by running 'dpkg-reconfigure portmap').
>>>
>>># By default listen on all interfaces
>>>#
>>># If you want portmap to listen only on the loopback
>>># interface, uncomment the following line (it will be
>>># uncommented automatically if you configure this
>>># through debconf).
>>>#OPTIONS="-i 127.0.0.1"
>>
>>The above commented out line is the result of the 'no' selection.
>
>The missing information in the transcript is that "no" was the default,
>even though per the config file the default should have been yes.

It's corrected now.

Changes:
 portmap (5-12) unstable; urgency=high
 .
   * Changed default of debconf question to correspond to the value in the
     config file.

>>>>   * Fixed "SIGCHLD handler doesn't preserve errno", closes: #306929.
>>>>     Patch by Alexander Achenbach <xela@slit.de>.
>>>
>>>Not important or RC is it?
>>
>>It's an RC bug. It may result in termination of the server process.
>>According to the author of the bug report, it was reported on
>>freebsd-bugs back in 1998.
>>
>>>>Version: 5-10
>>>>Closes: 286301 301130 301535
>>>>Changes:
>>>> portmap (5-10) unstable; urgency=high
>>>> .
>>>>   * Re-added the debconf configuration, although the default for this is now
>>>>     to have portmap listening in all interfaces. The debconf setting
>>>>     allows system administrators, base-config and cdd developers to preseed
>>>>     this value to 'true' (link only to the loopback interface) if needed.
>>>>     Patch by Javier Fernández-Sanguino Peña <jfs@computer.org>.
>>>>     Closes: #301130, #286301.
>>>
>>>So you made a change in -10 that introduced a RC bug that was fixed
>>>in -11? And no changes in -10 were RC or even important. The point of
>>>freeze exceptions is not to allow continuing unstable development of
>>>packages in sarge so I don't see why this should be accepted.
>>
>>Javier pushed -10 as an important security improvement for desktop/laptop
>>systems and I agree with him on that regard. Running portmap listening
>>to the world on a desktop/laptop system is a considerable security
>>risk.
>
>This is only my opinion, but debian systems have been running with these
>problems for as long as there was debian; delaying the sarge release to
>fix them does not seem worth it.
>
>--
>see shy jo

Anibal Monsalve Salazar
--
 .''`. Debian GNU/Linux
: :' : Free Operating System
`. `' http://debian.org/
  `- http://v7w.com/anibal
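The mismatch discussed in this thread (a question default of "no" while the file had `OPTIONS="-i 127.0.0.1"` active) can be checked mechanically. The following is an added example, not code from the portmap package or from anyone in the thread; the function names are hypothetical, and it assumes the `OPTIONS` line format shown in the transcript above.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not taken from the portmap package.

# Print "true" when the last active OPTIONS line in the given file contains
# "-i 127.0.0.1" (loopback only), "false" otherwise (all interfaces).
loopback_from_conf() (
    set -f    # do not glob while splitting the option words
    result=false
    if [ -r "$1" ]; then
        # Commented-out lines start with '#', so they never match here.
        opts=$(sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" | tail -n 1 | tr -d "\"'")
        prev=
        for word in $opts; do
            if [ "$prev" = "-i" ] && [ "$word" = "127.0.0.1" ]; then
                result=true
            fi
            prev=$word
        done
    fi
    echo "$result"
)

# Succeed only when a proposed question default agrees with the file, so that
# accepting the default on reconfigure leaves the admin's setting alone.
default_matches_conf() {
    [ "$(loopback_from_conf "$1")" = "$2" ]
}

# Constructed sample: the two states of /etc/portmap.conf shown in the thread.
write_sample_conf() {   # $1 = path, $2 = "bound" or "unbound"
    {
        echo "# Portmap configuration file"
        if [ "$2" = bound ]; then
            echo 'OPTIONS="-i 127.0.0.1"'
        else
            echo '#OPTIONS="-i 127.0.0.1"'
        fi
    } > "$1"
}
```

Run against the first `cat` output in the transcript, `loopback_from_conf` yields `true`, which is the default the question would have needed for the reconfigure run to leave the file unchanged.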