
Re: "uselessly listens on localhost" RC



Andreas Barth wrote:
> after some discussion we had today on IRC, I tend to think we should
> put a section within "security" of the release policy that says
> something like "Packages must not open listening sockets at localhost
> where usage of a unix domain socket (in the filesystem) would be
> equally sufficient".
> 
> Reasoning for this is that opening listening sockets with the network
> allows "better" ways to exploit security bugs than in the traditional
> unix filesystem.
> 
> 
> Comments?

In general that seems to be harsh unless you are talking about software
that never should listen on the network or where the use case of not
listening on the network is really important.

Unless you want to make it should not instead of must not?

Cheers

Luk
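As an added example, not from this thread or from any Debian package, the following Linux-only Python shows the concrete difference the quoted policy text rests on: a daemon bound to a unix domain socket inherits filesystem permissions (here a 0700 directory) and can ask the kernel for the connecting process's uid via SO_PEERCRED, whereas a TCP socket on 127.0.0.1 is reachable by every local user and gives the server no kernel-verified identity for the peer. The socket path, the single-client server and the in-process client are constructed for the demonstration.

```python
import os
import socket
import struct
import tempfile
import threading

# Linux-only socket option; fall back to the x86 numeric value if the module lacks the name.
SO_PEERCRED = getattr(socket, "SO_PEERCRED", 17)

def peer_credentials(conn: socket.socket) -> tuple:
    """Return (pid, uid, gid) of the process on the other end of a connected unix socket.
    The kernel fills these in; a TCP socket on 127.0.0.1 offers no equivalent."""
    raw = conn.getsockopt(socket.SOL_SOCKET, SO_PEERCRED, struct.calcsize("iII"))
    return struct.unpack("iII", raw)

def serve_one(path: str, allowed_uid: int, ready: threading.Event) -> dict:
    """Accept one client on a unix socket and admit it only if its uid matches."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o600)      # the socket file itself is owner-only as well
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
    with conn:
        pid, uid, gid = peer_credentials(conn)
        accepted = uid == allowed_uid
        conn.sendall(b"ok\n" if accepted else b"denied\n")
        return {"pid": pid, "uid": uid, "gid": gid, "accepted": accepted}

def demo() -> dict:
    """Constructed self-contained run: server thread plus a client in the same process."""
    sockdir = tempfile.mkdtemp()   # created mode 0700, so other local users cannot reach the socket
    path = os.path.join(sockdir, "daemon.sock")
    ready, result = threading.Event(), {"expected_uid": os.getuid()}
    worker = threading.Thread(target=lambda: result.update(serve_one(path, os.getuid(), ready)))
    worker.start()
    ready.wait(5)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        result["reply"] = cli.recv(16)
    worker.join(5)
    os.unlink(path)
    os.rmdir(sockdir)
    return result

if __name__ == "__main__":
    print(demo())
```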
