In message <20010619105847.B22841@morgul.net>, "Noah L. Meyerhans" writes:
>I do think it's worth discussing whether the policy should be "on by
>default" or "off by default". Not just for the simple services, but for
>all services that get installed. Which option leaves more work to be
>done by the admin? In the current "on by default" state, you install a
>new system and go through /etc/rc?.d/ and /etc/inetd.conf and turn off
>things that you don't need, or uninstall them completely. Is that
>less time consuming for the admin than requiring them to go over the
>same directories and files and explicitly enable the services they want?
>I am not sure, but I expect it might not be. And I know it would be
>safer to leave services off by default. There are a lot of incompetent
>admins out there, and while "off by default" might generate a bit more
>traffic on -user, it is likely to save some of them some major grief.

IMHO, I like the default-on setup in debian. The main reason that I like it is that it maintains the linkage between installation of a package and that package working. I like knowing that if I apt-get a new package, it will work, and I won't have to do additional munging to get it to work. Especially for complex packages, this is invaluable.

Without the default-on policy, installing new packages will be a horrible nightmare. Imagine trying to install konqueror on a kde-free machine with a default-off policy. Although many packages would install cleanly, there would be hundreds of packages that would require hassle to install.

I think the solution to the problem above is package removal. If you don't want NFS client support, just remove nfs-common. Don't want portmap? Remove it. Same with inetd. In unstable both inetd and portmap are their own packages now. I know that this wasn't the case in the past, but in a release or two, stable will have the same functionality.

I think that we should continue with this strategy of package proliferation rather than have a drastic change to policy. This combination of ease-of-use with the eternal vigilance of the security team is what gives debian the enviable reputation of security and ease-of-use that it has today.

--
Ted Cabeen http://www.pobox.com/~secabeen secabeen@pobox.com
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@uchicago.edu
"I have taken all knowledge to be my province." -F. Bacon secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen@netcom.com