
Re: avahi-daemon



On Wed, Feb 22, 2006 at 04:57:26PM +0100, Loïc Minier wrote:
On Wed, Feb 22, 2006, Michael Stone wrote:
>From a pragmatic standpoint, pulling in nss-mdns is a PITA because it makes certain name queries take forever--so there are reasons aside from security to think this is annoying.

(nss-mdns does mdns too, but it's not related to avahi)

No?

Package: avahi-daemon
Source: avahi
Version: 0.6.7-1
Depends: libavahi-common3 (>= 0.6.4), libavahi-core3 (>= 0.6.0), libc6 (>= 2.3.5-1), libcap1, libdaemon0, libdbus-1-2 (>= 0.60), libexpat1 (>= 1.95.8), adduser, dbus (>= 0.60)
Recommends: libnss-mdns

The dependency chains here get a little scary.

From a security point of view, every feature introduces risk.  If
you base all your reasoning on security, that is if you make security
rule number 1, you get zero features.

And if you introduce questionable features with huge security implications without thinking them through you get a real mess which is going to take a lot of work down the road to clean up. There's a real danger inherent in focusing on a particular bit of functionality and ignoring its larger implications, *especially* in a project as large as Debian.

You can't take the decision to remove a feature because most people
install GNOME for other reasons than that feature.  Otherwise one would
use the same reasoning for all features in GNOME and remove them all.

Your logic is frankly questionable. Anytime you start with a
proposition like "making that decision equates to removing every possible feature" you're probably making a logical leap.

But I agree with the former part: the question is do we support
multicast DNS or not?  When I look at the results of my mdns queries
here, I have no doubt it will soon be a requirement since I see:
- computers
- a music remote control interface
- music shares
- HTTP and SSH servers (that's less common)
- administrative interface for wifi APs

I don't see any of those appearing on any network I maintain. I've now trumped your assertion with one of my own, do I win something? On any *managed* network I don't think that having stuff like this appear out of nowhere is particularly beneficial. On a small home network I'm not convinced it buys you anything because you're not generally dealing with enough stuff to need a service location solution. I'm sure it's potentially very useful on geeky home networks with lots of systems and services, but I'm not sure that's a reasonable basis for a default configuration.

--
Michael Stone


