
Re: avahi-daemon



On Wed, Feb 22, 2006 at 08:59:40AM -0800, Rick Moen wrote:
> Quoting aliban (aliban@gmx.net):
> 
> > MS Blaster infected many million systems within seconds...
> 
> Relying on the vulnerable MSDE embedded SQL database engine being
> embedded into a large number of consumer software products, and
> irresponsibly left bound to all network ports, not just loopback.

You are confusing worms: Blaster exploited the DCOM RPC vulnerability
(CAN-2003-0352). The one that exploited CAN-2002-0649 and
CAN-2002-1145 in both SQL Server and MSDE was SQLExp / Slammer.
The former worm targeted a critical OS service, the latter a database service.
Neither of which were actually useful if bound to loopback, BTW.

IMHO the problem here is having a music program (as rhythmbox) Recommends:
avahi-daemon, when IMHO it should be Suggests: . The functionality
provided by avahi-daemon (a network service for sharing music) is not something
I would say that all rhythmbox users require (based on rhythmbox' description, which
looks like a music library organization tool to me). However, it will get it
installed per default by users using 'aptitude' (not 'apt') which is the
recommended tool these days.

If I were you (aliban) I would bug rhythmbox. It seems that Bug #349478 got
it to reduce the Depends: on that daemon to a Recommends:, I think it would
be better to have that as Suggests:
Disclaimer: I don't know much about rhythmbox and the relationship of avahi-daemon

I agree with Michael Stone in that the dependency chain here might be a
problem in the long run.

Maintainers remember: it's much better to *not* install/activate a network
service than to have a service, even if it's chrooted, or running under lower
privileges (like the avahi maintainers describe in
https://wiki.ubuntu.com/MainInclusionReportAvahi) which, BTW, is not that
common. The keyword here is 'exposure'.

Really, do *almost all* rhythmbox users need to share music (and consequently need
avahi)?

Regards

Javier
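
An added example, not part of the original message: a small audit that reads Debian control-style stanzas and reports which packages would bring in a network daemon automatically (Depends/Recommends) versus only optionally (Suggests). The stanzas are constructed sample data, and the function names `parse_stanzas`, `names` and `pulled_in_by` are hypothetical.

```python
import re

# Constructed stanzas in Debian control-file syntax (not real archive data).
# The rhythmbox entry mirrors the Recommends: described in the message above.
SAMPLE_STATUS = """\
Package: rhythmbox
Depends: libc6
Recommends: avahi-daemon

Package: example-player
Suggests: avahi-daemon | example-mdns

Package: example-sharing-tool
Depends: libc6, avahi-daemon (>= 0.6)
"""

# Fields that a resolver honouring Recommends installs without being asked.
AUTO_FIELDS = ("Pre-Depends", "Depends", "Recommends")
OPTIONAL_FIELDS = ("Suggests",)


def parse_stanzas(text):
    """Yield one {field: value} dict per blank-line-separated stanza."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:      # folded continuation line
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields


def names(value):
    """Package names in a relationship field, minus versions and alternatives bars."""
    found = (re.match(r"\s*([a-z0-9][a-z0-9+.\-]*)", alt) for alt in re.split(r"[,|]", value))
    return {m.group(1) for m in found if m}


def pulled_in_by(text, target):
    """Map package -> (field, 'auto' | 'optional') for the strongest reference to target."""
    result = {}
    for st in parse_stanzas(text):
        for field in AUTO_FIELDS + OPTIONAL_FIELDS:
            if target in names(st.get(field, "")):
                result[st["Package"]] = (field, "auto" if field in AUTO_FIELDS else "optional")
                break
    return result
```

On a real system the same functions can be fed the contents of `/var/lib/dpkg/status`; every `auto` entry is a package whose installation also exposes the daemon.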
