Hi again

On Fri, Apr 21, 2006 at 10:52:40PM +0200, Thomas Huriaux wrote:
> Ola Lundqvist <[EMAIL PROTECTED]> (21/04/2006):
> > On Fri, Apr 21, 2006 at 07:35:01PM +0200, Thomas Huriaux wrote:
> > > Ola Lundqvist <[EMAIL PROTECTED]> (21/04/2006):
> > > > The usefulness of this package is that the admin will know about
> > > > this _during_ the installation.
> > > > 
> > > > I still do not understand why you have a problem with this.
> > > 
> > > Because installation is not the place to care about this. As I've said,
> > > the purpose of a package should be documented on places such as package
> > > description, project website, ..., the use of a package should be
> > > documented in manpages, README files, etc. Keep the things where they
> > > belong.
> > 
> > But this package is intended for people that are not that used to Debian
> > and security hardening. They probably do not even know about the
> > README.Debian files anyway.
> 
> Do you really think that people not used to Debian and security
> hardening will understand that the notes they read during the
> installation process are instructions to apply after the installation?

Yes, I think so. I have read through them again and I cannot see why it is
a problem.

Quote from the templates:

----------

Template: harden-servers/plaintext
Type: note
_Description: Plaintext passwords
 Services that use plaintext passwords are almost by definition insecure.
 The reason is that you cannot know if someone is sniffing your passwords.
 .
 In a local environment with no connection to the outside world this is of
 course not a big problem. On the other hand, you will then not need to
 secure your system at all and should not need this package.
 .
 This package conflicts with a lot of server service components that depend
 on plaintext passwords. Some tools that use plaintext passwords are not
 conflicted because they can be configured not to use plaintext passwords.
 So installing this package will only help you with some of the most
 critical servers.
 .
 The advice is to look at each available service and investigate if it uses
 plaintext passwords. If it does, try to configure it so it starts using
 encryption or some password exchange algorithm that does not require
 plaintext passwords.


Template: harden-servers/inetd
Type: note
_Description: Default services and inetd
 By default some unnecessary services are enabled on your system. The
 program that provides them is inetd. There are alternatives to inetd
 which are more flexible. The problem is not that inetd in itself is
 insecure so you will probably not need to remove it. The problem is that
 you have to configure it to provide only the services that are really
 needed.
 .
 If you have the normal inetd program installed you should configure it by
 editing /etc/inetd.conf.
 .
 The general rule is to comment all lines that you do not need. If you do
 not know what it is, you probably do not need it. If you discover some
 problem you can always uncomment it later.
 .
 When you have edited that file, you have to restart the inet daemon with the
 following command: /etc/init.d/inetd restart

-----

The client note looks similar to the server note, so I do not list it here.

I can see that my English is not perfect, but that is not what we are
arguing about here. I can add a note saying that this is supposed to be done
after configuring, if that makes it better.

> > > Just imagine that every package displays debconf notes such as your
> > > package does (i.e. notes that are not related with the package
> > > configuration). I really think that Debian would be unconfigurable, as
> > > every package would stop the installation procedure many times
> > > (especially true for harden/welcome, even if it is also true for the
> > > other notes).
> > 
> > I agree in general but I still think that these notes are valid to print.
> > 
> > > Another problem that I see with this: during the installation procedure,
> > > I usually only want to configure the newly installed packages. In this
> > > case, I'm installing the harden suite and plenty of other packages. As
> > > I've seen that the Debconf notes were not related with the configuration,
> > > I just read them but took no action immediately, as it is better to finish
> > > the full installation before reconfiguring other packages. Now that my
> > > installation is finished, I want to make my system secure.
> > > I don't think that dpkg-reconfigure harden-servers is the intuitive
> > > way to find the instructions (this is especially true for the
> > > harden-servers/vncserver and harden-servers/inetd notes).
> > 
> > We can of course add the notes to the README.Debian file as well as the
> > debconf output.
> > 
> > > Finally, I would accept some notes being displayed during the installation
> > > procedure, but only before being prompted by apt/aptitude if I accept to
> > > remove packages that conflict with harden* (in the case of
> > > harden-servers/plaintext and harden-clients/plaintext). This is
> > > unfortunately not possible, AFAIK. With the current conception of the
> > > package, these notes are displayed too late to be useful during the
> > > installation procedure.
> > 
> > What? The notes are not for you to remove packages but to make sure that
> > you try to configure your system for encryption.
> 
> Then it is worse than I thought. If these notes are not even made to
> explain what's happening during the installation process, then they
> really should be removed.

Please tell me what is hard to understand with these notes instead.

> > > Conclusion: If you want to keep the current philosophy of the package
> > > without bothering users with pointless notes, you should take the
> > > following actions:
> > > * remove harden/welcome (or move it to a README.Debian file)
> > It is already output with priority low, so I do not really agree.
> 
> Even with a low priority, once again, imagine that every package
> displays a note with "Hello, you are using the foobar package. You
> can find more documentation blablabla...". It would simply make the low
> priority unused by users.

That is what you have low priority for. The default is medium and therefore
you will not have them printed with the default option. So what is the
problem?

> > > * remove harden-*/plaintext and emphasize (if needed) the package
> > >   description about the conflicts
> > But they are not for describing the conflicts.
> 
> See above.
> 
> > > * provide documentations such as README, manpage, ... for
> > >   harden-servers/inetd and harden-servers/vncserver (and of course
> > >   remove those notes)
> > 
> > No, I will not do this last point, unless inetd has changed its
> > defaults of course.
> 
> Still the same difference of opinion, i.e. something like that has no
> added value during the package configuration process.

BUT the package has NO use without the notes and the conflicts!!! It does
not contain anything else.

> I'm afraid our main disagreement is the distinction I made between
> installation/configuration of a package and use of a package. It seems
> for me that you consider you're using a package as soon as you start
> to install it.
In this case it is true as this is mostly a meta package with some
additional help to the user.

> If I'm right with this last statement, then I will change my
> argumentation :-)
> 
> Sorry to be so insistent for the removal of these debconf templates, but
> one of my main activities within Debian is debconf-related QA and I'm
> still convinced that you are using debconf where you should not.
> That's why I really would like to see this issue fixed :-)

Well I am still not convinced and as I have seen that this package
is used by quite a few people I assume that people like the idea of
it. You are the first person to complain about these notes.

If you get consensus about this on debian-devel (which I do not read by the way)
or you can convince many people to answer this bug with the same opinion
I may change my mind.

You see, the inetd note was created because users requested that
inetd servers should be disabled by default when installing this package. I
decided that it was not a good thing to change configuration, so I added this
note instead.

The plaintext password notes were added because I could not find a good
way to configure all servers to use encryption, so that note was added.

I still do not understand why you think they are so bad, as these two things
are quite important for hardening of a system. A better thing would of course be
if I had implemented functions for editing inetd services and also to configure
password handling for all clients and servers, but I have not really had the
time to start such a big project.

Regards,

// Ola

> Cheers,
> 
> -- 
> Thomas Huriaux



-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                     Annebergsslingan 37      \
|  [EMAIL PROTECTED]                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
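The two debconf notes quoted in the mail above describe a manual procedure: check each enabled service for plaintext password use, comment out every line in /etc/inetd.conf that is not needed, and restart inetd. The script below is an added example that does exactly that against a constructed sample file; it is not code from the harden-servers package or from the mail. It assumes the classic inetd.conf line layout (service, socket type, protocol, wait/nowait, user, program, arguments), a space-separated allowlist of service names, and the list of plaintext-password services defined at the top, which is an assumption for the example rather than anything the package ships.

```shell
#!/bin/sh
# Added example for the two debconf notes above (not part of harden-servers):
# audit a constructed inetd.conf, flag enabled services that carry passwords
# in the clear, and write a hardened copy with every service not on an
# explicit allowlist commented out, as the inetd note tells the admin to do.
#
# Assumptions (not from the package): classic inetd.conf line layout
# "service socktype proto wait/nowait user program args", a space-separated
# allowlist of service names, and the plaintext-service list below.

# Services whose default protocol sends the password unencrypted.
# Assumed list for this example; extend it for your own environment.
PLAINTEXT_SERVICES="telnet ftp pop3 pop-3 imap imap2 rlogin rsh rexec"

# Write the constructed sample inetd.conf used by this example to path $1.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample in the layout of /etc/inetd.conf; not from a real host
#<service> <sock_type> <proto> <flags> <user> <server_path> <args>
discard   stream  tcp  nowait  root    internal
daytime   stream  tcp  nowait  root    internal
telnet    stream  tcp  nowait  root    /usr/sbin/tcpd    /usr/sbin/in.telnetd
ftp       stream  tcp  nowait  root    /usr/sbin/tcpd    /usr/sbin/in.ftpd
pop3      stream  tcp  nowait  root    /usr/sbin/tcpd    /usr/sbin/in.pop3d
ident     stream  tcp  wait    identd  /usr/sbin/identd  identd
#finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd    /usr/sbin/in.fingerd
EOF
}

# Print the names of enabled (uncommented) services in inetd.conf $1, one per line.
list_enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1 }'
}

# Print the enabled services in $1 that are on the plaintext list.
flag_plaintext_services() {
    for svc in $(list_enabled_services "$1"); do
        case " $PLAINTEXT_SERVICES " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
    return 0
}

# Write a hardened copy of inetd.conf $1 to $2, keeping only the services
# named in allowlist $3 enabled.  Comments and blank lines pass through;
# every other line not on the allowlist is commented out, so the admin can
# uncomment it later if something turns out to need it.
harden_inetd_conf() {
    allow=" $3 "
    while IFS= read -r line || [ -n "$line" ]; do
        stripped=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
        case "$stripped" in
            ''|'#'*) printf '%s\n' "$line" ;;
            *)
                svc=${stripped%%[[:space:]]*}         # first field: service name
                case "$allow" in
                    *" $svc "*) printf '%s\n' "$line" ;;
                    *)          printf '#%s\n' "$line" ;;
                esac ;;
        esac
    done < "$1" > "$2"
}

# After replacing /etc/inetd.conf with the hardened copy, restart inetd with
# the command the debconf note gives (needs root; not run by the example).
restart_inetd() {
    /etc/init.d/inetd restart
}

# Stand-alone run: audit and harden the sample in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_inetd_conf "$demo_dir/inetd.conf"
echo "enabled services that use plaintext passwords:"
flag_plaintext_services "$demo_dir/inetd.conf"
harden_inetd_conf "$demo_dir/inetd.conf" "$demo_dir/inetd.conf.hardened" "ident"
echo "hardened configuration:"
cat "$demo_dir/inetd.conf.hardened"
rm -rf "$demo_dir"
```

On a real host you would run it against /etc/inetd.conf, review the hardened copy, move it into place and then call restart_inetd as root. The allowlist approach follows the note's rule that anything you do not recognise is probably not needed; the flagged plaintext services (telnet, ftp, pop3 in the sample) are the ones the plaintext note asks you to either switch to an encrypted protocol or remove.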

