In message <[EMAIL PROTECTED]>, "Noah L. Meyerhans" writes:
>I do think it's worth discussing whether the policy should be "on by
>default" or "off by default". Not just for the simple services, but for
>all services that get installed. Which option leaves more work to be
>done by the admin? In the current "on by default" state, you install a
>new system and go through /etc/rc?.d/ and /etc/inetd.conf and turn off
>things that you don't need, or uninstall them completely. Is that
>less time consuming for the admin than requiring them to go over the
>same directories and files and explicitly enable the services they want?
>I am not sure, but I expect it might not be. And I know it would be
>safer to leave services off by default. There are a lot of incompetent
>admins out there, and while "off by default" might generate a bit more
>traffic on -user, it is likely to save some of them some major grief.

IMHO, I like the default-on setup in debian. The main reason that I like it
is that it maintains the linkage between installation of a package and that
package working. I like knowing that if I apt-get a new package, it will
work, and I won't have to do additional munging to get it to work. Especially
for complex packages, this is invaluable. Without the default-on policy,
installing new packages will be a horrible nightmare. Imagine trying to
install konqueror on a kde-free machine with a default-off policy. Although
many packages would install cleanly, there would be hundreds of packages that
would require hassle to install. I think the solution to the problem above is
package removal. If you don't want NFS client support, just remove
nfs-common. Don't want portmap? Remove it. Same with inetd. In unstable
both inetd and portmap are their own packages now. I know that this wasn't
the case in the past, but in a release or two, stable will have the same
functionality. I think that we should continue with this strategy of package
proliferation rather than have a drastic change to policy. This combination
of ease-of-use with the eternal vigilance of the security team is what gives
debian the enviable reputation of security and ease-of-use that it has today.
--
Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
"I have taken all knowledge to be my province." -F. Bacon [EMAIL PROTECTED]
"Human kind cannot bear very much reality."-T.S.Eliot [EMAIL PROTECTED]
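The post-install walk through /etc/rc?.d and /etc/inetd.conf that the quoted message describes, written out as an added shell example (not code from the thread or from Debian): it lists what the "on by default" policy leaves started, and shows the traditional S-to-K rename for switching one off. The `root` argument and the sample tree are constructed assumptions so it can be run without touching the real /etc.

```shell
#!/bin/sh
# Added example (not from the thread): audit what "on by default" leaves enabled,
# as an admin walking /etc/rc?.d and /etc/inetd.conf would. Assumes a SysV layout;
# the root argument is a hypothetical parameter so it can run on a constructed tree.

# Print "runlevel service" for every start link (S##name) under root/rc?.d.
list_rc_services() {
    root="${1:-/etc}"
    for dir in "$root"/rc[0-9S].d; do
        [ -d "$dir" ] || continue
        level="${dir##*/rc}"; level="${level%.d}"
        for link in "$dir"/S[0-9][0-9]*; do
            [ -e "$link" ] || [ -L "$link" ] || continue   # unmatched glob
            printf '%s %s\n' "$level" "${link##*/S[0-9][0-9]}"
        done
    done
}

# Print the service name of every active (uncommented) line in root/inetd.conf.
list_inetd_services() {
    conf="${1:-/etc}/inetd.conf"
    [ -r "$conf" ] || return 0
    sed 's/#.*//' "$conf" | awk 'NF { print $1 }'
}

# Disable a boot-time service the traditional way: rename its S link to a K link
# in the given runlevel. Returns 1 if no such start link exists.
disable_rc_service() {
    root="$1"; level="$2"; name="$3"
    for link in "$root/rc$level.d"/S[0-9][0-9]"$name"; do
        [ -L "$link" ] || [ -e "$link" ] || return 1
        prefix="${link##*/S}"; prefix="${prefix%"$name"}"
        mv "$link" "$root/rc$level.d/K$prefix$name"
    done
}

# Constructed sample tree standing in for a freshly installed system.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/rc2.d" "$root/init.d"
    : > "$root/init.d/inetd"; : > "$root/init.d/nfs-common"; : > "$root/init.d/exim"
    ln -s ../init.d/inetd "$root/rc2.d/S20inetd"
    ln -s ../init.d/nfs-common "$root/rc2.d/S19nfs-common"
    ln -s ../init.d/exim "$root/rc2.d/K20exim"          # already stopped
    printf '%s\n' '# constructed inetd.conf' \
        'daytime stream tcp nowait root internal' \
        '#telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd' \
        'ident stream tcp wait identd /usr/sbin/identd identd' > "$root/inetd.conf"
    printf '%s\n' "$root"
}
```

Run `list_rc_services` and `list_inetd_services` against the real /etc (no argument) to get the review list; K links and commented inetd lines are deliberately left out, since those are already off.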