Let me list the counter arguments to the proposal (to include a new field
PREFER_HARDENED_CONFIG) so far:
* The packages should be deploying a secure configuration by default.
Counter-argument: Yes, but they don't. There are obviously competing interests
and sometimes convenience wins.
To what extent a machine is locked down is a policy choice. There are
already loads of tools available to manage policy so this really doesn't
belong here and if you want to ensure that your fleet of machines are locked
down through something like PREFER_HARDENED_CONFIG=1, you're going to need
>>> Peter Hoeg wrote on 17.02.2022 at 07:07 in message
<87k0duvvtv@hoeg.com>:
>>> I think os‑release describes the operating system, not policies.
>>
>> You are right. Perhaps machine‑info would be a better fit than os‑release.
>
> To what extent a machine is locked down is a policy