On Thu, Feb 24, 2011 at 03:04:26PM +0000, Matthew Garrett wrote:
And once you've got a default set for the default install, why
not just
do it at the package level and ensure some level of consistency?
Because by enabling lots of potential vulnerable services you make it a
PITA to use Fedora securely. A proper way would be to have some system
setting to specify whether or not non-essential services require
explicit enabling, e.g. a file in /etc/sysconfig/initscripts file with a
variable that one can set to true, which ensures that all not explicitly
enabled services won't be enabled.
It is pretty easy to notice that a wanted service does not run compared
to notice that an unwanted/unused service suddenly runs, because an
innocent looking package has been installed. This is a trap that is
usually set on Debian systems which everyone I know who uses Debian
dislikes.
Regards
Till