On Thu, Feb 24, 2011 at 05:59:33PM +0100, Till Maas wrote:
On Thu, Feb 24, 2011 at 03:04:26PM +0000, Matthew Garrett wrote:
> And once you've got a default set for the default install, why not just
> do it at the package level and ensure some level of consistency?
Because by enabling lots of potential vulnerable services you make it a
PITA to use Fedora securely. A proper way would be to have some system
setting to specify whether or not non-essential services require
explicit enabling, e.g. a file in /etc/sysconfig/initscripts file with a
variable that one can set to true, which ensures that all not explicitly
enabled services won't be enabled.
There are no essential services, which means any proposal that contains
the phrase "non-essential services" is already unimplementable.
--
Matthew Garrett | mjg59(a)srcf.ucam.org