On Sat, 2005-12-17 at 15:39 -0500, Sean wrote:
But the point has to be made again, nothing we're talking about here changes the situation of malicious code. _Today_ as Fedora exists out of the box, a malicious program can enable UPnP on a router that has it enabled. All we're talking about is using that facility as it was meant to be used, by _trusted_ application like the bit torrent client supplied with the distribution.
And here I thought we were discussing the merrits of having the bt client default to upnp enabled. I would rather it be disabled, and let the user decide to use risky features. Secure by default.
On Sat, December 17, 2005 4:01 pm, Jesse Keating said:
And here I thought we were discussing the merrits of having the bt client default to upnp enabled. I would rather it be disabled, and let the user decide to use risky features. Secure by default.
There is no significant risk added at all. If there is an exploit in the bit torrent client, it needs to have a security patch either way. Enabling the use of UPnP doesn't change that. But it would significantly improve the user experience of a large number of users that want to use it to download Fedora releases. The use of UPnP is actually an improvement over manually configured port settings because they're only in place while the client is being used. But as long as the feature is at least provided as an option, having it default to "off" isn't a big deal.
Cheers, Sean