Services that can start by default policy feedback

Toshio Kuratomi a.badger at gmail.com
Thu Feb 24 17:47:22 UTC 2011


On Thu, Feb 24, 2011 at 10:42:54AM -0500, Colin Walters wrote:
> On Thu, Feb 24, 2011 at 10:32 AM, Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
> 
> > "May" as in "Are allowed to". It's always going to be the package
> > maintainer's call in the end - we're not going to mandate it.
> 
> Okay; it's not worth going through the details if you guys already
> discussed and rejected it, we've lived for years with the status quo
> and this is basically just documenting it.
> 
Actually, this policy is a large departure from the status quo.  The standard
has pretty much been "off by default unless you're an old package from RHL
that was on or you slip it by your reviewer."

I think that the intention of the old policy (I believe there was an
explicit policy about this in Fedora.us but mschwendt or someone who has
a better memory than I could correct me there) was that only essential
services were on by default to minimize security risk (not just remote
exploits, but local exploits as well), to minimize resource usage, and to
put the system administrator in charge of their environment (as Till Maas
has pointed out, he has a lot of server software installed but not running
unless he needs it for a particular task.)

The draft policy that FESCo has up is much broader than that.  For instance,
"If a service does not require configuration to be functional and is not
network enabled, it may be enabled by default (but is not required to do
so)." includes things such as apache and mysql if we ship them with
a configuration that only listens on localhost.

This isn't necessarily a bad thing (although speaking for myself, I lean
towards your view of everything off in packaging and then turn things on at
the installer/spin creator/kickstart/etc level) but it is a large policy
shift, not just a statement of the status quo.

-Toshio