Services that can start by default policy feedback

Toshio Kuratomi a.badger at gmail.com
Fri Feb 25 17:46:08 UTC 2011


On Thu, Feb 24, 2011 at 06:32:44PM +0000, Matthew Garrett wrote:
> On Thu, Feb 24, 2011 at 05:59:33PM +0100, Till Maas wrote:
> > On Thu, Feb 24, 2011 at 03:04:26PM +0000, Matthew Garrett wrote:
> > 
> > > And once you've got a default set for the default install, why not just 
> > > do it at the package level and ensure some level of consistency?
> > 
> > Because by enabling lots of potentially vulnerable services you make it a
> > PITA to use Fedora securely. A proper way would be to have some system
> > setting to specify whether or not non-essential services require
> > explicit enabling, e.g. a file in /etc/sysconfig/initscripts file with a
> > variable that one can set to true, which ensures that all not explicitly
> > enabled services won't be enabled.
> 
> There are no essential services, which means any proposal that contains 
> the phrase "non-essential services" is already unimplementable.
> 
You've said this many times and it seems that you do it to be
obstructionist.  The constructive way to deal with this is to start making
a list of what people really mean by "essential" and then propose alternate
words to use.

I think, by essential, some people mean:

start the bare minimum so I don't have to start any additional services to:

... I don't want anything but init and a shell [*]
... log into a getty
... log in over the network
... log into a desktop
... do any client-side operations

[*] This one (but not limited to this one) also specifies that additional
services would be started, just not by packaging, i.e. the installer or
something else will start additional services independent of packaging.

I'll note that with both traditional SysV runlevels and the set of systemd
targets that we'll give to people in F15, we can have multiple definitions of
what services to start as well.  The rescue target (formerly runlevel 1)
would be different from the multi-user target would be different from the
graphical target.

-Toshio