Services that can start by default policy feedback
mjg59 at srcf.ucam.org
Mon Feb 28 14:03:26 UTC 2011
On Sun, Feb 27, 2011 at 11:13:44PM +0100, Till Maas wrote:
> On Sun, Feb 27, 2011 at 07:21:30PM +0000, Matthew Garrett wrote:
> > No, but it does mean that what you're proposing would involve adding
> > functionality to Anaconda. The current situation is that the services
> > that are started when the respective package is installed and the
> > services that are enabled by default by the Fedora installer *are* the
> > same.
> You wrote that Anaconda already has the code to active services, so
> there is no additional functionality needed. Only the list of services
> to be enabled needs to be extended.
Anaconda obviously has the code to activate services, given that you can
do so with Kickstart. But there's no mechanism for a set of packages to
be provided in order to allow a per-spin set of defaults. You'd need to
write code for parsing a configuration file of some description and
you'd need to provide a way to get those files into each spin's Anaconda
image. The multipathd case is one that's explicitly special-cased in the
> Nevertheless, this is a lot cleaner solution that having to recommend
> to users of Fedora to not install packages on systems on a network or
> with non-admin users logged in to avoid potential security risks
> because services might activate themselves.
What's the policy you actually want here? If it's "Services shouldn't
start by default" then your solution obviously satisfies that, but if
it's "Packages should not install anything that runs with elevated
privileges unless the user explicitly enables them" then it doesn't.
Matthew Garrett | mjg59 at srcf.ucam.org
More information about the devel