systemd requires HTTP server and serves QR codes
Peter Robinson
pbrobinson at gmail.com
Mon Oct 8 19:32:37 UTC 2012
On Mon, Oct 8, 2012 at 7:39 PM, Miloslav Trmač <mitr at volny.cz> wrote:
> On Mon, Oct 8, 2012 at 7:59 PM, Matthew Miller <mattdm at fedoraproject.org> wrote:
>> On Mon, Oct 08, 2012 at 07:37:42PM +0200, Miloslav Trmač wrote:
>>> We support a "minimal installation" target
>>> (https://fedoraproject.org/wiki/Features/MinimalPlatform ), and this
>>> really doesn't seem like something that should be included, for the
>>> same reason we don't ship a disabled-by-default ident or httpd in the
>>> minimal installation.
>>
>> I'm for a minimal installation. Let's be clear: what's the reason?
>
> 1) Ability to review - it much easier to verify security/sanity of
> files that are not there at all than of files that are present but
> supposedly unused.
> 2) Risk of enabling the service by mistake (which, given that
> journal-gatewayd will happily serve private log data to the whole
> internet AFAICS, is has a pretty bad impact in this particular case).
> 3) Overhead/downtime associated with upgrades of unused components
> (which wouldn't apply for a systemd subpackage here, but would apply
> to libmicrohttpd).
> 4) Disk space
And if it's only listening on localhost by default there's not much
point of it running on a server where there's no easy means of doing
so.
I would like to see it split into a sub package even if the subpackage
is installed by default. I think for people like this there should be
the ability to easily completely opt out (ie remove it) to completely
remove any option of compromise if they wish to do so. There's a lot
of platforms and auditors that wouldn't want this installed at all
(whether it be Fedora or RHEL) due to security risks whether it be a
valid opinion or not (ever had to deal with PCI-DSS auditors?).
Peter
More information about the devel
mailing list