service accepting commands from the network by default
zbyszek at in.waw.pl
Sun Feb 22 20:25:01 UTC 2015
On Sun, Feb 22, 2015 at 01:08:34PM -0700, Kevin Fenzi wrote:
> On Sun, 22 Feb 2015 15:04:18 +0100
> Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl> wrote:
> > Are Fedora packages allowed to have a default configuration in which
> > the service accepts commands from the network in the default
> > configuration?
> Commands from the network what sort of commands?
Monitoring status, bringing the service down, extracting data, adding
data, deleting data. I'm not aware of further escalation, but it certainly
could be possible.
> Perhaps you had an example package in mind that caused you to bring
> this up?
Yes, this was about the elasticsearch review. I left that piece of
information out on purpose, because I was hoping for a general rule.
> As the saying goes "It's hard to legislate common sense" (ie, it's hard
> to write down every single thing people should/should not do).
> Many packages in this situation at least listen only on localhost, so
> the issue isn't remote access anyhow.
> IMHO, I would talk to the package maintainer(s) and ask them to do
> something to improve the situation.
So, my problem is whether the package should go through review in current
state. My gut feeling is that it shouldn't, but I don't want to overstep
my role as a reviewer.