[Guidelines change] Changes to the packaging guidelines

Stephen Gallagher sgallagh at redhat.com
Fri May 22 02:44:09 UTC 2015

On Thu, 2015-05-21 at 21:03 -0400, Frank Ch. Eigler wrote:
> Jason L Tibbitts III <tibbs at math.uh.edu> writes:
> > Here are the recent changes to the packaging guidelines:
> > [...]
> >  * https://fedoraproject.org/wiki/Packaging:DefaultServices
> > [...]
> In this context (1.1 "locally running services"), what is a "public
> network socket"?  Is the idea that localhost services are now
> permitted by default (despite the risk of e.g. privilege escalation
> that we had tried to preclude before)?

The definition of "public" was intentionally vague, but perhaps we
could try to find a better way to say it. I was trying to treat it as
"network interfaces that accept connections from arbitrary sources".

I'm not sure that there's a tremendously meaningful distinction to be
made between allowing services that listen on D-BUS or a local UNIX
socket and services that listen on the localhost TCP socket, except
perhaps that D-BUS and UNIX sockets have a limited degree of built-in
authorization capability.

I'd personally prefer to assume the best intentions of our packagers;
specifically I'd assume that if there's a question as to the safety of
starting something by default, either they'd bring it up voluntarily or
someone would do so on their behalf if a problem was discovered.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150521/10106d80/attachment.sig>

More information about the devel mailing list