[Guidelines change] Changes to the packaging guidelines

Miloslav Trmač mitr at redhat.com
Tue May 26 18:45:35 UTC 2015


Hello,
> > Nevertheless, you raise an interesting question in general.  The way
> > I understand the motivation for the restriction is to avoid any
> > chance of attack or unexpected access over the network.  [...]
> 
> OK, so the question is - are we (still) trying to preclude -local-
> escalation-of-privileges type problems?

Hopefully not just trying to: http://fedoraproject.org/wiki/Privilege_escalation_policy .

I.e. there should be no known unrestricted privilege escalation paths.

> If not, then many more
> services can be enabled by default - as long as they bind only to
> unix-domain sockets and/or localhost.

As for restricted/authenticated privilege escalation: the default choice should be “switched off”, i.e. never install and enable a service just because someone wrote it if there is no actual need to keep it installed and enabled by default. (This is the case we’ve been burned with in the 1990s—“Internet server” Linux distributions and UNIX products: package all available servers, install and enable all of them by default, they were supposedly either harmless or properly authenticated—except that the implementations, not the design intent, were insecure.)

Obviously some services are much less, if at all, useful if not enabled by default, so this is obviously a balancing act; but I do want to stress that “services can be enabled by default” should be viewed more as a responsibility and a burden, rather than as a freedom to be celebrated and gleefully used to the maximum extent.

> (I guess we're not supposed to
> count on the default firewalls?)

The firewall that allows most incoming connections on Workstation? No.
    Mirek
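The exchange above turns on whether an enabled-by-default service really listens only on unix-domain sockets or loopback, and on not relying on the Workstation firewall. The following is an added example, not part of the original thread and not Fedora tooling: a small POSIX sh audit that reads `ss -H -ltun`-style output and reports every TCP/UDP listener bound to something other than a loopback address. The `SAMPLE_SS_OUTPUT` lines are constructed for the example; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): report listening
# sockets that are reachable from beyond the local host.
#
# Input format is that of `ss -H -ltun` (no header):
#   Netid State Recv-Q Send-Q Local_Address:Port Peer_Address:Port [Process]
# Wildcard binds (0.0.0.0, [::], *) count as exposed; only 127.x and ::1 are
# treated as loopback. Unix-domain sockets never appear in `-t`/`-u` output,
# so they are implicitly accepted.

# Return 0 if the local address part is loopback-only, 1 otherwise.
is_loopback_addr() {
    case "$1" in
        127.*|\[::1\]|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ss-style lines on stdin; print "netid local_address:port" for each
# listener that is not bound to loopback.
exposed_listeners() {
    while read -r netid state recvq sendq laddr peer rest; do
        [ -z "$netid" ] && continue
        # Strip the trailing ":port". IPv6 addresses are bracketed in ss
        # output, so the last ':' always separates the port.
        addr="${laddr%:*}"
        if ! is_loopback_addr "$addr"; then
            printf '%s %s\n' "$netid" "$laddr"
        fi
    done
}

# Constructed sample in `ss -H -ltun` layout (not real host data): a mix of
# loopback-only listeners and wildcard binds.
SAMPLE_SS_OUTPUT='udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::1]:631 [::]:*
tcp LISTEN 0 4096 *:111 *:*'

# Run the audit against the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
}

# Run the audit against the live host: `sh audit.sh --live`.
case "${1:-}" in
    --live) ss -H -ltun | exposed_listeners ;;
esac
```

Run with `--live` on a real host to see what is actually exposed; anything listed there is only as protected as the firewall zone the interface sits in (`firewall-cmd --get-active-zones` and `firewall-cmd --list-all` show that), which, as the message notes, is not a restriction to lean on for Workstation.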
