Package: boot-floppies,www.debian.org
Version: N/A; reported 2002-07-29
Severity: critical
Tags: security
Justification: breaks unrelated software

Hi,

The paragraph:

"Please note that the ssh package in this release enables root logins by default. (Disabled in 2.2) If you do not need this feature for remote access to your system you should ensure that the PermitRootLogin option in /etc/ssh/sshd_config is set to no after upgrade for security reasons. To ensure dpkg never updates the file to match new defaults, you can simply modify the file locally. Adding a blank line is enough."

(in section 3.2.2) should be removed immediately for these reasons:

a) installing the new package tells you the useful parts of this information already (to wit, that the default has changed, and how to set it back if you so wish)

b) it is factually incorrect (the postinst will offer to auto-generate a new configuration file for you if you're upgrading from the 1.3 package, and do nothing in this regard otherwise); dpkg will not do anything to the configuration file on upgrade to woody in any case. Thus it will confuse people as to what is going on wrt PermitRootLogin.

c) the wording is clearly designed to subvert the package maintainers' default, and indeed with the security properties of this setting.

Without entering into a debate on the rights and wrongs of this setting (since this is not the place to do so), it is absurd that we should ship with a package and release notes that disagree with each other; the release notes should go along with the packages in question, so we at least appear to be consistent.

If the author of this section of the release notes (who was not me) disagrees with my defaults for the ssh package, then there are other fora to air those disagreements.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux ming 2.2.20 #4 Tue Jun 18 13:51:22 BST 2002 i686
Locale: LANG=C, LC_CTYPE=C
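
The report above turns on what PermitRootLogin is actually set to in /etc/ssh/sshd_config after an upgrade. As an added example that is not part of the original report or of the ssh package, the shell functions below read a given sshd_config and report the value it sets. The function names and the sample file are constructed for illustration, and a file that never sets the keyword is reported as "unset" because the fallback then depends on the installed package.

```shell
#!/bin/sh
# Added example (not from the bug report): audit PermitRootLogin in an sshd_config.

# Print the value of the first global PermitRootLogin line, or "unset".
# sshd uses the first value it obtains for a keyword, so a later
# "PermitRootLogin no" does not override an earlier "yes".
effective_permit_root_login() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[ \t]*#/ { next }                     # comment line
        /^[ \t]*$/ { next }                     # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            # Match blocks (later OpenSSH releases) are conditional, not global
            if (key == "match") exit
            if (key == "permitrootlogin") { print val; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Exit status 0 only when the file explicitly sets PermitRootLogin to "no".
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample: the commented-out line is ignored, the first live value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin no
Port 22
permitrootlogin yes
PermitRootLogin no
EOF
echo "effective PermitRootLogin: $(effective_permit_root_login "$sample")"
root_login_disabled "$sample" || echo "root login is not explicitly disabled"
rm -f "$sample"
```

On a real system the argument would be /etc/ssh/sshd_config; an "unset" result means the setting comes from whatever the installed sshd falls back to, which should be checked against that package's documentation.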