On Fri, 2004-11-05 at 15:57 +0000, Luke Kenneth Casson Leighton wrote: > response 3: _is_ it the job of debian developers to dictate the minimum > acceptable security level?
It is absolutely Debian's job to provide a baseline level of security by default. Debian doesn't let you install a system by default without a root password, or install a mail server that relays mail from any IP address, etc. You're encouraged to create a regular user account for logins (IIRC). Likewise, I think it should be part of the standard Linux security practice to have SELinux enabled by default. With the targeted policy and all the flexibility it offers (e.g. just turn off protection for Apache, keep protection for named/portmap/syslog etc on), there's very little reason not to ship it on.
