Joel Aelwyn wrote [Wed, Mar 16, 2005 at 08:39:48PM -0700]:
> Consider:
>
> * SCC systems have buildds.
>
> * Buildds must be network accessible.
>
> * The first rule of securing a machine exposed to the wilds is "Deny by
> default, allow by need".
>
> Therefore, a box which does not provide basic firewalling capabilities
> (whether that's achieved by configurable ACLs, mind-reading the human
> traffic trigger, or pixies inspecting every packet) is thus not suitable
> for running a buildd on, and thus can never achieve SCC status.
>
> Sorry, but being able to cope with a hostile environment *is* a requirement
> in today's network, and there isn't any real way around that fact. I have
> no clue where Hurd network filtering stands at the moment, so I can't
> comment on how far it is from having this feature. I wouldn't be willing to
> admin any such box that was plugged into a network using a ten foot pole,
> and I don't see why the DSA folks should be expected to either.

I would admin such a machine precisely by using a ten foot pole - That
ten foot pole can be materialized into a firewall-able machine sitting
between it and the network.

I agree that any Debian architecture needs to provide basic networking
facilities, but I don't think firewalling is a real requirement. Yes,
of course, we expect users to actually _run_ this architecture, and
they will probably be connected to the network, and thus they can be
at risk - But right now Debian installs are done with no firewalling
rules on anyway.

Greetings,

--
Gunnar Wolf - [EMAIL PROTECTED] - (+52-55)1451-2244 / 5554-9450
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF