Hi,

On Thu, 3 Mar 2011 at 11:25, Tollef Fog Heen wrote:
> Then just don't use it? Nobody is forcing you to.
[...]
> | And even if you do not care about it, then that functionality should be
> | explicitly configured and not on per default.
>
> That makes it much less useful. On the other hand, it's not like your
> system will suddenly go around connecting to random services just
> because it sees them announced.

So you contradict yourself within two paragraphs. It makes it less useful to enable it only on manual intervention (say, it should be enabled automatically), but on the other hand you say that nobody is forcing me (or others) to use it. How does that play together?

> Oh, I quite like services to announce themselves so I can just do ssh
> foo.local. Not everything gets set up in DNS and ssh caches the host
> key so doing a mitm attack after the initial handshake is prevented.

Not every service has that security fence.

> Except zeroconf isn't routed so to be able to exploit it you need to be
> on the same physical segment?

Physical might be relative with wireless networks. But you are right that it isn't routed (thank goodness); that only prevents it from taking down the whole net, though.

> If you have found any bugs where network sinks are used automatically
> please file bugs about that.

Oh, there is no chance of that, as I never ever will use such stuff.

> Really, if you want to disable avahi, please feel free to do so on your
> systems.

That is what the discussion is about, yes. And the pressure some dependencies bring in.

> Or use a firewall, or both.

It is said in other places that firewalling is not the solution.

> Debian has a fair balance of functionality, security and convenience
> out of the box,

Unfortunately some people in Debian have started to place convenience much higher than security. I think that is a dangerous trend. Debian gives up more and more security for convenience.

> if you disagree with the current balance, feel free to invest the work
> into making it possible to harden Debian further.

Oh, I did. I am not a DD and involved myself in some discussions about that. But finally I found out that the force of (some) DDs is higher than mine and that they misuse it. So I am only able to fix the issues I have locally and share the hardened packages with others on a private repository. That is not great, but sometimes it is the only workable way. And it is no easy way.

Regards
Klaus

-- 
Klaus Ethgen http://www.ethgen.ch/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <kl...@ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B

Archive: http://lists.debian.org/20110303105413.gb20...@ikki.ethgen.ch
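The practical question behind the exchange above is whether an mDNS responder is bound on the host and how to turn it off locally, which is what Klaus says he does and what Tollef suggests as the alternative to a firewall. The script below is an added example, not code from the thread or from the avahi project: it parses `ss -ulnp`-style output (the socket table shown is constructed for illustration, the process names and PIDs are made up) to report any UDP socket bound to port 5353, and then shows the disabling steps. The `disable_avahi` function is defined but not run, since it changes a live system.

```shell
#!/bin/sh
# Added example: spot an mDNS responder on UDP 5353 from `ss -ulnp` output
# and show how to disable avahi-daemon on a Debian host.

# Constructed socket table in the layout `ss -ulnp` prints
# (State Recv-Q Send-Q Local:Port Peer:Port Process); not real output.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*     users:(("avahi-daemon",pid=812,fd=12))
UNCONN 0      0      [::]:5353         [::]:*        users:(("avahi-daemon",pid=812,fd=13))
UNCONN 0      0      0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=640,fd=6))'

# Print the local address of every UDP socket bound to port 5353 (mDNS).
# Reads `ss -ulnp` output on stdin; the header line is skipped.
mdns_listeners() {
    awk 'NR > 1 && $4 ~ /:5353$/ { print $4 }'
}

# Count such sockets; prints 0 when no mDNS responder is bound.
mdns_count() {
    awk 'NR > 1 && $4 ~ /:5353$/ { n++ } END { print n + 0 }'
}

# Disable avahi on a live Debian system (illustrative; not executed here).
# avahi-daemon.socket is a socket-activated unit: stopping only the service
# lets a local client connecting to /run/avahi-daemon/socket start it again,
# so both units are disabled and the service is masked. Requires root.
disable_avahi() {
    systemctl disable --now avahi-daemon.socket avahi-daemon.service
    systemctl mask avahi-daemon.service
}
# Firewall alternative (assumes an existing `inet filter` table with an
# `input` chain): nft add rule inet filter input udp dport 5353 drop

# Report on the constructed sample; on a real host pipe `ss -ulnp` instead.
printf '%s\n' "$SAMPLE_SS" | mdns_listeners
```

On a real host replace the sample with `ss -ulnp | mdns_listeners`; two addresses (IPv4 and IPv6 wildcard) are the normal footprint of a running avahi-daemon, and an empty result after `disable_avahi` confirms nothing re-bound the port.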