On Mon, Aug 01, 2011 at 12:14:31PM +0200, Marco d'Itri wrote:
> > Making the "do not start by default" policy default for the distro should
> > improve out-of-box security.
> When I install a package I want to actually use it.
> A better security policy is to not install by default useless packages.
>
What is "use"? For example, the rsync package provides both the "rsync" client and
the rsync daemon. Both cases are "use", right?

Another example is dovecot-imapd. It's possible to use it in preauthenticated
mode. In such a case no system-wide daemon is required, and the mail client should
just start imapd and talk with it using stdin/stdout.

Also, some services may be needed only sometimes (like ejabberd on a laptop when
developing some XMPP stuff).

Or the "tor" package, which also provides a system-wide tor daemon. At the same time
it's possible for every user to use tor individually and start it only when
needed. At least on laptops.

-- 
WBR, Dmitry