On Wed, Sep 29, 1999 at 06:38:55AM -0400, Michael Stone wrote:
> The fantasy is over--WELCOME TO REAL LIFE! It turns out that some
> people install linux without preexisting knowledge of how to securely
> administer a unix machine.

sorry, it's you who needs to wake up to the real world. if people don't know how to administer a unix machine then they need to learn fast. no amount of molly-coddling by the distribution authors (i.e. us) is going to obviate that essential requirement. maintaining security on your own systems requires personal knowledge and experience, it can not be done by proxy.

the "we-know-better-than-you" attitude is what redhat and caldera (and microsoft, for that matter) do. it sucks. debian has always done better than that - our way is to encourage people to learn to do it for themselves by not trying to hide the fact that knowledge and experience is required (not just optional or "would be nice" but absolutely required)

> When we ship a system with a bunch of stuff enabled by default,
> we're not only putting their machine at risk but we're also creating
> problems for everyone else whose system is attacked by someone using
> the debian machine as a jump-off point. That's bad.

that's bad. it's also bullshit.

enabling daemons by default is not inherently a security problem. see previous message. if a particular daemon is a problem then it needs to be fixed or replaced or dropped from the distribution. changing the default so that it is only enabled manually will NOT increase security at all.

> It's really time to get away from the mentality that everyone needs to
> have everything turned on all of the time; if a person really *needs*
> something enabled, they can figure out how to do it. (If they can't,
> should they really be administering a network node?)

if they don't need it then they shouldn't install the package. why run debian (with all its useful tools like update-inetd and update-rc.d and so on) if you're going to throw away those advantages?

> This isn't a UI issue, this is a matter of security and of us taking
> responsibility for the state of quite a few systems out on the
> internet which will be configured according to *our* defaults.

it's not a matter of security, it's a matter of personal preference. enabling daemons when they are installed is not a security problem.

it's damned annoying to see people trying to force their personal preferences on everyone else by making loud noises about trumped up nebulous and vague "security" issues. it would be nicer if such FUD were left behind in the proprietary software world.

craig

--
craig sanders