* Luk Claes (l...@debian.org) [091018 14:51]: > Andreas Barth wrote: > > after some discussion we had today on IRC, I tend to think we should > > put a section within "security" of the release policy that says > > something like "Packages must not open listening sockets at localhost > > where usage of a unix domain socket (in the filesystem) would be > > equally sufficient". > > > > Reasoning for this is that opening listening sockets with the network > > allows "better" ways to exploit security bugs than in the traditional > > unix filesystem.
> In general that seems to be harsh unless you are talking about software > that never should listen on the network or where the use case of not > listening on the network is really important. Basically it would be "if there is no bonus in listening on the network don't do it". I agree that this is a bit strict, however the current stanca | Programs must be setup to use the minimum privleges they can. is already as strict re priveleges, so I think it would fit. > Unless you want to make it should not instead of must not? "should" shouldn't be part of the release policy I'd say. :) Cheers, Andi -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
