* Lupe Christoph <l...@lupe-christoph.de> [090811 10:56]:
> > So it is in my eyes no criteria at all that the user has to change some
> > configuration. The question is whether this change is supposed to cause
> > the effects it does and if a user can be expected to understand the
> > effects.
>
> Please go ahead and file security-related bugs against all packages that
> allow the user to open security holes by changing the default
> configuration.
>
> I suppose we should agree to disagree and terminate this thread here. Of
> course I will not restrict your freedom to answer to this mail, but I
> will leave your reply unanswered because I believe we won't ever
> agree.

Thanks for "not restricting" my "freedom" to reply to a mail that
ridicules what I say by drawing absurd conclusions out of it.

I never said that being able to change a configuration to open holes
is in itself and always a security problem. What I am saying is that
needing user action or having to change a configuration file is no
reason at all to claim that something is not a security problem.

Annoyed,
Bernhard R. Link

> That is a bug because sshd does not what is documented. Suppose
> sshd_config had an option "PermitRootLogin always", meaning that no
> password or key is required to log in as root. Would it be a bug of sshd
> to include this option or a misfeature?

Of course not. And being able to add an option to sendmail to allow
everyone to relay would of course also definitely be no problem if it
was documented to do so and has a sensible name. And no one in this
thread claimed it would be.