On Fri, 2005-06-17 at 01:21 -0700, Duncan wrote:

> The client/server thing is a concern for me here, as well, for security
> reasons. If I don't have an SSH server merged, it can't inadvertently
> be turned on somehow. SSH is apparently a dependency for something I have
> merged, and currently, it includes the SSH server. That worries me, as
> it's a server component on a normally client system, and is thus a
> potential security vuln. IMO, having it there when it's not used and the
> human behind the machine has no intention of running it, is just /asking/
> for security issues. It shouldn't be there in the first place.
> Unfortunately, there's no USE flag to turn it off.

There is zero security risk unless you, as root, start the server.

> Similarly with a couple of the DHCP packages I was looking at a few weeks
> ago. I normally run static IPs on a LAN behind a NAPT-based router,
> giving me a /bit/ more leeway in terms of security on my Linux box, but
> decided to install some form of DHCP just in case. Several of those
> packages have both clients and servers, with apparently no way to only
> install the client, short of hacking the ebuild. IMO, that's not the way
> it should be. Gentoo isn't supposed to work that way, and PARTICULARLY in
> this sort of instance, where getting mixed up in your configuration may
> mean you start the server instead of the client, is a security risk that
> simply shouldn't have to be there in the first place.

I think you have the wrong assumption here on how Gentoo is "supposed to
work". Gentoo ships packages as close to how upstream packages them as
possible. If you have a problem with the daemon being shipped with the
client, then complain upstream. We have always provided the package as
determined by upstream. Splitting packages is a waste of developer time
and also makes things much more complex dependency-wise.

If you do not want the binary for the server installed, then edit the
ebuild yourself, remove the binary, or use INSTALL_MASK. It isn't like we
have not provided methods for you to do this yourself. You cannot expect
us to provide for every possible scenario and still get anything
accomplished.

--
Chris Gianelloni
Release Engineering - Strategic Lead/QA Manager
Games - Developer
Gentoo Linux
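The INSTALL_MASK route mentioned in the reply is the one that needs no ebuild editing: Portage drops any file in a package's install image whose path matches a mask entry before merging it to the live system, so the server binary and its init script never land on disk. The script below is an added example, not code from the mailing-list post or from Portage itself; it models that filtering step over a constructed file list (the paths are illustrative of an OpenSSH-style package and are not taken from any real ebuild) so the effect of a given mask can be seen before it is put in make.conf. The make.conf line in the comment is the assumed equivalent setting.

```shell
#!/bin/sh
# Added example (not from the post or from Portage): a small model of how
# INSTALL_MASK filters files out of a package image before merging.
# Assumed equivalent setting in /etc/portage/make.conf:
#   INSTALL_MASK="/usr/sbin/sshd /etc/ssh/sshd_config /etc/init.d/sshd"

# Constructed sample of an image file list, one absolute path per line
# (illustrative only; real package contents vary).
IMAGE_FILES='/usr/bin/ssh
/usr/bin/ssh-keygen
/usr/sbin/sshd
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/init.d/sshd
/usr/share/doc/openssh/README'

# apply_install_mask MASK FILES
# Prints every path in FILES that no pattern in MASK matches. A pattern
# matches a path exactly (shell glob rules) or as a directory prefix, so a
# masked directory removes everything beneath it, as Portage does.
apply_install_mask() {
    mask=$1
    files=$2
    printf '%s\n' "$files" | {
        # Disable pathname expansion so splitting $mask never globs against
        # the real filesystem; case patterns still match normally.
        set -f
        while IFS= read -r path; do
            [ -n "$path" ] || continue
            masked=0
            for pattern in $mask; do
                case "$path" in
                    $pattern|$pattern/*) masked=1; break ;;
                esac
            done
            if [ "$masked" -eq 0 ]; then
                printf '%s\n' "$path"
            fi
        done
    }
}

# Demonstration: keep the client, drop the daemon, its config and init script.
echo "Files that would be merged with the server masked out:"
apply_install_mask "/usr/sbin/sshd /etc/ssh/sshd_config /etc/init.d/sshd" "$IMAGE_FILES"
```

Masks are checked against the image, not the live system, so an entry that matches nothing is harmless; the only way to confirm a mask did what was intended is to inspect the merged file list (for Portage, the package's CONTENTS record) after emerging. Note that masking the binary only removes the file: it does not change the package's dependencies or what upstream considers part of the package, which is exactly the point the reply makes.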