| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 15/01/13 04:16 AM, Michael Weber wrote: |
| 5 |
> Hi, |
| 6 |
> |
| 7 |
> "This can have serious security implications" [1] |
| 8 |
> |
| 9 |
> For whom? |
| 10 |
|
| 11 |
I think the idea there is that a user expects eth0 and eth1 to stay |
| 12 |
the same, writes iptables rules on a per-interface basis to control |
| 13 |
what they want, then update the kernel or make some other change |
| 14 |
(upgraded udev, maybe? :D) which swaps them around and poof, the rules |
| 15 |
they thought were correct don't end up protecting them they way they |
| 16 |
assumed it would... |
| 17 |
|
| 18 |
Not saying this is necessarily valid, just saying how I interpreted |
| 19 |
their meaning of "serious security implications". |
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
> [about NIC names] ... Opt-out urges users into either adapt their |
| 24 |
> setups or disable the rules. |
| 25 |
|
| 26 |
Unless i'm mistaken (and i haven't done any sort of comprehensive |
| 27 |
search so I could be), I believe the majority of package rollouts for |
| 28 |
systemd-udev is going to provide an opt-in rather than an opt-out. I |
| 29 |
understand the general point here, that systemd-udev upstream perhaps |
| 30 |
should also be defaulting to an opt-in, but there isn't a whole lot of |
| 31 |
benefit in making that point on the gentoo ML.. :) |
| 32 |
-----BEGIN PGP SIGNATURE----- |
| 33 |
Version: GnuPG v2.0.19 (GNU/Linux) |
| 34 |
|
| 35 |
iF4EAREIAAYFAlD1YKMACgkQ2ugaI38ACPA8OgEAtK1Y3vHB3oBQyAdmZHYFZcBW |
| 36 |
4g9ry2YFts41Zu1wuXcA/REe9lunWnLQ9w4uZNxvFnZ0LqEK9lMrOP0pJEr3UHAq |
| 37 |
=06X2 |
| 38 |
-----END PGP SIGNATURE----- |
Archives