Chris Gianelloni posted <1119016612.13606.13.camel@×××××××××××××××××.net>,
excerpted below, on Fri, 17 Jun 2005 09:56:52 -0400:

> On Fri, 2005-06-17 at 01:21 -0700, Duncan wrote:
>> The client/server thing is a concern for me here, as well, for security
>> reasons. If I don't have an SSH server merged, it can't inadvertently
>> be turned on somehow. [] Unfortunately, there's no USE flag to turn it
>> off.
>
> There is zero security risk unless you, as root, start the server.

I get the point, but if it's not there to be started, it cannot be
started, thru some fat-fingering on the part of a confused admin trying to
launch the client, or any other way. If it's needed, that's one thing, but
if it's not needed, it shouldn't be there. USE flags (not split
packages, I'll absolutely agree there) are the Gentoo way to control that.

>> Similarly with a couple of the DHCP packages I was looking at a few
>> weeks ago. [] Several of those packages have both clients and servers,
>> with apparently no way to only install the client, short of hacking the
>> ebuild. IMO, that's not the way it should be. Gentoo isn't supposed
>> to work that way, and PARTICULARLY in this sort of instance, where
>> getting mixed up in your configuration may mean you start the server
>> instead of the client, is a security risk that simply shouldn't have to
>> be there in the first place.
>
> I think you have the wrong assumption here on how Gentoo is "supposed to
> work". Gentoo ships packages as close to how upstream packages them as
> possible. If you have a problem with the daemon being shipped with the
> client, then complain upstream. We have always provided the package as
> determined by upstream. Splitting packages is a waste of developer time
> and also makes things much more complex dependency-wise.

Gentoo Philosophy page: "The Gentoo philosophy is to allow this user to
do what he or she wants to do, without getting in the way."

Of course, there's a practical limit to that. However, a simple
"clientonly" USE flag on client/server combo packages such as ssh and
dhcp would appear to be entirely within the Gentoo spirit, and generally
would require no more work than is already done in support of all sorts of
other USE flags. Simply don't compile or install the server, if a separate
binary from the client, and don't include /etc/init.d server starter
scripts (like sshd) and the like, if the clientonly USE flag is set.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman in
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html

--
gentoo-dev@g.o mailing list