On 08/02/2020 13.47, Stefan Seyfried wrote:
| On 08.02.20 at 12:57, Michael Ströder wrote:
|> Security best practices mandate that you only have needed
|> functionality enabled. Bear in mind that nss_ modules listed in
|> /etc/nsswitch.conf get linked into every process.
|>
|> Thus I always remove unneeded stuff from nsswitch.conf,
|> especially the nis module.
|
| Well, and you do exactly the same in the future: by providing your
| own nsswitch.conf, you override the defaults.
|
| Nothing really changes.
|
|> Yes, today I can completely override the compile-time defaults
|> with /etc/nsswitch.conf. But I suspect that the other day
|> somebody has this great idea of making this impossible.
|
| Has anybody spoken about "let's remove nsswitch.conf and just
| compile in the only possible setup"? I have not read anything
| resembling this.
|
| But instead of "shipping a default config file where you need to
| guess at next update if it has been changed" I think that "do not
| ship a default config file, but just set the defaults to what used
| to be in this file" seems sensible, because then you know *if*
| there is a config file, the admin has expressed his wishes -- and
| you can obey them. Or warn with a postinst message that he needs to
| look because something changed.
|

Having the defaults in the binary means that we users/admins will
not know when the defaults change. Same problem as with removal of
rpmnew files.

--
Cheers / Saludos,

Carlos E. R.
(from 15.1 x86_64 at Telcontar)
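
As an added example (not part of this thread and not openSUSE tooling): a small Python audit of the practice discussed above, listing the NSS services named in an nsswitch.conf that fall outside an allowlist. The allowlist, the function names and the sample file are assumptions constructed for illustration; when no file exists it reports that compiled-in defaults apply, which it cannot inspect.

```python
import re
import sys
from pathlib import Path

# Constructed sample, not any distribution's shipped file.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     compat nis
group:      compat nis
hosts:      files mdns_minimal [NOTFOUND=return] dns
netgroup:   nis   # legacy
services:   files
"""

# Assumption: the services this host actually needs.
ALLOWED = {"files", "compat", "dns"}

# Action items such as [NOTFOUND=return] are not service names.
ACTION = re.compile(r"\[[^\]]*\]")


def parse_nsswitch(text):
    """Return {database: [service, ...]} in lookup order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        database, _, rest = line.partition(":")
        table[database.strip()] = ACTION.sub(" ", rest).split()
    return table


def audit(text, allowed=ALLOWED):
    """Return {service: [databases]} for services outside the allowlist."""
    findings = {}
    for database, services in parse_nsswitch(text).items():
        for service in services:
            if service not in allowed:
                findings.setdefault(service, []).append(database)
    return findings


if __name__ == "__main__":
    path = Path(sys.argv[1] if len(sys.argv) > 1 else "/etc/nsswitch.conf")
    if not path.exists():
        # The case debated in the thread: no admin-provided file.
        print(f"{path}: absent, compiled-in defaults apply (not visible here)")
        sys.exit(2)
    findings = audit(path.read_text())
    for service, databases in sorted(findings.items()):
        print(f"{service}: used by {', '.join(databases)}")
    sys.exit(1 if findings else 0)
```
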