On 08/02/2020 13.47, Stefan Seyfried wrote:
| Am 08.02.20 um 12:57 schrieb Michael Ströder:
|> Security best practices mandate that you only have needed
|> functionality enabled. Bear in mind that nss_ modules listed in
|> /etc/nsswitch.conf get linked into every process.
|> Thus I always remove unneeded stuff from nsswitch.conf,
|> especially the nis module.
| Well, and you do exactly the same in the future: by providing your
| own nsswitch.conf, you override the defaults.
| Nothing really changes.
|> Yes, today I can completely override the compile-time defaults
|> with /etc/nsswitch.conf. But I suspect that the other day
|> somebody has this great idea of making this impossible.
| Has anybody spoken about "let's remove nsswitch.conf and just
| compile in the only possible setup"? I have not read anything
| resembling this.
| But instead of "shipping a default config file where you need to
| guess at next update if it has been changed" I think that "do not
| ship a default config file, but just set the defaults to what used
| to be in this file" seems sensible, because then you know *if*
| there is a config file, the admin has expressed his wishes -- and
| you can obey them. Or warn with a postinst message that he needs to
| look because something changed.
Having the defaults in the binary means that we users/admins will not
know when the defaults change. Same problem as with removal of rpmnew
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)
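An added example, not part of the original thread: a small audit of an nsswitch.conf that reports which NSS modules outside an allowlist would be loaded, and which databases are not set in the file at all and therefore depend on the library's built-in defaults. The allowlist, the list of databases checked and the sample file are assumptions made for illustration; the `libnss_<service>.so.2` naming is the glibc convention.

```python
import re

# Assumptions for this example: site allowlist and the databases to check.
ALLOWED_SERVICES = {"files", "dns"}
EXPECTED_DATABASES = ("passwd", "group", "shadow", "hosts", "services", "netgroup")

# Constructed sample, not taken from a real system.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:   files nis
group:    files [NOTFOUND=return] nis
hosts:    files mdns4_minimal [NOTFOUND=return] dns   # trailing comment
netgroup: nis
"""

def parse_nsswitch(text):
    """Return {database: [service, ...]} in lookup order."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        database, sources = line.split(":", 1)
        # Drop [STATUS=action ...] items; only service names load modules.
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        config[database.strip().lower()] = sources.split()
    return config

def audit(text, allowed=ALLOWED_SERVICES, expected=EXPECTED_DATABASES):
    """Return (unwanted modules per database, databases left to defaults)."""
    config = parse_nsswitch(text)
    unwanted = {}
    for db, services in config.items():
        extra = [s for s in services if s not in allowed]
        if extra:
            unwanted[db] = [f"libnss_{s}.so.2" for s in extra]
    # Databases missing from the file are resolved by compiled-in defaults.
    implicit = [db for db in expected if db not in config]
    return unwanted, implicit

if __name__ == "__main__":
    unwanted, implicit = audit(SAMPLE)
    for db, mods in unwanted.items():
        print(f"{db}: outside allowlist -> {', '.join(mods)}")
    for db in implicit:
        print(f"{db}: not set in file, library default applies")
```

Setting every database of interest explicitly in the file keeps the second list empty, so a change in the compiled-in defaults does not alter lookups on that host.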