On Wed, 12 Nov 2014 17:54, Stanislav Brabec wrote:
Marcus Meissner wrote:
So I would like not to have specific presets in packages, but track them all in the branding-presets-.
I understand your concern.
There is a question whether branding-presets- should be considered as presets approved by the security team for a particular product, or as a standard branding package which is expected to be modified by branders.
There are still ways to force-enable services in packages, even without presets and review.
grep -l "systemctl.*enable" */*.spec on the current Factory shows these candidates:
bluez/bluez.spec
cups/cups.spec
ipmiutil/ipmiutil.spec
ModemManager/ModemManager.spec
NetworkManager/NetworkManager.spec
openldap2/openldap2-client.spec
openldap2/openldap2.spec
openvpn/openvpn.spec
rsyslog/rsyslog.spec
sendmail/sendmail.spec
spice-vdagent/spice-vdagent.spec
syslogd/syslogd.spec
syslog-ng/syslog-ng.spec
systemd/systemd-mini.spec
systemd/systemd.spec
sysvinit/powerd.spec
wicked/wicked.spec
xen/xen.spec
IMHO it is remarkable that neither the 'big' databases (postgres/mysql) nor any of the httpd / imapd / popd / sshd have any of this 'special' handling in the spec file.

I have little trouble with the thought of an 'enable' preset for the syslog trio (rsyslog / syslogd / syslog-ng), but the hacks in the spec files smack of remnants of earlier times.

Personally, I vote for 'no enabling' for any daemon that cannot be used in a secure way out of the box without user input for the configuration.

That means "NO to auto-enable" of any IMAP / POP / mail daemon. Is openldap really usable without further config? And IPMI is a known security risk on its own.

As it is, it is hair-raising in terms of security.

- Yamaban.
(who abhors wicked, it kills vlan setups)

--
We, the under-trained, insufficient supplied, are called to work the miracles of tomorrow. Well, same s..t as yesterday then.
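The grep quoted in the thread only names the spec files that match. As an added example (not part of the thread and not openSUSE tooling), the audit below goes one step further and reports which scriptlet each `systemctl enable` call sits in and which units it enables, ignoring comment lines and `is-enabled` checks. The function name, the section lists and the sample spec are assumptions constructed for illustration.

```python
import re

# Scriptlet sections: their bodies run on the target system at install time.
SCRIPTLETS = {"pre", "post", "preun", "postun", "pretrans", "posttrans",
              "triggerin", "triggerun", "triggerpostun"}
# Other section headers; reaching one ends the current scriptlet.
OTHER_SECTIONS = {"description", "package", "prep", "build", "install",
                  "check", "clean", "files", "changelog"}
HEADER = re.compile(r"^%(\w+)\b")
# "systemctl [options] enable [options] UNIT..." up to the next shell operator.
ENABLE = re.compile(r"\bsystemctl\b[^;&|>#]*?\benable\b([^;&|>]*)")

def find_forced_enables(spec_text):
    """Return (line, scriptlet header, units) per 'systemctl enable' call."""
    findings, section = [], None
    for number, raw in enumerate(spec_text.splitlines(), start=1):
        line = raw.strip()
        header = HEADER.match(line)
        name = header.group(1) if header else None
        if name in SCRIPTLETS or name in OTHER_SECTIONS:
            section = line if name in SCRIPTLETS else None
            continue
        if section is None or line.startswith("#"):
            continue  # outside any scriptlet, or a comment line
        call = ENABLE.search(line)
        if call:
            units = tuple(t for t in call.group(1).split() if not t.startswith("-"))
            findings.append((number, section, units))
    return findings

# Constructed sample spec (not taken from any real package).
SAMPLE_SPEC = """\
Name: exampled
%install
# systemctl enable build-time.service
%post
%service_add_post exampled.service
# systemctl enable commented.service
/usr/bin/systemctl --quiet enable exampled.service exampled.socket >/dev/null 2>&1 || :
%postun
systemctl is-enabled exampled.service || :
%post -n exampled-client
if [ $1 -eq 1 ]; then systemctl enable exampled-client.service; fi
%files
"""

if __name__ == "__main__":
    print(*find_forced_enables(SAMPLE_SPEC), sep="\n")
```

Each finding is a candidate for review against the presets; the script does not judge whether enabling a given unit is acceptable.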