On Friday, August 19, 2011 10:50:51 AM Richard Hughes wrote: > On 19 August 2011 13:35, Steve Grubb <sgrubb@xxxxxxxxxx> wrote: > > All security guidance says turn off or get rid of avahi. We really don't > > want to require it just to print. > > Then "security" is flying in the face of usability. Generally there is that tension. The main objections is that it makes discovering system resources easy, which in terms of security is bad. It also used to punch a hole in the firewall and add routing rules. All of this is bad for security. If you are catering to a laptop crowd that wants to share music and pictures then avahi is no concern. If however you want a secure by default server OS, then avahi needs to default to disabled. The concern is when its allowed by default, then people might start relying on it to the extent that its impossible to remove later. For example, cups is used as part of the LSPP certification. People running in a LSPP configuration would be horrified to know avahi is now required for printing top secret documents. -Steve -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
