On Sunday, August 21, 2011 08:01:33 PM Rahul Sundaram wrote:
> On 08/22/2011 05:24 AM, Steve Grubb wrote:
> > Imagine an updated xinetd + upstart. Would that not solve the
> > problems, cause less turmoil, and be more secure?
>
> How? Fedora has talked about moving to systemd much before the Fedora
> 14 release.

Sorry, I was very busy at the time. I am just beginning to look to the future and what might be coming my way for RHEL7 Common Criteria. I have a hard time with systemd being network aware. The requirements going into RHEL7 will likely be meeting what was known as GPOSPP which includes requirements for a minimal Intrusion Prevention System. It's also a harder protection profile than we have ever met. With init performing an xinetd role, I can't see how I am to kill it when it goes rogue.

> It was postponed to Fedora 15, has become the default in that release and we have
> already migrated dozens and dozens of services and we are nearing the Fedora 16
> Alpha release shortly and aiming for 100% conversion by the general release.

I know. I added support in our audit package, but not upstream. I am not convinced yet this is a sound design. How many major throwaway subsystems have we seen over the years? The code may be perfectly implemented. But do we really want to design systems with a new, expanded attack surface? This is a design problem that is more secure as separate processes. (Going from sysvinit to upstart was no problem because the attack surface change is minimal.)

> How is moving *back* now to upstart going to be less turmoil?

You're not seeing the hundreds - no, thousands of emails about systemd? You are not seeing that all the expected facilities of init are not covered? There is well-founded rebellion here. How do I see all targets on a system? List all services enabled/disabled for each target in one shot? Chkconfig is not perfect, but it's a trusted friend. Also, not preparing for both server/desktop targets at a minimum seems problematic in my opinion.

> I understand that you are busy and paying attention to this matter only now but I
> can't consider this as a serious proposal.

I am wondering if it was ever considered to give xinetd a makeover? I bet the coding would have been done in 2-3 weeks tops.

-Steve