As one who maintains a remix for journalists, I expect the default for a workstation should be that you must explicitly know what you are doing to open a port, and enable or start a service - the default release should have a minimum attack surface by design. As a result of this discussion I plan to modify my remix so that is the case - ports open by default in Fedora 21 Workstation will be closed in OSJourno. I'm on the fence over the ports below 1024, but I suspect those should be closed as well.

On Mon, Dec 8, 2014 at 10:41 AM, Adam Jackson <ajax@xxxxxxxxxx> wrote:
> On Mon, 2014-12-08 at 18:40 +0100, Reindl Harald wrote:
>
>> * vulnerable port open
>
> Yeah, see, this bit right here is the actual issue. Curiously, AV
> software on Other Operating Systems has had the ability to delegate this
> very policy decision to the user session for at least a decade, and yet
> nobody on this thread seems to have any desire to _write code_ to _fix
> the problem_.
>
> Instead we are treated to infinite spew about how nostalgic we are for a
> security model we learned in 1996. Sorry y'all, port-based security
> does not match reality's threat model. Let's be better than that.
>
> - ajax
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

--
Twitter: http://twitter.com/znmeb; OSJourno: Robust Power Tools for Digital Journalists https://osjourno.com

Remember, if you're traveling to Bactria, Hump Day is Tuesday and Thursday.