On Sun, 22 Feb 2015 15:04:18 +0100 Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:

> Are Fedora packages allowed to have a default configuration in which
> the service accepts commands from the network in the default
> configuration?

Commands from the network? What sort of commands? Perhaps you had an example package in mind that caused you to bring this up?

There's nothing I can think of off hand in the packaging guidelines about accepting commands from the network in the default config. It sounds like common sense would be to avoid such a thing, though.

> The daemon is not enabled by default, so the administrator has to do a
> systemctl enable/start first.

Right, there are guidelines on this.

> This means that just installing the
> package does not create a problem, and an explicit admin action is
> necessary for the daemon to start listening. Nevertheless, I'm still
> worried that people will start the service to try it out without
> reading the fine print and will be vulnerable to attack. I would think
> that the Packaging Guidelines cover this, but I don't think they do.

As the saying goes, "It's hard to legislate common sense" (i.e., it's hard to write down every single thing people should/should not do).

Many packages in this situation at least listen only on localhost, so the issue isn't remote access anyhow.

IMHO, I would talk to the package maintainer(s) and ask them to do something to improve the situation.

kevin