On Sun, Feb 22, 2015 at 01:08:34PM -0700, Kevin Fenzi wrote:
> On Sun, 22 Feb 2015 15:04:18 +0100
> Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
>
> > Are Fedora packages allowed to have a default configuration in which
> > the service accepts commands from the network in the default
> > configuration?
>
> Commands from the network? What sort of commands?

Monitoring status, bringing the service down, extracting data, adding data, deleting data. I'm not aware of further escalation, but it certainly could be possible.

> Perhaps you had an example package in mind that caused you to bring
> this up?

Yes, this was about the elasticsearch review. I left that piece of information out on purpose, because I was hoping for a general rule.

> As the saying goes "It's hard to legislate common sense" (ie, it's hard
> to write down every single thing people should/should not do).
>
> Many packages in this situation at least listen only on localhost, so
> the issue isn't remote access anyhow.
>
> IMHO, I would talk to the package maintainer(s) and ask them to do
> something to improve the situation.

So, my problem is whether the package should go through review in its current state. My gut feeling is that it shouldn't, but I don't want to overstep my role as a reviewer.

Zbyszek