With the obvious understanding that all work is done by people who are willing to pitch in... whose domain does this fall under? Would this be something that the Fedora Security Team would focus on? Would this be done by the maintainers of the individual 'services'? I realize a lot of what people would consider 'sane default' configurations are going to vary greatly based on a person's needs, but there's probably some pretty simple baseline ones. Like for instance... should the apache service be loading kernel modules... imma say no on that one... I'm sure there's probably some reason out there why someone would want that, but I don't think it's crazy to suggest that most people using apache won't be wanting that.
So where does one start? File a ticket against the package for the maintainer to solve? That seems like we'd end up with no cohesive plan for the overall issue.
I'd be willing to do the leg work and go down the list and reach out to the maintainers, but it seems like there should be some sort of plan or vision for how this would go by either fesco or the security team.
On Wed, Mar 2, 2022 at 11:40 AM Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
On Thu, Feb 24, 2022 at 08:13:15PM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> It would probably be good to use more of those features, but you need
> to understand the service very well to know what systemd security
> features can be enabled for it.
I'd definitely love to see us put more effort into this — but we don't have
any specific resources for this kind of thing, so it needs to be someone's
labor of love.
See https://pagure.io/packaging-committee/issue/667 as a first start...
--
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure