Package: netbase
Version: 6.0
Severity: important

Hi.

Recently, isakmp was removed for udp from /etc/services.

First, this should be added back, as it's perfectly fine to be used on UDP (see rfc2408). IIRC UDP was actually *the* transport protocol on which it's used (TCP is only briefly mentioned in the standard). It's rather the TCP version which should be removed (but this should be thoroughly checked first).

This however points to another serious problem with simply removing entries from services. People may actually use these and since they likely don't read the changelog and there is no NEWS.Debian which would mention it (and which one can expect users to read) pretty bad things can happen.

In my case I used it in iptables rules files, so either
- the rules are (rather silently) not loaded and thus system security could easily be compromised completely (since the default Debian boots anyway even if e.g. netfilter-persistent fails to load rules), or
- in my case, where I've tightened the unit files for netfilter-persistent a bit (i.e. making it a hard RequiredBy=sysinit.target network-pre.target network.target), it causes the system to hang at boot... which is still better than a security compromise but still not so good ;-)

Not sure what's best to do, cause obviously it makes sense to keep services cleaned up. Maybe you should add NEWS.Debian entries each time you remove something.

Cheers,
Chris.
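An added example, not part of the original report and not netbase or netfilter-persistent code: a check that lists symbolic port names in an iptables-save style rules file which have no matching name/protocol entry in services(5) text, the situation the report describes for isakmp on udp. The sample services and rules text are constructed, and the function names are hypothetical.

```python
import shlex

# Constructed sample: services(5) text after the udp entry for isakmp was dropped.
SAMPLE_SERVICES = """\
ssh             22/tcp
domain          53/tcp
domain          53/udp
isakmp          500/tcp
"""

# Constructed sample rules file in iptables-save format.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -p udp -m udp --dport isakmp -j ACCEPT
-A INPUT -p udp -m multiport --dports domain,4500 -j ACCEPT
COMMIT
"""

PORT_FLAGS = {"--dport", "--sport", "--destination-port", "--source-port",
              "--dports", "--sports", "--ports"}

def parse_services(text):
    """Return the set of (name, proto) pairs, aliases included."""
    known = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            proto = fields[1].split("/", 1)[1]
            known.update((name, proto) for name in [fields[0]] + fields[2:])
    return known

def unresolved_ports(rules_text, known):
    """Return (line_no, proto, name) for each symbolic port not in `known`."""
    missing = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        if not line.startswith(("-A ", "-I ")):
            continue
        tok = [t for t in shlex.split(line) if t != "!"]  # drop negation markers
        proto = next((tok[i + 1] for i, t in enumerate(tok[:-1])
                      if t in ("-p", "--protocol")), None)
        for flag, value in zip(tok, tok[1:]):
            if flag in PORT_FLAGS:
                for part in value.replace(":", ",").split(","):
                    if part and not part.isdigit() and (part, proto) not in known:
                        missing.append((no, proto, part))
    return missing

if __name__ == "__main__":
    for no, proto, name in unresolved_ports(SAMPLE_RULES, parse_services(SAMPLE_SERVICES)):
        print(f"line {no}: no {proto} entry for service name '{name}'")
```

Run against the contents of the real /etc/services and rules file after a netbase upgrade, a non-empty result identifies rules that would fail to load because a name no longer resolves.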