On Thu, Mar 3, 2011 at 1:31 PM, Olaf van der Spek <[email protected]> wrote:
> On Thu, Mar 3, 2011 at 1:16 PM, Lars Wirzenius <[email protected]> wrote:
>> On to, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
>>> some packages announce their existence to the world without any admin
>>> decision!
>>> It is not a fud and a security hole!
>>
>> That's a vague generality... which packages? You mentioned phpmyadmin.
>> What are the actual problems that result from this announcement? What
>> bad things happen from it? Can the fact that you have phpmyadmin become
>> known to an attacker via port scanning, or similar techniques? If so,
>> does it matter if phpmyadmin also announces things via avahi? What do
>> you suggest as a solution? Would a blanket policy of having all services
>> to default to not announce themselves? What would the problems from such
>> a policy be?
>>
>> (I don't know much about this stuff, and I don't particularly care, but
>> it'd be nice if we could turn the discussion into a constructive one.)
>
> Windows has the concept of home / private and public networks. On
> public networks, sharing gets disabled.
> Such a concept would be good for this situation as well. Let the user
> indicate what type of network he is on and what type of services
> should be opened to that network.

The last bug is not about this, it is I have a phpmyadmin running as www user and I announce I run it. Not really good to give the path to phpmyadmin (that is running by admin decision)

Bastien

> Olaf

