Trent,

> I'd like to repoint out that mDNS is an *untrusted*, *ad-hoc* source.
>
> if you have something relying on mDNS for any secure operation then THAT
> IS BROKEN, not Avahi.

You are correct. Avahi is inherently insecure, and by design. It is the fact of having mDNS on the machine at all that is the problem, whether or not any other services use it. It creates an insecure network overlay that can be used to communicate with other computers in violation of network security policies. It is for that reason that it should not be installed by default, and at the very least should not be a required dependency of the ubuntu-desktop as it is now.

In the United States, companies are required to segregate and control information within the company. E.g., human resources, accounting, and sales should not have access to each other's information except in certain pre-defined ways that are established by the company's information security policy. The network administrators go to great lengths to ensure that information can be shared in accordance with the policy.

For publicly traded companies, or those who have such aspirations, Sarbanes-Oxley imposes personal liability on corporate officers for violations of corporate information control policies. For detailed requirements of the Sarbanes Oxley requirement for information control, see http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.

Avahi permits employees to communicate information outside of the normal networking channels. Thus, an employee in accounting could grant access to payroll information to someone in sales, which would be VERY bad and would contravene standard practices in corporate networks.

I just don't see why we would intentionally install an insecure networking protocol by default.

Happy Trails,

Loye Young
Isaac & Young Computer Company
Laredo, Texas
http://www.iycc.biz

--
SetHostName can be called by users
https://bugs.launchpad.net/bugs/195140