Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)

To: Alan Barrett <apb%cequrux.com@localhost>
Subject: Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
From: Julio Merino <jmmv84%gmail.com@localhost>
Date: Wed, 20 Jan 2010 18:27:49 +0000

On Wed, Jan 20, 2010 at 1:17 PM, Alan Barrett <apb%cequrux.com@localhost> wrote:
> On Wed, 20 Jan 2010, Julio Merino wrote:
>> On Wed, Jan 20, 2010 at 7:23 AM, Bernd Ernesti <veego%netbsd.org@localhost> 
>> wrote:
>> > On Tue, Jan 19, 2010 at 10:08:11PM +0000, Julio M. Merino Vidal wrote:
>> >> Add the check_pkg_vulnerabilities and check_pkg_signatures options
>> >> to the security script to check that the installed packages are
>> >> sane.
>
> Great!
>
>> >> All of these options are enabled by default but they will only run
>> >> if there is, at least, one installed package.
>> >
>> > I object for enabling that by default and you haven't answered my
>> > concerns when you brought this up.
>
> Nothing in NetBSD should phone home by default.

Well, why?  You wrote "should", so that's open to interpretation.

Anyway: having a list of all components that call home (callhome(7)?)
as a manpage would be good and being able to disable/enable such
behavior from sysinst too.  As to what the default should be in the
/etc/defaults config files, at that point I wouldn't care.

> It would be fine if it added a warning to the security report by
> default.  (e.g. "Warning: <option> is turned off, and that's bad because
> <reason>; do <this> to turn it on or <that> to never be reminded
> again".)

Adding that to the security report will make security reports, that
otherwise would be empty and therefore not sent, noisy.  Maybe
fetch_pkg_vulnerabilities should be a tristate yes/no/shutup.

>> The fact that we didn't do such a thing in the past is not an excuse
>> not to do it now.
>
> The fact that we used to care about users' privacy is not an excuse to
> stop doing so now.

Well, that's a very different reason that no one raised before.  But
how does this affect privacy?  Our queries do not contain any
user-identifiable information other than an IP, and the code is there
for anyone to review that that's the case.

-- 
Julio Merino

Follow-Ups:
- re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
  - From: matthew green
- Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
  - From: Christos Zoulas

References:
- Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
  - From: Julio Merino
- Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
  - From: Alan Barrett

Prev by Date: Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
Next by Date: Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
Previous by Thread: Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
Next by Thread: Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
Indexes:

Home | Main Index | Thread Index | Old Index