tech-userlevel archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)
On Wed, Jan 20, 2010 at 1:17 PM, Alan Barrett <apb%cequrux.com@localhost> wrote:
> On Wed, 20 Jan 2010, Julio Merino wrote:
>> On Wed, Jan 20, 2010 at 7:23 AM, Bernd Ernesti <veego%netbsd.org@localhost>
>> wrote:
>> > On Tue, Jan 19, 2010 at 10:08:11PM +0000, Julio M. Merino Vidal wrote:
>> >> Add the check_pkg_vulnerabilities and check_pkg_signatures options
>> >> to the security script to check that the installed packages are
>> >> sane.
>
> Great!
>
>> >> All of these options are enabled by default but they will only run
>> >> if there is, at least, one installed package.
>> >
>> > I object for enabling that by default and you haven't answered my
>> > concerns when you brought this up.
>
> Nothing in NetBSD should phone home by default.
Well, why? You wrote "should", so that's open to interpretation.
Anyway: having a list of all components that call home (callhome(7)?)
as a manpage would be good and being able to disable/enable such
behavior from sysinst too. As to what the default should be in the
/etc/defaults config files, at that point I wouldn't care.
> It would be fine if it added a warning to the security report by
> default. (e.g. "Warning: <option> is turned off, and that's bad because
> <reason>; do <this> to turn it on or <that> to never be reminded
> again".)
Adding that to the security report will make security reports, that
otherwise would be empty and therefore not sent, noisy. Maybe
fetch_pkg_vulnerabilities should be a tristate yes/no/shutup.
>> The fact that we didn't do such a thing in the past is not an excuse
>> not to do it now.
>
> The fact that we used to care about users' privacy is not an excuse to
> stop doing so now.
Well, that's a very different reason that no one raised before. But
how does this affect privacy? Our queries do not contain any
user-identifiable information other than an IP, and the code is there
for anyone to review that that's the case.
--
Julio Merino
Home |
Main Index |
Thread Index |
Old Index