tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: fetch_pkg_vulnerabilities enabled by default (was: CVS commit: src/etc)

On Wed, Jan 20, 2010 at 1:17 PM, Alan Barrett <> wrote:
> On Wed, 20 Jan 2010, Julio Merino wrote:
>> On Wed, Jan 20, 2010 at 7:23 AM, Bernd Ernesti <> 
>> wrote:
>> > On Tue, Jan 19, 2010 at 10:08:11PM +0000, Julio M. Merino Vidal wrote:
>> >> Add the check_pkg_vulnerabilities and check_pkg_signatures options
>> >> to the security script to check that the installed packages are
>> >> sane.
> Great!
>> >> All of these options are enabled by default but they will only run
>> >> if there is, at least, one installed package.
>> >
>> > I object for enabling that by default and you haven't answered my
>> > concerns when you brought this up.
> Nothing in NetBSD should phone home by default.

Well, why?  You wrote "should", so that's open to interpretation.

Anyway: having a list of all components that call home (callhome(7)?)
as a manpage would be good and being able to disable/enable such
behavior from sysinst too.  As to what the default should be in the
/etc/defaults config files, at that point I wouldn't care.

> It would be fine if it added a warning to the security report by
> default.  (e.g. "Warning: <option> is turned off, and that's bad because
> <reason>; do <this> to turn it on or <that> to never be reminded
> again".)

Adding that to the security report will make security reports, that
otherwise would be empty and therefore not sent, noisy.  Maybe
fetch_pkg_vulnerabilities should be a tristate yes/no/shutup.

>> The fact that we didn't do such a thing in the past is not an excuse
>> not to do it now.
> The fact that we used to care about users' privacy is not an excuse to
> stop doing so now.

Well, that's a very different reason that no one raised before.  But
how does this affect privacy?  Our queries do not contain any
user-identifiable information other than an IP, and the code is there
for anyone to review that that's the case.

Julio Merino

Home | Main Index | Thread Index | Old Index