On Wed, Feb 22, 2006, Michael Stone wrote:
> From a pragmatic standpoint, pulling in nss-mdns is a PITA because it
> makes certain name queries take forever--so there are reasons aside from
> security to think this is annoying.

 (nss-mdns does mdns too, but it's not related to avahi)

> Securitywise, there is no doubt in my mind that this mdns stuff will
> open a lot of new vulnerabilities in the future--the history of this
> sort of service suggests that it is inevitable. Making it easy to pull
> in and activate as a side effect of apparently-unrelated packages is,
> IMO, a mistake.

 From a security point of view, every feature introduces risk. If you
 base all your reasoning on security, that is, if you make security rule
 number 1, you get zero features.

 I do agree that this is slightly different in that it adds a passive
 hole as soon as the package is installed, in contrast with packages
 being dangerous when used by end-users.

> The real question is whether installing gnome should mean that you get
> multicast dns. I'll bet that the number of people who want the former is
> significantly larger than the number who want (or know they're getting,
> or even care about) music browsing.

 You can't take the decision to remove a feature because most people
 install GNOME for other reasons than that feature. Otherwise one would
 use the same reasoning for all features in GNOME and remove them all.

 But I agree with the former part: the question is do we support
 multicast DNS or not? When I look at the results of my mdns queries
 here, I have no doubt it will soon be a requirement since I see:
 - computers
 - a music remote control interface
 - music shares
 - HTTP and SSH servers (that's less common)
 - administrative interface for wifi APs

   Cheers,
-- 
Loïc Minier <[EMAIL PROTECTED]>
Current Earth status: NOT DESTROYED

