On Thu, May 12, 2005 at 09:52:35PM -0400, Joey Hess wrote:
>Anibal Monsalve Salazar wrote:
>>>Also, unlike the comment in the file claims, manual modifications are
>>>lost as soon as the package is reconfigured (or upgraded, I think):
>>
>>I'm afraid that is not the case.
>>
>>>[EMAIL PROTECTED]:/home/joey>cat /etc/portmap.conf
>>># Portmap configuration file
>>>#
>>># Note: if you manually edit this configuration file,
>>># portmap configuration scripts will avoid modifying it
>>># (for example, by running 'dpkg-reconfigure portmap').
>>>
>>># By default listen on all interfaces
>>>#
>>># If you want portmap to listen only on the loopback
>>># interface, uncomment the following line (it will be
>>># uncommented automatically if you configure this
>>># through debconf).
>>>OPTIONS="-i 127.0.0.1"
>>>[EMAIL PROTECTED]:/home/joey>dpkg-reconfigure portmap
>>>Stopping portmap daemon: portmap.
>>>Configuring portmap
>>>-------------------
>>>
>>>Portmap by default listens to all IP addresses. However, if you are not
>>>using
>>>RPC services that connect to remote servers (like NFS or NIS) you can safely
>>>bind it to the loopback IP address 127.0.0.1.
>>>
>>>This will allow RPC local services (like FAM) to work properly while
>>>preventing
>>>remote systems from accessing your RPC services.
>>>
>>>You can change this configuration also by editing the OPTIONS line in the
>>>/etc/portmap.conf file. If you just don't specify the -i option it will bind
>>>to
>>>all interfaces.
>>>
>>>Should portmap be bound to the loopback address? no
>>
>>Here you selected 'no'.
>>
>>>Starting portmap daemon: portmap.
>>>Restoring old RPC service information...done.
>>>[EMAIL PROTECTED]:/home/joey>cat /etc/portmap.conf
>>># Portmap configuration file
>>>#
>>># Note: if you manually edit this configuration file,
>>># portmap configuration scripts will avoid modifying it
>>># (for example, by running 'dpkg-reconfigure portmap').
>>>
>>># By default listen on all interfaces
>>>#
>>># If you want portmap to listen only on the loopback
>>># interface, uncomment the following line (it will be
>>># uncommented automatically if you configure this
>>># through debconf).
>>>#OPTIONS="-i 127.0.0.1"
>>
>>The above commented out line is the result of the 'no' selection.
>
>The missing information in the transcript is that "no" was the default,
>even though per the config file the default should have been yes.
It's corrected now.
Changes:
portmap (5-12) unstable; urgency=high
.
* Changed default of debconf question to correspond to the value
in the config file.
>>>> * Fixed "SIGCHLD handler doesn't preserve errno", closes: #306929.
>>>> Patch by Alexander Achenbach <[EMAIL PROTECTED]>.
>>>
>>>Not important or RC is it?
>>
>>It's an RC bug. It may result in termination of the server process.
>>According to the author of the bug report, it was reported on
>>freebsd-bugs back in 1998.
>>
>>>>Version: 5-10
>>>>Closes: 286301 301130 301535
>>>>Changes:
>>>> portmap (5-10) unstable; urgency=high
>>>> .
>>>> * Re-added the debconf configuration, although the default for this is now
>>>> to have portmap listening in all interfaces. The debconf setting
>>>> allows system administrators, base-config and cdd developers to preseed
>>>> this value to 'true' (link only to the loopback interface) if needed.
>>>> Patch by Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>.
>>>> Closes: #301130, #286301.
>>>
>>>So you made a change in -10 that introduced a RC bug that was fixed
>>>in -11? And no changes in -10 were RC or even important. The point of
>>>freeze exceptions is not to allow continuing unstable development of
>>>packages in sarge so I don't see why this should be accepted.
>>
>>Javier pushed -10 as an important security improvement for desktop/laptop
>>systems and I agree with him on that regard. Running portmap listening
>>to the world on a desktop/laptop system is a considerable security
>>risk.
>
>This is only my opinion, but debian systems have been running with these
>problems for as long as there was debian; delaying the sarge release to
>fix them does not seem worth it.
>
>--
>see shy jo
Anibal Monsalve Salazar
--
.''`. Debian GNU/Linux
: :' : Free Operating System
`. `' http://debian.org/
`- http://v7w.com/anibal
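
The mismatch discussed in this thread, a debconf answer that disagrees with a hand-edited `OPTIONS="-i 127.0.0.1"` line, can be checked for before reconfiguring. The following is an added example, not code from the portmap package or from either poster; the function names, and the assumption that the last uncommented `OPTIONS=` line is the effective one, belong to this example.

```shell
#!/bin/sh
# Added example, not part of the portmap package.

# Print the bind scope implied by a portmap.conf-style file:
#   loopback (-i 127.0.0.1), other (-i <another address>), all (no -i).
portmap_bind_scope() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    # Assumption: the file is read as shell assignments, so the last
    # uncommented OPTIONS= line wins and '#OPTIONS=...' is ignored.
    opts=$(sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" | tail -n 1 | tr -d "\"'")
    addr=
    set -f                      # no globbing while splitting the options
    set -- $opts
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            -i)   if [ $# -ge 2 ]; then addr=$2; shift; fi ;;
            -i?*) addr=${1#-i} ;;
        esac
        shift
    done
    case $addr in
        '')        echo all ;;
        127.0.0.1) echo loopback ;;
        *)         echo other ;;
    esac
}

# Return 0 when an answer to "Should portmap be bound to the loopback
# address?" agrees with the file, 1 when it would change the file.
portmap_answer_matches() {
    scope=$(portmap_bind_scope "$1") || return 2
    case "$2:$scope" in
        true:loopback|yes:loopback) return 0 ;;
        false:all|no:all)           return 0 ;;
        *)                          return 1 ;;
    esac
}

# Constructed sample mirroring the hand-edited file in the transcript.
sample=$(mktemp)
printf '%s\n' '# Portmap configuration file' 'OPTIONS="-i 127.0.0.1"' > "$sample"
echo "file says: $(portmap_bind_scope "$sample")"
portmap_answer_matches "$sample" no || echo "answer 'no' would undo the manual edit"
rm -f "$sample"
```

A scope of `other` never matches either answer, so a file bound to a specific non-loopback address is always reported as something a reconfigure would change.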

