Hi,

after some discussion we had today on IRC, I tend to think we should
put a section within "security" of the release policy that says
something like "Packages must not open listening sockets at localhost
where usage of a unix domain socket (in the filesystem) would be
equally sufficient".

Reasoning for this is that opening listening sockets with the network
allows "better" ways to exploit security bugs than in the traditional
unix filesystem.


Comments?


Cheers,
Andi
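
The contrast behind the proposal, as an added example that is not part of the original mail: a listening socket on localhost is reachable by every local user, while a unix domain socket in the filesystem is governed by file permissions, and the kernel can report which user connected. The function names and the `svc.sock` path are hypothetical, the client is constructed inline, and `SO_PEERCRED` is Linux-specific.

```python
import os
import socket
import stat
import struct
import tempfile
import threading

def serve_once(path):
    """Listen on a unix domain socket at `path`, accept one client and
    return (socket file mode, peer uid, bytes received)."""
    old_umask = os.umask(0o177)              # socket file is created as 0600
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)                       # no TCP port is opened at all
    finally:
        os.umask(old_umask)
    srv.listen(1)
    mode = stat.S_IMODE(os.stat(path).st_mode)

    def client():                            # constructed client, same user
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.connect(path)
            c.sendall(b"ping")

    t = threading.Thread(target=client)
    t.start()
    conn, _ = srv.accept()
    with conn:
        # Kernel-supplied pid/uid/gid of the connecting process (Linux).
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                              struct.calcsize("3i"))
        _pid, uid, _gid = struct.unpack("3i", raw)
        # Only talk to our own user; anyone else gets nothing read.
        data = conn.recv(16) if uid == os.getuid() else b""
    t.join()
    srv.close()
    os.unlink(path)
    return mode, uid, data

def demo():
    # TemporaryDirectory creates a 0700 directory, so other users
    # cannot even reach the socket path.
    with tempfile.TemporaryDirectory() as d:
        return serve_once(os.path.join(d, "svc.sock"))

if __name__ == "__main__":
    print(demo())
```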

