On Thu, 04 Dec 2014 09:37:24 -0800 Christopher Head wrote:
> On December 4, 2014 8:12:58 AM PST, Andrew Savchenko <birc...@gentoo.org> 
> wrote:
> >
> >Yes. But booting as many services as possible is even more
> >preferable, especially when the box is remote.
> 
> Are you sure booting most, but not all, services in a loop is
> always better than booting none of them at all?

If we're talking about the early loop solver, then yes. Because this
solver never breaks "need" dependencies.

> What if I have an insecure dæmon listening on TCP, I need it
> running, but I want to ensure only local processes can connect to
> it? Obviously, I would make it “need iptables”, assuming the dæmon
> doesn’t have its own bind address config knob.

And "need iptables" will do the job. Either a weaker part of the loop
will be broken, or your loop will be left unsolved (e.g. if
iptables directly or indirectly _needs_ your daemon).

> What if now, by some accident, iptables ends up in a loop (maybe
> not even a loop including $insecure_service, but some other loop
> entirely), and it’s the randomly chosen victim? Is it still good to
> boot as many services as possible?

Yes, it is, because only weak dependencies like "after" and "use"
may be broken (and after is considered stronger than use IIRC).

As for the later loop detector, it may break a need dependency. The current
need dependency for iptables is fsck <- localmount <- iptables, so
it is still unlikely that your daemon will be caught in such a
need-only loop. Though at the author's request the later loop solver is out
of scope of this discussion now...

Best regards,
Andrew Savchenko
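
The policy described in this message, as an added sketch that is not OpenRC code and not the patch under discussion: a loop is broken at its weakest "use" or "after" edge, and a loop made only of "need" edges is left unsolved. The service names `insecured` and `logger`, the edge list and the function names are constructed for illustration.

```python
# Constructed model: the solver may drop "use"/"after" edges, never "need".
STRENGTH = {"use": 0, "after": 1, "need": 2}  # "after" > "use", per the message

def find_cycle(edges):
    """Return one loop as a list of (service, dependency, kind), or None."""
    graph = {}
    for svc, dep, kind in edges:
        graph.setdefault(svc, []).append((dep, kind))
    state, path = {}, []  # state: 1 = on the current DFS path, 2 = finished

    def visit(node):
        state[node] = 1
        for dep, kind in graph.get(node, []):
            path.append((node, dep, kind))
            if state.get(dep) == 1:  # back edge closes a loop
                start = next(i for i, e in enumerate(path) if e[0] == dep)
                return path[start:]
            if dep not in state and (found := visit(dep)):
                return found
            path.pop()
        state[node] = 2
        return None

    for node in list(graph):
        if node not in state and (found := visit(node)):
            return found
    return None

def solve_loops(edges):
    """Break each loop at its weakest edge; report need-only loops unsolved."""
    active, broken, unsolved = list(edges), [], []
    while (cycle := find_cycle(active)) is not None:
        victim = min(cycle, key=lambda e: STRENGTH[e[2]])
        if victim[2] == "need":
            unsolved.append(cycle)   # need-only loop: nothing may be broken
        else:
            broken.append(victim)
        active.remove(victim)        # stop searching through this edge
    return [e for e in edges if e not in broken], broken, unsolved

# Constructed sample: "insecured" and "logger" are hypothetical services.
SAMPLE = [
    ("insecured", "iptables", "need"),
    ("iptables", "localmount", "need"),
    ("localmount", "fsck", "need"),
    ("iptables", "logger", "use"),
    ("logger", "iptables", "after"),
]
```

Calling `solve_loops(SAMPLE)` drops only the `use` edge between `iptables` and `logger`; the `need` chain from `insecured` down to `fsck` stays intact, so the firewall is still ordered before the daemon.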
