John Plocher wrote: > Danek Duvall wrote: >> in our environment, would all 5000 >> printers show up, or some subset of those? > > > I assume that, like today, if the user has a ~/.printers file, > its "all:" entry will be used. If this is done naively, it could > completely hide any auto-discovered printers... > > I'm a bit worried about the "out of the box" use-case; the usability > of the system seems to be directly tied to this being on, yet network > secure-by-default means that it probably should be off...
I'm not sure that secure-by-default does require that this be off. As I understand this case it is egress probing not a daemon listening of ingress requests. Secure-by-default for network services is mostly about the attack surface of the host so concentrates mostly on the ingress case. For example security-by-default has a lot to say about things like telnetd and friends being off by default but says nothing about disallowing outbound telnet(1). Closer to this case a host being a printer server is off by default but allowing printing to network printers is on. I may be missing something about how this case actually works but my reading of the materials didn't show that there as a daemon actively listening for incoming connections rather it was a service sending out probes and acting on the results. -- Darren J Moffat
