Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl
* Guus Sliepen (g...@debian.org) [100621 22:57]:
> There has been an extensive discussion about the proper default value of the net.ipv6.bindv6only sysctl, both on the debian-devel mailing list and in bugreport 560238. Since people are clearly divided on the issue, and it is unlikely a compromise can be found, I have forwarded it to you for a decision. Please read the past discussion, but to summarise the arguments for both possible default values:

Thanks for bringing that to our attention.

After reading the bug log, I don't think there is much which isn't said yet, so I'll try to avoid repeating. I need to admit that I consider the reasons to stay with the previous default, i.e. a value of 0, to be more convincing. It might have been an error a few years ago to set 0 as the default, but well - now we are here. I don't see why we should break otherwise working software.

I would, however, welcome a bugfixing campaign (release goals for anyone?) which gets rid of the old interfaces in our code base.

We should also think about whether we want to get the default changed on kbsd - basically kbsd is the new kid, so I don't think it warrants that we do strange stuff on Debian. Also, perhaps just an appropriate warning for kbsd in the release notes might be enough (at least for squeeze).

Having said this, I would like to call for a vote with the options

A set net.ipv6.bindv6only to 0
B set net.ipv6.bindv6only to 1
C further discussion

unless someone from the tech ctte sees the need for further discussions (or options) right now.

Andi

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl
Andreas Barth a...@not.so.argh.org writes:
> I would, however, welcome a bugfixing campaign (release goals for anyone?) which gets rid of the old interfaces in our code base.
>
> We should also think about whether we want to get the default changed on kbsd - basically kbsd is the new kid, so I don't think it warrants that we do strange stuff on Debian. Also, perhaps just an appropriate warning for kbsd in the release notes might be enough (at least for squeeze).

Having a different default on BSD than on other platforms strikes me as asking for trouble (in particular, asking for obscure portability issues to BSD systems that most developers don't test on).

> Having said this, I would like to call for a vote with the options
>
> A set net.ipv6.bindv6only to 0
> B set net.ipv6.bindv6only to 1
> C further discussion
>
> unless someone from the tech ctte sees the need for further discussions (or options) right now.

There's also the meta-question of whether we need to make a decision at all. Marco's last message on this topic to debian-devel said basically that he thinks the default should be set back to 0, so possibly this is happening without our involvement?

-- 
Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/
Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl
Andreas Barth writes (Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl):
> Having said this, I would like to call for a vote with the options
>
> A set net.ipv6.bindv6only to 0
> B set net.ipv6.bindv6only to 1
> C further discussion
>
> unless someone from the tech ctte sees the need for further discussions (or options) right now.

Just to be clear, do you intend that a vote for A is a vote to overrule the netbase maintainer?

On the basis that the answer is yes I vote as follows:

1: A set net.ipv6.bindv6only to 0 (overruling maintainer)
2: B set net.ipv6.bindv6only to 1
3: C further discussion

Ian.
Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl
Russ Allbery writes (Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl):
> Having a different default on BSD than on other platforms strikes me as asking for trouble (in particular, asking for obscure portability issues to BSD systems that most developers don't test on).

I think the bug logs are talking about other BSDs, not Debian GNU/kFreeBSD. Our decision will bind Debian GNU/kFreeBSD although the exact mechanism will vary. I agree that both should do the same.

> There's also the meta-question of whether we need to make a decision at all. Marco's last message on this topic to debian-devel said basically that he thinks the default should be set back to 0, so possibly this is happening without our involvement?

That's nice but I think we should continue anyway. (I'm not up to date with debian-devel.) As a matter of procedure, I think it's fine for us to carry on with making a decision provided it isn't actually moot yet.

Ian.
Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl
* Russ Allbery (r...@debian.org) [100622 01:21]:
> Andreas Barth a...@not.so.argh.org writes:
> > I would, however, welcome a bugfixing campaign (release goals for anyone?) which gets rid of the old interfaces in our code base.
> >
> > We should also think about whether we want to get the default changed on kbsd - basically kbsd is the new kid, so I don't think it warrants that we do strange stuff on Debian. Also, perhaps just an appropriate warning for kbsd in the release notes might be enough (at least for squeeze).
>
> Having a different default on BSD than on other platforms strikes me as asking for trouble (in particular, asking for obscure portability issues to BSD systems that most developers don't test on).

I agree with you. However, I currently view the BSD platforms as an addon, i.e. I don't think we should make a different decision for our linux platforms just because kBSD exists.

Of course, this calls for changing the default on kBSD - but this is the second step IMHO, not the first step. And I would like to keep that decision with the kBSD porters unless someone puts that question in front of us (i.e. I don't believe we need or should answer that question within this request).

> > Having said this, I would like to call for a vote with the options
> >
> > A set net.ipv6.bindv6only to 0
> > B set net.ipv6.bindv6only to 1
> > C further discussion
> >
> > unless someone from the tech ctte sees the need for further discussions (or options) right now.
>
> There's also the meta-question of whether we need to make a decision at all. Marco's last message on this topic to debian-devel said basically that he thinks the default should be set back to 0, so possibly this is happening without our involvement?

Hm. As it currently looks to me, the decision was delegated to us. If Marco removes that delegation, that'd be fine with me. If not, we need to make a decision (at least I believe it's sensible to not wait until someone just does it for us).

Andi
Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl
Andreas Barth a...@not.so.argh.org writes:
> * Russ Allbery (r...@debian.org) [100622 01:21]:
> > Having a different default on BSD than on other platforms strikes me as asking for trouble (in particular, asking for obscure portability issues to BSD systems that most developers don't test on).
>
> I agree with you. However, I currently view the BSD platforms as an addon, i.e. I don't think we should make a different decision for our linux platforms just because kBSD exists.

Oh, I agree with that part. The only point that I was driving at is that I think an implication of saying the default should be 0 is that we're asking the kFreeBSD porters to change their default as well, and we should probably ensure that they're aware of the decision and the reasoning.

> Of course, this calls for changing the default on kBSD - but this is the second step IMHO, not the first step. And I would like to keep that decision with the kBSD porters unless someone puts that question in front of us (i.e. I don't believe we need or should answer that question within this request).

If we're taking that approach, we should be very explicit here:

> Having said this, I would like to call for a vote with the options
>
> A set net.ipv6.bindv6only to 0
> B set net.ipv6.bindv6only to 1
> C further discussion

that we're only talking about the Linux kernel Debian architectures.

> Hm. As it currently looks to me, the decision was delegated to us. If Marco removes that delegation, that'd be fine with me. If not, we need to make a decision (at least I believe it's sensible to not wait until someone just does it for us).

Oh, okay, I had missed that side of things. I'm certainly fine with us making a decision that was delegated to us.

-- 
Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/
Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl
reassign 560238 tech-ctte
thanks

Dear members of the Technical Committee,

There has been an extensive discussion about the proper default value of the net.ipv6.bindv6only sysctl, both on the debian-devel mailing list and in bugreport 560238. Since people are clearly divided on the issue, and it is unlikely a compromise can be found, I have forwarded it to you for a decision. Please read the past discussion, but to summarise the arguments for both possible default values:

net.ipv6.bindv6only = 0
---
* This is the default value of the Linux kernel.
* This value is used as a default in many other Linux distributions.
* This behaviour is the opposite of the default of the FreeBSD kernel.
* Many applications work properly (ie, support both IPv4 and IPv6 simultaneously) only with this setting.
* The behaviour of the network stack with this value conforms to RFC 3493 sections 3.7 and 5.3.
* It is said to conform to POSIX 2008, Volume 2, Section 2.10.20.
* Instead of IPv4 addresses, sockets return IPv6-mapped addresses, and not all software handles this properly (ie, an ACL for an IPv4 address gets ignored because the software only sees an IPv6 address).
* This value does not introduce new bugs.
* Setting this value now will keep unstable in a more usable state.

net.ipv6.bindv6only = 1
---
* This restricts IPv6 addresses to IPv6 sockets, and IPv4 addresses to IPv4 sockets, making interpretation of addresses unambiguous, and hence increases security of programs.
* This requires some applications to be adapted to support multiple sockets.
* The behaviour of the network stack with this value is the same as the default behaviour of FreeBSD.
* This value reduces security bugs, but introduces new bugs since some applications no longer work as expected.
* This value will flush out all applications that cannot handle an alternative setting of net.ipv6.bindv6only.
* Setting this value now will get more bugs fixed before the next release.

In the past maintainers have pushed for new ways of doing things that upset the status quo. The idea is that introducing new functionality, although it will break some existing functionality, will result in faster convergence to a better situation. Opponents will argue that new functionality should preferably only be introduced when it will not break existing functionality. I hope the Committee will issue a statement whether the former is, in general, accepted behaviour, or if Debian should be more conservative.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen g...@debian.org
Bug#560238: tech-ctte: Default value for net.ipv6.bindv6only sysctl
On Sun, Jun 13, 2010 at 13:24:39 +0200, Guus Sliepen wrote:
> net.ipv6.bindv6only = 1
> ---
> * This restricts IPv6 addresses to IPv6 sockets, and IPv4 addresses to IPv4 sockets, making interpretation of addresses unambiguous, and hence increases security of programs.
> * This requires some applications to be adapted to support multiple sockets.

The most likely way applications are going to be adapted is to use setsockopt to set IPV6_V6ONLY to 0, not to support multiple sockets...

[...]
> * This value reduces security bugs, but introduces new bugs since some applications no longer work as expected.

... in which case those (hypothetical) security bugs aren't reduced.

[...]
> * Setting this value now will get more bugs fixed before the next release.

I'm unconvinced.

Cheers,
Julien
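The two technical points that run through this thread are Guus's note that with bindv6only=0 an IPv4 peer shows up on an AF_INET6 socket as an IPv4-mapped address (so a naive ACL for "192.0.2.1" never matches "::ffff:192.0.2.1"), and Julien's point that applications will simply call setsockopt(IPV6_V6ONLY) themselves rather than open a second socket. The program below is an added example written for this page; it is not Debian's, netbase's, or any package's code. It shows both: a listener that pins IPV6_V6ONLY explicitly so its behaviour no longer depends on the sysctl, and the peer-address normalisation an ACL needs under either setting. The ACL entries and peer addresses are constructed (documentation ranges), and the port is left at 0 so the kernel picks one.

```c
/* Added example, not code from the bug report or from any Debian package.
 * Shows (1) an AF_INET6 listener that sets IPV6_V6ONLY itself instead of
 * inheriting net.ipv6.bindv6only, and (2) normalising IPv4-mapped peers
 * (::ffff:a.b.c.d) before an ACL lookup, with the naive check beside it. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write the peer address as an ACL author writes it: a.b.c.d for an
 * IPv4-mapped address, the IPv6 text form otherwise. Returns the family
 * the peer really belongs to (AF_INET or AF_INET6), or -1 on failure. */
int canonical_peer(const struct sockaddr_in6 *sa, char *buf, size_t len)
{
    if (IN6_IS_ADDR_V4MAPPED(&sa->sin6_addr)) {
        struct in_addr v4;
        memcpy(&v4, &sa->sin6_addr.s6_addr[12], sizeof v4); /* low 32 bits */
        return inet_ntop(AF_INET, &v4, buf, len) ? AF_INET : -1;
    }
    return inet_ntop(AF_INET6, &sa->sin6_addr, buf, len) ? AF_INET6 : -1;
}

/* Same, starting from the textual form a log line or a test hands us. */
int canonical_peer_text(const char *ip6, char *buf, size_t len)
{
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, ip6, &sa.sin6_addr) != 1)
        return -1;
    return canonical_peer(&sa, buf, len);
}

int peer_family(const char *ip6)
{
    char buf[INET6_ADDRSTRLEN];
    return canonical_peer_text(ip6, buf, sizeof buf);
}

/* Constructed ACL for the demo (documentation addresses, not real hosts). */
static const char *const demo_acl[] = { "192.0.2.1", "2001:db8::1" };
#define DEMO_ACL_LEN (sizeof demo_acl / sizeof demo_acl[0])

/* The check the thread warns about: compare the raw peer string. An IPv4
 * peer arriving as "::ffff:192.0.2.1" never matches the "192.0.2.1" entry. */
int naive_acl_allows(const char *peer_ip6)
{
    for (size_t i = 0; i < DEMO_ACL_LEN; i++)
        if (strcmp(peer_ip6, demo_acl[i]) == 0)
            return 1;
    return 0;
}

/* Corrected check: normalise first. Unparseable input is denied. */
int acl_allows(const char *peer_ip6)
{
    char buf[INET6_ADDRSTRLEN];
    if (canonical_peer_text(peer_ip6, buf, sizeof buf) < 0)
        return 0;
    for (size_t i = 0; i < DEMO_ACL_LEN; i++)
        if (strcmp(buf, demo_acl[i]) == 0)
            return 1;
    return 0;
}

/* AF_INET6 listener whose dual-stack behaviour is chosen by the program:
 * v6only = 0 also accepts IPv4 (as mapped addresses), 1 is IPv6 only.
 * Returns the listening fd or -1 with errno set. */
int listen_with_v6only(uint16_t port, int v6only)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_any;
    sa.sin6_port = htons(port);
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0
        || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0
        || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *peers[] = { "::ffff:192.0.2.1", "::ffff:192.0.2.9", "2001:db8::1" };
    for (size_t i = 0; i < 3; i++) {
        char buf[INET6_ADDRSTRLEN];
        int fam = canonical_peer_text(peers[i], buf, sizeof buf);
        printf("%-18s -> %-12s %s naive=%d fixed=%d\n", peers[i], buf,
               fam == AF_INET ? "IPv4" : "IPv6",
               naive_acl_allows(peers[i]), acl_allows(peers[i]));
    }
    int fd = listen_with_v6only(0, 0); /* dual-stack, whatever the sysctl */
    if (fd < 0) { perror("listen_with_v6only"); return 1; }
    int v6only = -1;
    socklen_t l = sizeof v6only;
    getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, &l);
    printf("listener IPV6_V6ONLY=%d\n", v6only);
    close(fd);
    return 0;
}
```

The listener half is Julien's "just set IPV6_V6ONLY to 0" in practice, and it is the safer habit either way: a daemon that wants one dual-stack socket or two separate ones should say so per socket and not rely on whatever the distribution's sysctl default happens to be. The ACL half is what has to accompany the dual-stack choice; an IPv4 entry compared against the raw sin6_addr text is silently ignored for every IPv4 client.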