All in all, I do not agree with bubble talk we are getting here. I
do not think people
who are just talking with sheer imagination with computer illiteracy
to come here.
This is high volume site. People over here do some real work. It cannot be used
to malice a set of people.
[~]# netstat -ap|grep
Hi,
On Fri, Mar 04, 2011 at 08:10:01PM +0100, Adam Borowski wrote:
On Fri, Mar 04, 2011 at 08:56:46PM +0200, Andrei Popescu wrote:
On Fri, 04 Mar 11, 19:29:36, Bastien ROUCARIES wrote:
Except in a workstation place.
...
If you have trouble un-installing avahi-daemon from those systems feel
Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
Could avahi be disabled (using kernel level firewalling is not from my
point of view a solution) ?
# update-rc.d avahi-daemon disable
Does the job for me.. :)
Anyway, I'll need a puppet (or similar) rule to maintain this for my users,
| echo resolv.conf options ndots:15
Thanks for the suggestion, but this does not seem to do what I want, I think?
Another Pointer
(http://www.dd-wrt.com/phpBB2/viewtopic.php?p=344310&sid=6f3fef9df8b046ec568039de87c1175f).
so doing «getent hosts foo.bar» will only generate a query for
On Thu, 2011-03-03 at 16:08 +, Philipp Kern wrote:
We don't like security by obscurity, as you might know.
Not shouting out loud that a service is available doesn't qualify as
“security by obscurity” for me.
Regards,
--
Yves-Alexis
--
To UNSUBSCRIBE, email to
On Thu, 2011-03-03 at 12:45 +0100, Bastien ROUCARIES wrote:
main security problem is resolver,
$host -v www.local
www.local
www.local.mydomain.com
see security issue in draft paper also in case
http://tools.ietf.org/html/draft-cheshire-dnsext-multicastdns-08
resolver is more like the
On Thu, Mar 03, 2011 at 11:02:47AM +0100, Klaus Ethgen wrote:
Hi,
On Thu, 3 Mar 2011 at 3:35, Chow Loong Jin wrote:
A system has not to listen for any unused and unneeded services ever. A
firewall is to control services you _need_.
All that zeroconf stuff is absolutely not
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi,
On Fri, 4 Mar 2011 at 10:31, Wouter Verhelst wrote:
[Corporate users with preference for security]
[Home users with preference for convenience]
I somewhat agree. But not in all consequence.
For that users that you call Corporate users I
As I told, I think that the default should be disabled (as that would
correct for most of the debian users). But I agree that the
enabling/disabling should be easy; and not only per system, zeroconf
insists on several systems like avahi, link local, mdns, ...
At least on Ubuntu you are asked
On Fri, 04 Mar 11, 11:32:01, Klaus Ethgen wrote:
The reason is not that obvious but might be clear when looking to the
image, systems have in the world:
Windows: Insecure, full control, many software, games, official support
Mac: Easy, colorful, all is moving and wabbering
Debian: Secure,
On Fri, Mar 04, 2011 at 11:32:01AM +0100, Klaus Ethgen wrote:
A user that installs Debian on his system will do that due to the
reputation in security. If he want to have a simpler system he would
install, for example, Ubuntu, Mac or Windows.
[...]
I do not think that Debian should be good for
Hi,
On Fri, 4 Mar 2011 at 12:19, Andrei Popescu wrote:
I thought Debian was The Universal Operating System ;), so I would
rather divide like this:
GNOME/KDE system: lots of functionality out-of-the-box
XFCE/LXDE system: decent
On Thu, 3 Mar 2011 12:06:42 +0900, Norbert Preining prein...@logic.at wrote:
...
I don't need nor want avahi, it actually two or three times broke
my network by doing changes to config file I don't want (don't remember
the details) and at that time I could purge it away, but it came back
On Fri, 2011-03-04 at 08:15 +0100, Tollef Fog Heen wrote:
]] Ben Hutchings
Hi,
| On Thu, Mar 03, 2011 at 05:20:37PM +0100, Tollef Fog Heen wrote:
|
| To the extent this is a bug, it's a bug in the resolver that it does not
| treat names with dots in them as absolute, but relative. I
On Fri, 2011-03-04 at 10:31 +0100, Wouter Verhelst wrote:
On Thu, Mar 03, 2011 at 11:02:47AM +0100, Klaus Ethgen wrote:
Hi,
On Thu, 3 Mar 2011 at 3:35, Chow Loong Jin wrote:
A system has not to listen for any unused and unneeded services ever. A
firewall is to control
On 2011-03-04, Philip Hands p...@hands.com wrote:
I'd have decided to install it, and so if there were any issues with it,
it would be my fault for installing it, but since I'm not aware of ever
having needed it, and since I don't use gnome (although I occasionally
install gnome-ish things,
On Fri, Mar 4, 2011 at 1:23 PM, Ben Hutchings b...@decadent.org.uk wrote:
You could stop being lazy and type the dot on the end too. ;-)
You can't expect everyone to type a dot after every single domain name they use.
Olaf
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
On Fri, 2011-03-04 at 12:24 +0100, Wouter Verhelst wrote:
If you're unfamiliar with computers, on the other hand, chances that
you'll be able to figure out how to enable convenience services are
slim, at best. Since home users typically use computers in a desktop
environment, I therefore think
On Fri, Mar 04, 2011 at 01:47:35PM +0100, Yves-Alexis Perez wrote:
On Fri, 2011-03-04 at 12:24 +0100, Wouter Verhelst wrote:
If you're unfamiliar with computers, on the other hand, chances that
you'll be able to figure out how to enable convenience services are
slim, at best. Since home
On Fri, 4 Mar 2011 at 12:24, Wouter Verhelst wrote:
On Fri, Mar 04, 2011 at 11:32:01AM +0100, Klaus Ethgen wrote:
A user that installs Debian on his system will do that due to the
reputation in security. If he want to have a simpler system
On Fri, Mar 4, 2011 at 3:59 PM, Klaus Ethgen kl...@ethgen.de wrote:
In ancient times debian was packaged the way that the administrator only
installed the daemons that he needed. Today many daemons gets installed
by dependencies and gets started without any need. Just the fact is
security
On Fri, Mar 4, 2011 at 10:59 PM, Klaus Ethgen kl...@ethgen.de wrote:
If you want to change debian to be ubuntu it would be the time to look
for another distribution that can be used on servers. (unfortunately I
do not know an alternative.)
Ubuntu actually has better
On Fri, 2011-03-04 at 23:28 +0800, Paul Wise wrote:
Ubuntu actually has better pro-active/defence-in-depth security than
Debian right now. For example compiler hardening flags, kernel
hardening (symlink, hardlink, ptrace, nx emulation), MAC (AppArmor).
Perusing their roadmap pages is quite
On Friday 4 March 2011 10:31:30, Wouter Verhelst wrote:
On Thu, Mar 03, 2011 at 11:02:47AM +0100, Klaus Ethgen wrote:
Hi,
And even worse, debian is often used on server platforms where you never
ever want to have any such magically configured services.
Since avahi isn't a dependency
On Fri, 04 Mar 11, 19:29:36, Bastien ROUCARIES wrote:
Since avahi isn't a dependency of anything you'd want to install on a
server -- I personally have never installed gnome on a server, for
instance -- it usually isn't.
[...]
Except in a workstation place.
In a uni we use your
On Fri, Mar 04, 2011 at 08:56:46PM +0200, Andrei Popescu wrote:
On Fri, 04 Mar 11, 19:29:36, Bastien ROUCARIES wrote:
Except in a workstation place.
In a uni we use your workstation during the days for teaching and the
night for grid computing. And we care both about security and about
On Fri, 04 Mar 11, 20:10:01, Adam Borowski wrote:
You'll then have to install every bit of gnome by hand, since the
meta-packages depend on avahi.
Maybe they can just recommend avahi-daemon and gnome-user-share
Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
On Fri, Mar 04, 2011 at 04:09:44PM +0100, Olaf van der Spek wrote:
On Fri, Mar 4, 2011 at 3:59 PM, Klaus Ethgen kl...@ethgen.de wrote:
In ancient times debian was packaged the way that the administrator only
installed the daemons that he needed. Today many daemons gets installed
by
On Friday 4 March 2011 13:23:32, Ben Hutchings wrote:
On Fri, 2011-03-04 at 08:15 +0100, Tollef Fog Heen wrote:
]] Ben Hutchings
Hi,
| On Thu, Mar 03, 2011 at 05:20:37PM +0100, Tollef Fog Heen wrote:
| To the extent this is a bug, it's a bug in the resolver that it does
|
On Friday, March 04, 2011 02:48:07 pm Adam Borowski wrote:
On Fri, Mar 04, 2011 at 04:09:44PM +0100, Olaf van der Spek wrote:
On Fri, Mar 4, 2011 at 3:59 PM, Klaus Ethgen kl...@ethgen.de wrote:
In ancient times debian was packaged the way that the administrator
only installed the daemons
On Fri, Mar 04, 2011 at 08:48:07PM +0100, Adam Borowski wrote:
And why does it open this security hole? To make it slightly easier to
configure link-local instant messages. Who exactly is going to need that
these days? The times of local networks disconnected from the world are
mostly over.
Hi!
* Bastien ROUCARIES roucaries.bast...@gmail.com [2011-03-02 18:25:30 CET]:
Could avahi be disabled (using kernel level firewalling is not
from my point of view a solution) ?
A nice hack that I was informed just recently about:
echo exit 0 >> /etc/default/avahi-daemon
That
On Wed, Mar 2, 2011 at 11:51 PM, Ben Hutchings b...@decadent.org.uk wrote:
On Wed, 2011-03-02 at 23:09 +0100, Julien BLACHE wrote:
Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
Hi,
Because I work in an untrusted work place and home network (public
networks, wifi...) I wish to purge
On Wed, Mar 2, 2011 at 11:54 PM, Klaus Ethgen kl...@ethgen.de wrote:
On Wed, 2 Mar 2011 at 18:25, Bastien ROUCARIES wrote:
More and more packages depend on avahi aka zeroconf. I have found some
information on
Hi,
On Thu, 3 Mar 2011 at 3:35, Chow Loong Jin wrote:
A system has not to listen for any unused and unneeded services ever. A
firewall is to control services you _need_.
All that zeroconf stuff is absolutely not needed and wanted.
On Wed, Mar 2, 2011 at 10:24 PM, Josselin Mouette j...@debian.org wrote:
On Wednesday 02 March 2011 at 18:25 +0100, Bastien ROUCARIES wrote:
And more specifically from an administrator point of view does avahi
could library could be made purgeable and no more than suggest
dependencies (I am
]] Klaus Ethgen
Hi,
| The thoughts of that makes me shiver! Trusting untreatable sources on a
| network for configuring local stuff is worse ever.
Then just don't use it? Nobody is forcing you to.
| I think those two functionalities are pretty useful to the end-user.
|
| Well, they might
On Thu, Mar 3, 2011 at 11:02 AM, Klaus Ethgen kl...@ethgen.de wrote:
Hi,
On Thu, 3 Mar 2011 at 3:35, Chow Loong Jin wrote:
A system has not to listen for any unused and unneeded services ever. A
firewall is to control services you
On Thu, Mar 3, 2011 at 11:25 AM, Tollef Fog Heen tfh...@err.no wrote:
]] Klaus Ethgen
Hi,
| The thoughts of that makes me shiver! Trusting untreatable sources on a
| network for configuring local stuff is worse ever.
Then just don't use it? Nobody is forcing you to.
| I think those two
Hi,
On Thu, 3 Mar 2011 at 11:25, Tollef Fog Heen wrote:
Then just don't use it? Nobody is forcing you to.
[...]
| And even if you not care about, then that functionality should be
| explicit configured and not per default.
That makes it
On Thu, Mar 03, 2011 at 11:32:23AM +0100, Bastien ROUCARIES wrote:
Not everything gets set up in DNS and ssh caches the host
key so doing a mitm attack after the initial handshake is prevented.
It's not like it'll magically be pulled in on servers or anybody is
suggesting making it part of
Tollef Fog Heen tfh...@err.no wrote:
Hi,
Except zeroconf isn't routed so to be able to exploit it you need to be
on the same physical segment?
mDNS traffic can actually be relayed, but this requires setting up a
relay daemon on the gateway(s).
Quite useful when done properly.
JB.
--
On Thu, 2011-03-03 at 11:54 +0100, Klaus Ethgen wrote:
On Thu, 3 Mar 2011 at 11:25, Tollef Fog Heen wrote:
Then just don't use it? Nobody is forcing you to.
[...]
| And even if you not care about, then that functionality should be
| explicit configured and not per default.
That
However, could we please end the FUDfest? This thread seems to be quite
unconstructive, with unspecific claims of security problems, unwarranted
slurs on users based on their operating system, and accusations on
Debian developer's attitudes. If there is an actual problem, explain
I totally
On Thu, Mar 3, 2011 at 12:22 PM, Lars Wirzenius l...@liw.fi wrote:
On Thu, 2011-03-03 at 11:54 +0100, Klaus Ethgen wrote:
On Thu, 3 Mar 2011 at 11:25, Tollef Fog Heen wrote:
Then just don't use it? Nobody is forcing you to.
[...]
| And even if you not care about, then that
On Thu, Mar 3, 2011 at 12:33 PM, Sujit Karatparambil
sujit.kmadha...@gmail.com wrote:
However, could we please end the FUDfest? This thread seems to be quite
unconstructive, with unspecific claims of security problems, unwarranted
slurs on users based on their operating system, and accusations
On Thu, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
some package announce their existence to the world without any admin decision!
It is not a fud and a security hole!
That's a vague generality... which packages? You mentioned phpmyadmin.
What are the actual problems that results from
On Thu, Mar 3, 2011 at 1:16 PM, Lars Wirzenius l...@liw.fi wrote:
On Thu, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
some package announce their existence to the world without any admin
decision!
It is not a fud and a security hole!
That's a vague generality... which packages? You
On Thu, Mar 3, 2011 at 1:31 PM, Olaf van der Spek olafvds...@gmail.com wrote:
On Thu, Mar 3, 2011 at 1:16 PM, Lars Wirzenius l...@liw.fi wrote:
On Thu, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
some package announce their existence to the world without any admin
decision!
It is not
On Thu, Mar 03, 2011 at 01:43:19PM +0100, Bastien ROUCARIES wrote:
On Thu, Mar 3, 2011 at 1:31 PM, Olaf van der Spek olafvds...@gmail.com
wrote:
On Thu, Mar 3, 2011 at 1:16 PM, Lars Wirzenius l...@liw.fi wrote:
On Thu, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
some package
On Thu, Mar 3, 2011 at 2:35 PM, Mike Hommey m...@glandium.org wrote:
On Thu, Mar 03, 2011 at 01:43:19PM +0100, Bastien ROUCARIES wrote:
On Thu, Mar 3, 2011 at 1:31 PM, Olaf van der Spek olafvds...@gmail.com
wrote:
On Thu, Mar 3, 2011 at 1:16 PM, Lars Wirzenius l...@liw.fi wrote:
On Thu,
On Thursday 03 March 2011 at 00:33 +0100, Adam Borowski wrote:
As Philipp pointed out, only gnome depends on it, and that’s not
gnome-desktop-environment. You can use the latter if you want only the
official GNOME desktop.
gnome-desktop-environment
Depends: gnome-user-share
Ah right,
On Thu, 03 Mar 2011 at 15:17:14 +0100, Josselin Mouette wrote:
I have never in my life felt the need
to do anything provided by either gnome-user-share or telepathy-salut
Note that until you configure gnome-user-share, only avahi is started;
gnome-user-share itself is not.
The same for
On Thu, 3 Mar 2011 at 12:22, Lars Wirzenius wrote:
So you contradict yourself within two paragraphs. It makes it less
useful to enable it only on manual intervention (say, it should be
enabled automatic) but on the other hand you say that
Bastien ROUCARIES roucaries.bast...@gmail.com writes:
some package announce their existence to the world without any admin
decision
It should be a site policy.
It is not a fud and a security hole!
I disagree.
--
Stig Sandbeck Mathisen s...@debian.org
On Thu, Mar 3, 2011 at 3:33 PM, Stig Sandbeck Mathisen s...@debian.org wrote:
Bastien ROUCARIES roucaries.bast...@gmail.com writes:
some package announce their existence to the world without any admin
decision
It should be a site policy.
And set to no by default or at least well documented
On 2011-03-03, Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
Giving information on my system without admin consent is an
information leak, and thus tag security...
Information leaks are leaks of *sensitive* information. If I want to know if
you run phpmyadmin at its default location I
]] Bastien ROUCARIES
| main security problem is resolver,
| $host -v www.local
| www.local
| www.local.mydomain.com
So the security problem you see is that if you have a domain called
«local» the entries in it might be spoofed due to how the resolver
works?
To the extent this is a bug, it's a
On Thu, Mar 03, 2011 at 05:20:37PM +0100, Tollef Fog Heen wrote:
]] Bastien ROUCARIES
| main security problem is resolver,
| $host -v www.local
| www.local
| www.local.mydomain.com
So the security problem you see is that if you have a domain called
«local» the entries in it might be
]] Ben Hutchings
Hi,
| On Thu, Mar 03, 2011 at 05:20:37PM +0100, Tollef Fog Heen wrote:
|
| To the extent this is a bug, it's a bug in the resolver that it does not
| treat names with dots in them as absolute, but relative. I know this is
| how it's been done in the past, but perhaps
so doing «getent hosts foo.bar» will only generate a query for
«foo.bar.», not for «foo.bar.$searchpath.»
Could you be more specific with what you are looking.
hi,
More and more packages depend on avahi aka zeroconf. I have found some
information on http://wiki.debian.org/ZeroConf
Because I work in an untrusted work place and home network (public networks,
wifi...) I wish to purge zeroconf functionality.
however a lot of package depends (or
Hi,
I won't comment on the possible insecurity of avahi-daemon, but...
On 2011-03-02, Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
More and more packages depend on avahi aka zeroconf. I have found some
information on http://wiki.debian.org/ZeroConf
Because I work in an untrusted work
On Wednesday 02 March 2011 at 18:25 +0100, Bastien ROUCARIES wrote:
And more specifically from an administrator point of view does avahi
could library could be made purgeable and no more than suggest
dependencies (I am willing to fill a mass bug report because purging
avahi will purge gnome
On Wed, Mar 02, 2011 at 09:11:40PM +, Philipp Kern wrote:
The other thing where it's not clear to me is padevchooser. Not sure it's
really desperately needed there.
For padevchooser it probably makes sense, as network sound sink/sources are
certainly a case you may want to use pulseaudio
Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
Hi,
Because I work in an untrusted work place and home network (public
networks, wifi...) I wish to purge zeroconf functionality.
Looks like you want a firewall. Just sayin'.
JB.
--
Julien BLACHE - Debian GNU/Linux Developer -
On Wed, 2011-03-02 at 23:09 +0100, Julien BLACHE wrote:
Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
Hi,
Because I work in an untrusted work place and home network (public
networks, wifi...) I wish to purge zeroconf functionality.
Looks like you want a firewall. Just sayin'.
On Wed, 2 Mar 2011 at 23:09, Julien BLACHE wrote:
Because I work in an untrusted work place and home network (public
networks, wifi...) I wish to purge zeroconf functionality.
Looks like you want a firewall. Just sayin'.
Ehem, no.
A
On Wed, 2 Mar 2011 at 18:25, Bastien ROUCARIES wrote:
More and more packages depend on avahi aka zeroconf. I have found some
information on http://wiki.debian.org/ZeroConf
Because I work in an untrusted work place and home network (public
On Wed, Mar 02, 2011 at 10:24:36PM +0100, Josselin Mouette wrote:
On Wednesday 02 March 2011 at 18:25 +0100, Bastien ROUCARIES wrote:
And more specifically from an administrator point of view does avahi
could library could be made purgeable and no more than suggest
dependencies (I am
On Thursday 03,March,2011 06:56 AM, Klaus Ethgen wrote:
On Wed, 2 Mar 2011 at 23:09, Julien BLACHE wrote:
Because I work in an untrusted work place and home network (public
networks, wifi...) I wish to purge zeroconf functionality.
Looks like you want a firewall. Just sayin'.
Ehem,
On Thu, 03 Mar 2011, Adam Borowski wrote:
On Wed, Mar 02, 2011 at 10:24:36PM +0100, Josselin Mouette wrote:
As Philipp pointed out, only gnome depends on it, and that’s not
gnome-desktop-environment. You can use the latter if you want only the
official GNOME desktop.