antisnob (and others who think this is not an issue),
I think that there is a very basic misunderstanding here. I would like to
address some very specific items. Please don't take these as personal attacks
as I don't even know you so I have nothing against you.
On 24 February, 2014 - 15:55 antisnob said,
"It is not an issue. It's an option..."
Installing an SSH server that opens up a listening port on all network
interfaces by default, which allows communication to a commonly attacked and
exploited service, without warning the user, and in fact, giving them the
impression that no such condition exists, is NOT an option when installing
the Trisquel Desktop Environment when using the Trisquel 6.0 CD. The ONLY
option that I had selected when installing was Trisquel Desktop Environment.
There is an option at the top of the list to install an SSH server, but I did
NOT have that selected. To summarize, when someone uses the Trisquel 6.0
installation CD and ONLY selects the Trisquel Desktop Environment, they end
up with an SSH server running on their system.
On 24 February, 2014 - 16:17 antisnob said,
"There are just a few of them and they don't need to be disturbed on non
security issues."
I'm not sure if there is a language barrier here, but I am concerned about
your comments to not write the maintainers of Trisquel as it would seem quite
contrary to ask people not to input information to an Open Source project.
I'm assuming that you mean don't personally contact them, which I certainly
have no intention of doing. The correct thing to do would be to open
a bug. Perhaps you were suggesting an alternate method of communicating with
the developers would be appropriate. I'm also worried that you, and perhaps
others, are trying to convince themselves that there is no issue by simply
repeating the words "non security issue" or "there is no security issue". I
don't think that anyone would argue that if a person installed the Trisquel
Desktop Environment, and set their username to "bob", and their password to
"bob", and there was an SSH server running on the machine at the end of the
install unbeknownst to them, that this would be considered a security issue.
On 24 February, 2014 - 16:01 antisnob said,
"...related to the SSH server but of users knowledge..."
That is EXACTLY what this discussion should be about. User's knowledge.
Users are not informed that an SSH server will be installed when selecting
the Trisquel Desktop Environment package, and are in fact given the opposite
impression by the fact that the SSH Server option is not selected during the
install process. This would be akin to including an SSH server, by default,
without any notification, on every Windows XP installation.
Again, please don't anyone take this personally. I quoted antisnob because
the person seemed to be the most vocal, which is perfectly acceptable. I
think that the next appropriate step would be to open a bug on this, if
that's possible.