Can you name some reasons why you believe that nss-mnds and avahi are compromising security? I don't see any, they just help you to make it easier to find and use network services, they do not enable any service themselves. The security implications come with the question whether you actually trust and *use* a service (like DAAP in Rhythmbox, or sshing to foo.local instead of an IP number). nss-mdns and avahi do not, and cannot, change anything in your personal trust relations.
Calling avahi "pernicious and insidious" is unfounded, and to be honest, it's just plain FUD. It might indicate that you misunderstood the purpose of it? Avahi just provides a service catalog, nothing more. Nothing in the desktop depends on it, or even assumes that it provides correct information, and desktop services like DAAP music sharing are not even enbaled by default. We only enable libnss-mnds by default, because it doesn't change any security properties of name resolution. So I strongly object against dropping avahi and libnss-mdns from the seeds (mind that the entire purpose of *-desktop is to pull in packages, which makes Suggests: totally worthless). Avahi and nss-mdns ease the usage of network services, which is an important thing in a "make it just work" desktop distribution. However, I do agree that they should be changed from Depends: to Recommends: (like libnss-mdns already), so that you can uninstall them without removing *-desktop. I don't think there is a particular reason for making them strong dependencies, that's more or less just because of historical reasons. ** Summary changed: - avahi should be downgraded to Suggests dependency + avahi should be downgraded to Recommends: -- avahi should be downgraded to Recommends: https://bugs.launchpad.net/bugs/192258 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
