Feature Request "secure by default"

Rahul Sundaram sundaram at fedoraproject.org
Sun Jun 10 15:39:17 UTC 2007


Charles Curley wrote:
> On Sun, Jun 10, 2007 at 08:15:49PM +0530, Rahul Sundaram wrote:
>> Andras Simon wrote:
>>
>>> Right, but I think that it is relevant in a discussion about "secure
>>> by default". (I'd be more than happy to be corrected about this.)
>> I can't see how it is relevant. It isn't a daemon and it doesn't connect 
>> to the network. If you did disable it and it was turned on, that is indeed a 
>> bug, but not one that really affects security.
> 
> I respectfully disagree. I realize that the ipv6 kernel module is not
> a daemon and does not itself connect to the network. It is part of the
> kernel.
> 
> You've heard of "security by obscurity"? I prefer the opposite:
> security by simplicity. I have a very simple rule of security: if it
> isn't there, they can't crack it. If IPV6 is not requested, the module
> should not be loaded.

Like I said, if it does load when disabled it is a bug, but loading such a 
kernel module has a very different impact on security compared to a 
network daemon. Let's not dilute the discussion by comparing them in the 
same breath.

Rahul



