Feature Request "secure by default"
Rahul Sundaram
sundaram at fedoraproject.org
Sun Jun 10 15:39:17 UTC 2007
Charles Curley wrote:
> On Sun, Jun 10, 2007 at 08:15:49PM +0530, Rahul Sundaram wrote:
>> Andras Simon wrote:
>>
>>> Right, but I think that it is relevant in a discussion about "secure
>>> by default". (I'd be more than happy to be corrected about this.)
>> I can't see how it is relevant. It isn't a daemon and it doesn't connect
>> to the network. If you did disable it and it was turned on, that is indeed a
>> bug, but not one that really affects security.
>
> I respectfully disagree. I realize that the ipv6 kernel module is not
> a daemon and does not itself connect to the network. It is part of the
> kernel.
>
> You've heard of "security by obscurity"? I prefer the opposite:
> security by simplicity. I have a very simple rule of security: if it
> isn't there, they can't crack it. If IPV6 is not requested, the module
> should not be loaded.
Like I said, if it does load when disabled, it is a bug, but loading such a
kernel module has a very different impact on security compared to a
network daemon. Let's not dilute the discussion by comparing them in the
same breath.
Rahul