[conspire] xz exploit and backdoor

Rick Moen rick at linuxmafia.com
Fri Apr 5 17:20:14 PDT 2024


Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):

> So you agree with me, but you don't want to. You're moving know-how
> and complexity from one domain to another ;)

There are always tradeoffs, but the bar to be cleared in _merely_
reading configuration files and init scripts, and then shutting off
functionality you don't want and won't use, is a very low one.

Yes, most Linux users cannot be bothered, because Linux users in the
main are like all other OS users, people who never even look at the
default setting, let alone consider changing anything.  But I'm
referring to the subset who are server sysadmins.

I don't want to go all greybeard and pull out the "When I was young, we
walked to school through the snow both ways" routine, but back when I
started, that was routine.  Beyond that, the standard way to learn what
you needed running was:  Switch it off in the runtime state, and see if
you miss it.  If the system goes 'splody, reboot and regroup.

Once one grasps the value of taking charge of software runtime
configuration, it's not exactly brain surgery, on most distros, to read
the docs about how to modify a distro source package to change that _one
darned thing_ that annoys you, compile a local package, and install it.

And, in that context, saying one day "I think I want to try NSD instead
of BIND9" is easy-peasy by comparison.

You say that's "moving complexity".  OK.  But I call it "actually doing
the system administration task you came to do".

But please note that nowhere am I urging this onto anyone else.  It's
none of my business what if any local policy a different sysadmin
implements -- unless he/she is paying my wages or vice-versa.

> Compiling [e.g., Postfix] yourself just to reduce
> attack surface will make things more complicated, hard to manage
> etc... doesn't come for free and it has its own drawbacks even in
> terms of security.

Clearly, there must be enough benefit to offset the nuisance and extra
work.  And that is an individual judgement -- as I would have thought
obvious.

-- 
Cheers,               Everything is gone;
Rick Moen             Your life's work has been destroyed.
rick at linuxmafia.com   Squeeze trigger (yes/no)?
McQ!  (4x80)           -- David Carlson (winner, haiku error message contest)
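The "switch it off and see if you miss it" routine above starts with knowing what is actually listening. As an added example, not part of the post, here is a small POSIX sh audit that takes `ss -tlnpH` style output and an explicit allowlist of the daemons you decided you need, and reports every other listener as a candidate for disabling. The listing below is a constructed sample; on a live host the same function would be fed `$(ss -tlnpH)` run as root so process names are visible.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): compare listening sockets
# against an allowlist so the "do I need this?" question is asked per service.

# Constructed sample of `ss -tlnpH` output (state, queues, local, peer, process).
# On a live host: SAMPLE_LISTENERS="$(ss -tlnpH)"
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:53 0.0.0.0:* users:(("named",pid=640,fd=21))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=901,fd=13))
LISTEN 0 511 *:80 *:* users:(("nginx",pid=1023,fd=6))
LISTEN 0 50 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=410,fd=4))'

# unexpected_listeners LISTING ALLOWLIST
# Prints "process port bind-address" for each listener whose process name is
# not in the space-separated ALLOWLIST. Returns 1 if any were found, else 0.
unexpected_listeners() {
    listing=$1
    allow=" $2 "
    found=0
    # Feed the loop from a here-document (not a pipe) so $found survives it.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Process name sits inside users:(("name",pid=...,fd=...))
        proc=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        [ -n "$proc" ] || proc='unknown'
        # Fourth column is the local address:port
        local_addr=$(printf '%s\n' "$line" | awk '{print $4}')
        port=${local_addr##*:}
        bind=${local_addr%:*}
        case "$allow" in
            *" $proc "*) ;;    # on the allowlist: expected, say nothing
            *) printf '%s %s %s\n' "$proc" "$port" "$bind"; found=1 ;;
        esac
    done <<EOF
$listing
EOF
    return $found
}

# Stand-alone run over the constructed sample: sshd, Postfix's master and
# nginx are wanted; everything else is flagged for review.
unexpected_listeners "$SAMPLE_LISTENERS" "sshd master nginx" \
    || echo "review the listeners above before deciding what to disable"
```

Each flagged line is one decision to make: a daemon nobody asked for gets stopped and disabled with `systemctl disable --now <unit>` (or the distro's equivalent), and if something breaks, re-enable it and you have learned that you did need it. Keeping the allowlist in a file under version control turns the one-off review into a check you can rerun after every upgrade.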
