Hi,

W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
<mkkp4x4@gmail.com> napisał:
[..]
> What services are installed by default when installong form Live
> GNOME/KDE/etc and DVD?

Ok, let's ask the question differently - what services should be run
by default to provide working system for desktop user?

IMO ssh can be off by default and should be started only if user tries
to connect over port 22.

Do we really need to install iptables/ip6tables by default (it's in core group)?

--
Best regards,
Michal

Sent from my iToaster
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Hi,

On 12/06/2010 06:34 AM, Michał Piotrowski wrote:
> Hi,
>
> W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
> <mkkp4x4@gmail.com> napisał:
> [..]
>> What services are installed by default when installong form Live
>> GNOME/KDE/etc and DVD?
>
> Ok, let's ask the question differently - what services should be run
> by default to provide working system for desktop user?
>
> IMO ssh can be off by default and should be started only if user tries
> to connect over port 22.
>
> Do we really need to install iptables/ip6tables by default (it's in core group)?
>

Do we really need a firewall configured ?

Yes we do because of <blink><b>SECURITY</b></blink>

I'm sorry but asking if we really need iptables by default is just stupid!

Regards,

Hans
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

W dniu 6 grudnia 2010 10:43 użytkownik Hans de Goede
<hdegoede@redhat.com> napisał:
> Hi,
>
> On 12/06/2010 06:34 AM, Michał Piotrowski wrote:
>> Hi,
>>
>> W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
>> <mkkp4x4@gmail.com> Â*napisaÅ‚:
>> [..]
>>> What services are installed by default when installong form Live
>>> GNOME/KDE/etc and DVD?
>>
>> Ok, let's ask the question differently - what services should be run
>> by default to provide working system for desktop user?
>>
>> IMO ssh can be off by default and should be started only if user tries
>> to connect over port 22.
>>
>> Do we really need to install iptables/ip6tables by default (it's in core group)?
>>
>
> Do we really need a firewall configured ?
>
> Yes we do because of <blink><b>SECURITY</b></blink>
>
> I'm sorry but asking if we really need iptables by default is just stupid!

LOL

There are no stupid questions

On most desktop systems firewall is not needed. Many users do not even
know how to configure it. In fact I disable it in most of my systems,
because there is no real use for it. So I asked a simple question
whether there is a need to install iptables by default?

Your answer is not satisfactory for me - because not configured
firewall has nothing to do with security. In fact, it can only bring
false sense of security.

>
> Regards,
>
> Hans
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
>



--
Best regards,
Michal

Sent from my iToaster
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

On Mon, 6 Dec 2010 06:34:45 +0100
Michał Piotrowski <mkkp4x4@gmail.com> wrote:

> Hi,
>
> W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
> <mkkp4x4@gmail.com> napisał:
> [..]
> > What services are installed by default when installong form Live
> > GNOME/KDE/etc and DVD?
>
> Ok, let's ask the question differently - what services should be run
> by default to provide working system for desktop user?

Perhaps we can ask this even more differently:

What are you trying to do? Whats your high level goal here?
Boot speed? Number of packages installed?

> IMO ssh can be off by default and should be started only if user tries
> to connect over port 22.

If systemd will allow us to do that, sure.

> Do we really need to install iptables/ip6tables by default (it's in
> core group)?

Yes, I think so. Either firewall by default, or we need to make sure
nothing is running that listens externally to reduce security
footprint, IMHO.

kevin
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Kevin Fenzi (kevin@scrye.com) said:
> > IMO ssh can be off by default and should be started only if user tries
> > to connect over port 22.
>
> If systemd will allow us to do that, sure.

What's the point here? For example, this doesn't cut down on the number
of listening ports, obviously, nor on the requirements for root passwords
and potential root login. And if it's started in parallel, I doubt it's a
huge drain on resources.

Bill
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

W dniu 6 grudnia 2010 18:01 użytkownik Kevin Fenzi <kevin@scrye.com> napisał:
> On Mon, 6 Dec 2010 06:34:45 +0100
> Michał Piotrowski <mkkp4x4@gmail.com> wrote:
>
>> Hi,
>>
>> W dniu 3 grudnia 2010 09:14 użytkownik Michał Piotrowski
>> <mkkp4x4@gmail.com> napisał:
>> [..]
>> > What services are installed by default when installong form Live
>> > GNOME/KDE/etc and DVD?
>>
>> Ok, let's ask the question differently - what services should be run
>> by default to provide working system for desktop user?
>
> Perhaps we can ask this even more differently:
>
> What are you trying to do?

I'm trying to convert sysvinit scripts to systemd services (as many as possible)

> Whats your high level goal here?
> Boot speed? Number of packages installed?

I know it will not be possible to convert all sysvinit scripts for
F15, but at least we can try to provide "full systemd experience" for
most common configurations.

--
Best regards,
Michal

Sent from my iToaster
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

2010/12/6 Bill Nottingham <notting@redhat.com>:
> Kevin Fenzi (kevin@scrye.com) said:
>> > IMO ssh can be off by default and should be started only if user tries
>> > to connect over port 22.
>>
>> If systemd will allow us to do that, sure.
>
> What's the point here? For example, this doesn't cut down on the number
> of listening ports, obviously, nor on the requirements for root passwords
> and potential root login. And if it's started in parallel, I doubt it's a
> huge drain on resources.

"For a fast and efficient boot-up two things are crucial:

* To start less.
* And to start more in parallel."

http://0pointer.de/blog/projects/systemd.html

IMO "start less" philosophy is a good thing.

>
> Bill
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
>



--
Best regards,
Michal

Sent from my iToaster
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Michał Piotrowski (mkkp4x4@gmail.com) said:
> >> If systemd will allow us to do that, sure.
> >
> > What's the point here? For example, this doesn't cut down on the number
> > of listening ports, obviously, nor on the requirements for root passwords
> > and potential root login. And if it's started in parallel, I doubt it's a
> > huge drain on resources.
>
> "For a fast and efficient boot-up two things are crucial:
>
> * To start less.
> * And to start more in parallel."
>
> http://0pointer.de/blog/projects/systemd.html
>
> IMO "start less" philosophy is a good thing.

Yes. However, I'm leery of adding too many drastic changes that don't have
upstream buy-in yet. What's upstream openssh's opinion on socket activation?

Bill
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

On Mon, 6 Dec 2010 18:17:51 +0100
Michał Piotrowski <mkkp4x4@gmail.com> wrote:

> W dniu 6 grudnia 2010 18:01 użytkownik Kevin Fenzi <kevin@scrye.com>
> napisał:

...snip...

> > What are you trying to do?
>
> I'm trying to convert sysvinit scripts to systemd services (as many
> as possible)

If you're trying to determine what units should be enabled by default,
please talk to the Fedora Packaging Comittee.

See also:
https://fedorahosted.org/fesco/ticket/504

Where fesco decided:

"Default is off, exceptions exist to allow proper functioning of the
os. FPC to document exceptions and process exception requests."

FPC was going to work on a exceptions list I think...

kevin
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

W dniu 6 grudnia 2010 18:43 użytkownik Kevin Fenzi <kevin@scrye.com> napisał:
> On Mon, 6 Dec 2010 18:17:51 +0100
> Michał Piotrowski <mkkp4x4@gmail.com> wrote:
>
>> W dniu 6 grudnia 2010 18:01 użytkownik Kevin Fenzi <kevin@scrye.com>
>> napisał:
>
> ...snip...
>
>> > What are you trying to do?
>>
>> I'm trying to convert sysvinit scripts to systemd services (as many
>> as possible)
>
> If you're trying to determine what units should be enabled by default,
> please talk to the Fedora Packaging Comittee.
>
> See also:
> https://fedorahosted.org/fesco/ticket/504
>
> Where fesco decided:
>
> "Default is off, exceptions exist to allow proper functioning of the
> os. FPC to document exceptions and process exception requests."
>
> FPC was going to work on a exceptions list I think...

This list will be useful.

Dear FPC people, could you provide this list in the near future?

>
> kevin
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
>



--
Best regards,
Michal

Sent from my iToaster
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel