Comment 19 for bug 109434

Troy James Sobotka (troy-sobotka) wrote :

The bureaucracy is unfortunate.

I reported this a year and a half ago. I'd like to think that we in Free Software are capable of making swift decisions when the situation warrants it. While we wait, how many systems are running daemons that a typical user is unaware of? Consider the following negatives:

1) As noted above, a game server can pose a potentially serious security hole.
2) As noted above, some game servers report to master servers clogging up the network.
3) As noted above, the server will use up vital system resources.

While I largely agree with Jonathan Marsden ( https://bugs.launchpad.net/ubuntu/+source/tremulous/+bug/109434/comments/16 ), I'd also point out that even _typical_ servers would be illogical to immediately run as there is generally no infrastructure in place to make the running of the server _immediately_ useful. Apache might be a good example here as you are presented with an immediately running daemon despite likely having zero content established. Alas, that is potentially another subject.

I find _any_ server that is run by default as soon as a package is installed extraordinarily foolish. OpenBSD has an absolutely astonishing security track record in this regard, and as such, perhaps we should examine Debian's policy on this matter. Let us not forget that it wasn't that long ago nasty worms such as Blaster and its ilk made their way into systems with default open ports.

I would hazard a guess that a typical audience member expects applications to be installed in a usable state when using their package managers. I sincerely doubt that the same audience member expects the application to be immediately run as with the case of a server. Do we expect application xxx to immediately run after selecting the checkmark in Synaptic and pressing "Apply"?

By stalling and endlessly discussing this matter, we are opening up yet one more hole for security blunders as Free Software becomes a larger player, and as a result, a larger target for malicious attacks. _IF_ Ubuntu seeks to bring Linux and Free Software to a more typically mainstream audience, it should consider the implications thereof. Considering the historical (Windows Blaster and like exploits) and similar contextual (OpenBSD's default policy for packages) data, I would hope that the most rational choice is clear.

To ignore the historical and contextual information seems not only foolish but destined to repeat the same mistakes all over again.
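The administrator-side check behind the complaint above, as an added example that is not part of the comment and is not Ubuntu's or Debian's own tooling. On Debian and Ubuntu, maintainer scripts start services through invoke-rc.d, which consults /usr/sbin/policy-rc.d and treats exit status 101 as "action forbidden"; a temporary policy-rc.d therefore stops a package's postinst from starting its daemon. The snapshot/diff functions list listening sockets before and after an install so a newly started daemon shows up. Assumptions: iproute2's ss is installed, the script runs as root, and the package name and the socket lines in the usage notes are example values.

```shell
#!/bin/sh
# Added example (not from the bug comment): audit and block daemons that a
# package installation starts. Assumes Debian/Ubuntu with invoke-rc.d and ss.

# Print the body of a policy-rc.d hook. invoke-rc.d reads exit status 101 as
# "action forbidden", so no init action (start/restart) runs while it exists.
deny_policy_rc_d() {
    printf '%s\n' '#!/bin/sh' \
        '# deny every service start/stop request during package installation' \
        'exit 101'
}

# Snapshot listening TCP/UDP sockets as "proto local-address:port process".
# ss flags: -H no header, -l listening, -t tcp, -u udp, -n numeric, -p process.
snapshot_listeners() {
    ss -Hltunp 2>/dev/null | awk '{print $1, $5, $7}' | sort -u
}

# Print lines present in the "after" file ($2) but absent from "before" ($1).
# Both files must be sorted, which snapshot_listeners guarantees.
new_listeners() {
    comm -13 "$1" "$2"
}

# Succeed only if the install opened no new listening socket.
listeners_unchanged() {
    [ -z "$(new_listeners "$1" "$2")" ]
}

# Usage (as root; "tremulous-server" is an example package name):
#   snapshot_listeners > /tmp/before.txt
#   deny_policy_rc_d > /usr/sbin/policy-rc.d && chmod 755 /usr/sbin/policy-rc.d
#   apt-get install -y tremulous-server
#   rm /usr/sbin/policy-rc.d
#   snapshot_listeners > /tmp/after.txt
#   new_listeners /tmp/before.txt /tmp/after.txt   # prints any daemon the install started
```

The policy-rc.d file must be removed after the install, or later administrative service restarts will be refused too; the listener diff is worth running even with the hook in place, since a package can also open sockets from a cron job or a user session rather than an init script.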