[arch-dev-public] Inetutils cleanup

Florian Pritz bluewind at xinu.at
Thu Apr 19 08:04:25 EDT 2012


On 19.04.2012 10:56, Tom Gundersen wrote:
> On Apr 19, 2012 10:37 AM, "Thomas Bächler" <thomas at archlinux.org> wrote:
>>
>> Am 18.04.2012 21:20, schrieb Eric Bélanger:
>> > Hi,
>> >
>> > Currently, the inetutils packages provide the old unsecure r* family
>> > of tools. There is currently a bug report [1] asking for the removal
>> > of rexec as it is particularly unsecure. As these things are old and I
>> > suppose everyone has moved to more secure apps like ssh/sftp, I'm
>> > thinking about removing all these r* tools.
>>
>> Just because they're insecure doesn't mean we shouldn't provide them.
>> There are probably enough people that use this, and it is their choice.
> 
> There's always the AUR...

So we should put shadow and sshd into the AUR because the user could
enable sshd with simple password authentication (our default), create an
account called "test", set its password to "test" and forget about it?

Most systems are behind a NAT router or hopefully at least a simple
stateful firewall so even if someone enables rexec you can't connect to
it from the outside. If you don't trust your LAN you are likely already
screwed anyway.

-- 
Florian Pritz
