Bug#761658: Please do not default to using Google nameservers

Christoph Anton Mitterer calestyo at scientia.net
Sun Mar 29 06:18:43 BST 2015


On Sun, 2015-03-29 at 06:55 +0200, Michael Biebl wrote: 
> On 29.03.2015 at 06:35, Christoph Anton Mitterer wrote:
> > I'm really not inclined to start another security discussion, since
> > that's already a lost cause in Debian... but the appropriate way would be
> > to reopen this bug, solve it so that no data/privacy leakage happens...
> > or perhaps to retitle Debian Windows,
> I don't really appreciate this tone. You're not really convincing anyone
> this way, only putting people off.
The "tone" wasn't impolite or offensive to anyone,... and that security
is just amongst further goals in Debian is simply a matter of fact.

And AFAIU the problem of data/privacy leakage isn't just made up, is it?
If the system falls back to google nameservers they will know anything
one tries to resolve.
And
$ geoiplookup 8.8.8.8
GeoIP Country Edition: US, United States
shows that it won't be only Google who knows ;-)

So what exactly is it that you don't like, cause I don't understand it.

Seriously, Michael, just because someone didn't start a message with
hugs and cookies doesn't mean he meant anything offensive or unfriendly.
Or are there already Code of Conflict cases running against me now or
Marco because he used the word "lunacy" on someone else's work o.O


> Marco told you specifically, how you can configure this explicitly.
Uhm? I just accidentally stumbled over this bug and I don't think he has
told me anything in specific.


> So how exactly are you no longer in control?
Maybe I just got it wrong and this is a non-issue:
My understanding was that resolved defaults to 
DNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Right?

So if resolved is used - and I'd guess that's the long term goal - then
people would automatically get resolving - always.
Even when they have /etc/resolv.conf (possibly intentionally) left empty
and AFAIU the manpage, one cannot unset it.


If this is all the case, then it's as Martin has quite correctly
identified in the beginning:
We shouldn't provide a default fallback.


IMO, OpenNIC or anything else would have the same issues as Google:
- it's a privacy leak
- it specially "blesses" a single company/organisation as being the
  nameserver provider for Debian, and I think we should be neutral here


Cheers,
Chris.
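
An audit of the case discussed in this message, added here as an example and not part of the original post or of systemd's own code: it scans the text of a resolv.conf and a resolved.conf for the four addresses quoted above, and also reports when neither file names any server, the situation in which a built-in fallback would be the only resolver. The `FallbackDNS=` key comes from resolved.conf(5) rather than from the message, the empty-assignment behaviour is an assumption, and the sample file is constructed.

```python
import ipaddress

# The four addresses quoted in the message above.
PAGE_ADDRS = {ipaddress.ip_address(a) for a in (
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844")}

def _addr(token):
    """Parse one server token, dropping any %ifname or #name suffix."""
    try:
        return ipaddress.ip_address(token.split("#")[0].split("%")[0])
    except ValueError:
        return None

def resolv_conf_servers(text):
    """Addresses on the 'nameserver' lines of a resolv.conf."""
    rows = (line.split() for line in text.splitlines())
    found = (_addr(r[1]) for r in rows if len(r) >= 2 and r[0] == "nameserver")
    return [a for a in found if a is not None]

def resolved_conf_servers(text):
    """Addresses given for DNS= and FallbackDNS= in the [Resolve] section."""
    found, section = {"DNS": [], "FallbackDNS": []}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank or commented-out line, e.g. "#DNS="
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if section == "Resolve" and key in found:
            # Assumption: an empty assignment resets the list, as is usual
            # for list-valued systemd settings; otherwise values accumulate.
            found[key] = found[key] + value.split() if value.strip() else []
    return {k: [a for a in map(_addr, v) if a is not None]
            for k, v in found.items()}

def audit(resolv_text, resolved_text):
    """Return (hits, nothing_explicit) for the two configuration texts."""
    sources = {"resolv.conf nameserver": resolv_conf_servers(resolv_text)}
    for key, addrs in resolved_conf_servers(resolved_text).items():
        sources["resolved.conf " + key + "="] = addrs
    hits = sorted(f"{src} {a}" for src, addrs in sources.items()
                  for a in addrs if a in PAGE_ADDRS)
    # nothing_explicit: neither file names a server, so only a built-in
    # fallback (if the build has one) would be answering queries.
    return hits, not any(sources.values())

# Constructed sample resolved.conf, not taken from any real system.
SAMPLE_RESOLVED = ("[Resolve]\n#DNS=\nDNS=192.0.2.53\n"
                   "FallbackDNS=2001:4860:4860:0:0:0:0:8888 8.8.4.4\n")
```

The check only sees servers written in the two files; what a given build compiles in as its default has to be read from that build's documentation or source.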