[Pkg-erlang-devel] Bug#585122: (no subject)
Sergei Golovan
sgolovan at nes.ru
Thu Apr 25 17:35:02 UTC 2013
Hi Roland.
Currently, epmd looks at the ERL_EPMD_ADDRESS environment variable
which contains a comma separated list of IP addresses to bind. So, you
can bind epmd to the loopback address only (for wheezy and future
releases, not for squeeze).
On Thu, Apr 25, 2013 at 7:04 PM, Roland Hieber <rohieb at rohieb.name> wrote:
> Is there any progress on this?
>
> I can only support the -loopback option. How many users do need to run
> distributed applications after all? And if they need to, they probably
> know how to configure epmd properly. On the other hand, every single
> user who chooses to install an Erlang application that does not
> neccessarily need distributed access (like ejabberd, and even gwibber
> through CouchDB) opens a security hole on their system WITHOUT EVEN
> KNOWING (where is the /usr/share/doc/erlang-base/README entry for that?)
>
> From a security standpoint, the strategy to bind to 0.0.0.0 by default
> is absolute nonsense and potentially hurts more users than it eases
> configuration. This is not the good old Debian way to do.
>
> - Roland
>
--
Sergei Golovan
More information about the Pkg-erlang-devel
mailing list