Functionality vs Security
James Feist
james.feist at linux.intel.com
Thu Feb 13 08:16:28 AEDT 2020
In IRC yesterday I proposed the question of whether to change the
default of bmcweb to disable REST D-Bus, or to change it in our
meta-layers only. I created the patch here:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/29344 and I am
looking for feedback. While REST D-Bus does expose many useful APIs, and
phosphor-webui depends heavily on it, it does leak information to any
logged in user. This comes to the question, should we prefer
functionality by default or security by default? It is a compile switch
either way, so each user can still decide which they prefer. I have the
opinion that the default should be the safest configuration, and if
someone wants to change that, then they can accept the risk and change
the build flag.
Thoughts?
Thanks,
James
More information about the openbmc
mailing list