Functionality vs Security

James Feist james.feist at
Thu Feb 13 08:16:28 AEDT 2020

In IRC yesterday I proposed the question of whether to change the 
default of bmcweb to disable REST D-Bus, or to change it in our 
meta-layers only. I created the patch here: and I am 
looking for feedback. While REST D-Bus does expose many useful APIs, and 
phosphor-webui depends heavily on it, it does leak information to any 
logged-in user. This comes to the question, should we prefer 
functionality by default or security by default? It is a compile switch 
either way, so each user can still decide which they prefer. I have the 
opinion that the default should be the safest configuration, and if 
someone wants to change that, then they can accept the risk and change 
the build flag.




