| The first and easiest to deal with is which daemons are left on as part of standard install.
Just have a checklist of the benefit/security risk these services represent, i.e., the positive and negative consequences of turning them off or leaving them on, and suggested alternatives.
This could be the last thing the install does.
At the very least, the install should have a reminder of the existence of, and a pointer to, this list (be it a man or a pop-up box, whatever).
A checklist would assuage those who feel that Portmap should always be installed.
Personally, I feel that it should be neither automatically included nor excluded.
Just have it as an install option, right at the end. As a default? Sure, why not, but give the user the option to nix it right from the get-go.
The second issue of auditing code for security bugs is a much more difficult and massive undertaking.