Fedora Feature Proposal: Yum Integration

Matthew Miller mattdm at mattdm.org
Fri Jul 20 15:05:43 UTC 2007


On Fri, Jul 20, 2007 at 10:54:16AM -0400, Horst H. von Brand wrote:
> > > Nope. If it has to be installed/configured/managed by root, it is system
> > > software, regardless of it being the kernel or a game. The stuff in
> > > $HOME is yours to mess around with.
> > You mean "by root", or "by a process with root privileges"? Because that's a
> > whole different question.
> No, it isn't. Not really.

Sure it is, because the latter can be controlled by policy.

> > "Foo kind of packages" from an approved repository of
> > cryptographically-signed rpms.
> Checked by whom for sanity? Who decides which ones can be installed and

Fedora.

> which ones can't (e.g., chat style applications are banned here, other
> places will disallow all games, ...)? If the user decides freely, she's
> root for all purposes. If there is any policy on what to install and
> what not, she can't be allowed to install stuff, period.

Hence the ability to define policy.

But can you elaborate more on "root for all purposes"? I'm not aware of any
programs in Fedora which, when installed, make a user root. Barring any
security holes, of course. One still wouldn't be able to start or configure
services without further authorization.


> Besides, you very well can set up a sudo(1) entry that allows Jane
> R. User to run *only* yum with designated repositories. I just fail to

If you're limiting to installation, sure. But more fine-grained control than
repository level might be desirable.


> see why such (local policy) has to be integrated into the system, when
> it is not universally required (or even wanted). Remember: Unix
> philosophy is having tools that do one thing, and do it well. Leave the
> infinite combinations in the capable hands of the user.

This is a good argument *for* the idea.



> Managing a computer isn't trivial, if the users don't know how to do it
> right, better keep their hands in the pockets. Random stuff installed by
> (well-meaning) users or random passers-by caused immense grief here with
> Windows, until we just gave the users restricted accounts.

Users can currently install whatever random stuff they want in their home
directories. They can build their own local versions of network clients and
then fail to upgrade them to fix security flaws. Much better to allow them
to install selected programs from the official Fedora repository.

-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>



