Security policy oversight needed?

Adam Williamson awilliam at redhat.com
Thu Nov 19 20:43:35 UTC 2009


On Thu, 2009-11-19 at 13:38 +0000, Richard Hughes wrote:
> 2009/11/19 Paul W. Frields <stickster at gmail.com>:
> > It makes sense to me for the upstream defaults to be fairly
> > restrictive, with changes being made downstream in distros (and their
> > remixes/spins) to loosen those up as needed.  In other words, our
> > desktop package group would include whatever was needed to induce the
> > desired behavior in the Desktop spin.  A good bit of this issue would
> > need to be addressed upstream though.  (Maybe I just repeated what you
> > said, not sure if I caught the nuance.)
> 
> Yes, this makes a lot of sense, and if I was to redo the F12
> experience again this is what I would have done. At the moment we're
> asking the server spin to essentially close the door, when maybe we
> should start with a closed door, and be asking the desktop spin to
> open it up a little more.

It's a point I've made elsewhere, but I'm not sure it's perfectly okay
to keep talking about 'the desktop spin'. First of all, this does not
only affect the desktop live image: it also affects a default install
from either the DVD image or a network install. PackageKit is installed
by default in both those cases.

(I wouldn't be surprised if it's also on the Xfce and LXDE spins too,
btw).

Second of all, the general perception of 'the desktop spin' is not 'the
desktop spin'. The general perception, helped by how our download page
is set up, is that 'the desktop spin' is Fedora, or at least the three
methods mentioned above - desktop spin, DVD, network install - are
Fedora. Most people who are not quite active Fedora project members, and
probably even a lot of those, see the desktop spin as 'default Fedora',
not as a special-interest spin like the KDE or XFCE spins. Whether
that's right or not is a question to be looked at, but we have to take
into account that that's how things are generally seen at present.

Third of all, though this has been implied already, it's worth
explicitly stating: the policy change was not made in 'the desktop
spin'. It wasn't even made in Fedora's PackageKit package. It was made
upstream. Upstream PackageKit comes configured to allow trusted package
installation without authentication.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net




More information about the fedora-devel-list mailing list