[Fedora-livecd-list] A French Fedora LiveCD.

J. Hartline jasperhartline at adelphia.net
Wed Mar 8 22:00:33 UTC 2006


Jeremy Katz wrote:

>On Wed, 2006-03-08 at 23:26 +0530, Rahul Sundaram wrote:
>>Jeremy Katz wrote:
>>>On Wed, 2006-03-08 at 08:29 -0500, J. Hartline wrote:
>>>>Provide fedora and root usernames with blank passwords. Security is not
>>>>a concern for a Live CD
>>>
>>>No!  Security is very much a concern here.  We need to make sure we
>>>don't start a spread of worms from our live CD.
>>
>>Auto login to a non administrative user called Fedora. How is that bad
>>for security?
>
>If you have ways to log in remotely, then it could allow for people to
>log in and start running, eg, eggbots or any of a number of other things
>if there's a blank password.
>
>So it's not necessarily that auto-login to a non-administrative account
>is bad (it probably does make sense).  But just that thinking "oh,
>security isn't a concern for a live cd" is not wise.

I am not a fan of blank root passwords, or blank passwords altogether, I
am just quoting what is in the Kadischi/Schedule as of when the email was
written. I personally am more interested in SquashFS and am waiting to
see if busybox can be rebuilt with losetup since 1.10 employs this
feature and busybox-anaconda-1.01 is the last update available.

Really.. I mean when I first talked to Elliot Lee about maintaining an
RPM of Kadischi (On my own time or even a package that could eventually
go into Extras) he asked me certainly I wasn't patching Anaconda from
the RPM %post scripts, of course not.

In this same sense I don't see how a community project benefits without
several inputs like second person points of view.. will the "Unofficial"
CD Chitlesh is putting out have sshd started by default.. blank root
passwords? This certainly doesn't spell anything good.

My point is I don't believe non-input is the way to go about getting
_something_ out to the public. Personally I'm confused, I started into
this project wanting to see the fedora-livecd-list in the already
established mailing lists, list. Now we are (going to?) pushing out
insecure, non-community driven CDs. I've obviously missed something
since August.

J. Hartline



