A Topic that needs to be discussed on next the QA meeting..

Johann B. Gudmundsson johannbg at hi.is
Tue Mar 18 01:32:55 UTC 2008 

Jon Stanley wrote:
> On Mon, Mar 17, 2008 at 5:49 PM, Johann B. Gudmundsson <johannbg at hi.is> wrote:
>   
>> See bugs
>>  https://bugzilla.redhat.com/show_bug.cgi?id=437811
>>  https://bugzilla.redhat.com/show_bug.cgi?id=136289
>>  https://bugzilla.redhat.com/show_bug.cgi?id=147557
>>
>>  In my books this fails QA bigtime and poses a MAJOR security risk for
>>  the end user(s).
>>     
>
> Your book is not everyone's, nor probably even the majority of
> people's.  I for one use sshd on *every* machine that I own (yes, I
> even login to my desktop remotely - that's how I IRC).
>
>   
As I said I needed to know who were the target audience were
and I see it's not desktop users thats why Ubuntu succeeded were Fedora 
should
have long ago ( yes I have had high hopes for a long time )...

Thanks for making that one clear I have actually been waiting for some 
one to give me a straight
answer regarding that matter and this just proves that Fedora will never 
be dominating the world :) .

That kinda also explains all this whole RTFM for the end users and he 
has to be and is expected to be
an "Linux Guru " attitude that still exists here ( Bug 436227 for 
example )...

And I who apparently is so ignorant and foolish in thinking our main 
goal was to let Fedora grow and our main target was the home/desktop user
and expecting those who are gonna use it for server or other things 
actually would know how to setup Fedora to do so silly me...

>>  Either a respins with this *feature* needs to be done or a
>>  reintroduction of Desktop/Server install
>>  with the server install enabling this feature..
>>     
>
> Nah, it's a sane default.  If you wanna go down this road, choose
> something that has *actual* security implications (beyond someone
> possibly brute-forcing a poorly chosen password - users can shoot
> themselves in the foot via many means.  Anaconda even warns of a
> poorly chosen rootpw now).
>
>   
I would say leaving sshd running with punch hole in a firewall poses a 
great security risk
If a noob users clicks next next ok done through out the installation 
process and ends up
leaving himself open to brute force attacks which his machine then can 
be used to attack other machines ( M$ )
but hey apparently that's just me..

I would actually think this "not a security risk" should be mentioned 
each time somebody hands out a Fedora DVD.
or somebody that walks passed the Fedora booth and graps one.

But if it is one of Fedora objectives to distribute easy rootable boxes 
to the internet fine...

>>  It's good that some one in QA board can contact Fedora Security team and
>>  get their input on this issue.
>>     
>
> QA Board???  I didn't know such a thing existed.  I nominate myself :)
>  Seriously, Jeremy would be about the closest thing that you come to
> that (Will and Jesse as well).
>
>   


Will was the one I actually thought were a member of that board and
kinda the "Head of the QA department,"( sorry Jeremy or Jesse or Bill )
( I Actually thought there were a QA Board, Testers reporting to the board
and QA board coordinating tests/bug hunts logic right..).
Hence I reopen reassigned status and was waiting for them to step in..

Since there is none I suggest one is created to address
issue like this which consist of not only developers.
There can be more conflicts like this..
>>  Are we targeting Desktop/Home user or not?
>>     
>
> Along with many other segments.
>
>   
If we are targeting a whole bunch of "segments" then we should
release specifically tuned to those "segments"

M$ has a server version Mac OS X has a server version
there is a reason for it!

<whisper>Even Redhat has few *versions*....

So why cant Fedora release a server version?

This whole TRY TO PLEASE ALL concept is flawed..
>>  If so then we have to make it hard for them to accidentally  shoot them
>>  self in foot security wize...
>>     
>
> Users can shoot themselves in the foot via lots of methods.  I don't
> see this one being particularly egregious.
>
>   
I said it once and I say it again only service that are needed for 
"running system + networking"
should be enabled by default the rest should the user configure on 
firstboot!
Even filed an RFE for this!
>>  I mean a noob user accidentally turned of his firewall during install
>>  with the current default installation options leaves
>>  him open to how many security risks?  ( none is the right answer )...
>>     
>
> Well, that's no longer a default installation then, is it?  Should we
> disable CUPS too? (that at least has a recent history of issues).
>
>   
YES ALONG WITH AVAHI BLUETOOTH AND MORE...
until the system can proparly detect HW and enable services on demand...

Fedora cant be tuned to everybody's needs!

The end user should be making that chose not Fedora trying to make 
"guesses" on how
he's gonna setup his system.

We should be delivering a solid secure product then it's on the users 
hands if he messes it up
not us delivering it already unsecure.

Since this is the whole attitude why are we shipping Fedora with SElinux 
enabled since users
are already good enought to shoot them selves in the foot????


>>  I'm gonna reopen this mark Anaconda as FAILED_QA  then after this has
>>  had a proper discussion
>>  with input from Fedora-Security-Team a QA board member can CLOSE this or
>>  it will be FIXED.
>>     
>
> It is already CLOSED NOTABUG, and should remain that way.
>
>   
I still strongy disagree not that it matters my efforts are in vain....

Best regards
                   Johann B.

You win some, you lose some....

More information about the fedora-test-list mailing list