On Thu, Aug 6, 2015 at 4:43 PM, Andrew Walton <andrewfixcomputer@xxxxxxxxx> wrote:
> Thank you both for your replies, Chris and Kurt.
>
> Chris suggested shorter posts and this is obviously necessary. As I
> mentioned previously, by default I disable packagekitd and remove
> gnome-packagekit and gnome-software-installer. And I don't use wine.
>
> The problem is not a personal one, it's about other people gaining the
> confidence to have a go themselves.
>
> Chris also rightly questioned whether or not this is a firewall issue, the
> answer is both yes and no. For people migrating from Windows this is where
> they are used to finding such a feature, and firewalld is already monitoring
> network ports.

I don't often use Windows, but I have done a lot of installations and updates of Windows, and I only recall ever going to Windows Update to configure whether to always automatically do updates, or to ask me, or do nothing (never update). I never touched the firewall: Vista, 7, 8 or 10.

I do think Gnome Software needs a UI switch to disable at least automatic updates (which includes downloading the packages) and limit refreshing metadata to something like once a week. This should be raised again on devel@ or desktop@; it's come up before and I just see a lot of foot dragging making this happen.

I think a lot of developers are not that sensitive to this because they have good bandwidth. I realized this problem just out of general frustration doing testing and seeing PackageKit download 1GiB of data every time I did a test install; but that was with fast Internet. Now that I'm in the sticks and have not just shit, but intermittent shit, the default behavior actually rather pisses me off as OS X and Windows are friendlier in this regard about how they conserve bandwidth and aren't hogging....

Anyway, now I'm being verbose. I'd stick this on desktop@ and in all likelihood I'll see it and put in my 1.5 cents.

But this definitely does not strike me as a firewall issue. The firewall on Fedora opens any port for a client side application that requests it; it only blocks external requests (and not all of them on all ports, which is a Workstation working group policy).

> When it becomes a security issue, and it will, is when people need to
> install proprietary drivers for devices. At some stage these drivers are going
> to become more popular and more sophisticated, sophisticated enough to
> include spyware.

That's a different thing. At the moment proprietary drivers are the domain of a sysadmin, not a user. And the sysadmin should be checking to make sure the downloaded package hash matches what the manufacturer provides, or the package itself should come signed (and dnf can verify the package signature).

As for verifying the integrity of binaries once installed, that's the domain of UEFI Secure Boot right now. If that's not being used, there's no restriction on kernel or application binaries being executed. But it's a valid question whether and when there's an opt in for a sysadmin to enforce only the execution of signed application binaries (with an approved list that can be pushed to each workstation).

--
Chris Murphy
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
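
The hash check described in the message above for a downloaded driver package, as an added example that is not part of the original thread: a shell function that compares a file against a vendor-published checksum list and fails closed when the file is unlisted or listed with conflicting hashes. The file names, the `verify_pkg` helper and the sample data are constructed for illustration.

```shell
# Added example (not from the thread): fail-closed check of a downloaded
# package against a vendor-published checksum list in sha256sum format.
# File names and sample data are constructed; assumes GNU sha256sum and
# package names without whitespace.

# verify_pkg <package-file> <checksum-list>
# 0 = match, 1 = mismatch, 2 = missing input,
# 3 = no entry for this file, 4 = conflicting entries.
verify_pkg() {
    local pkg list name expected actual
    pkg=$1; list=$2
    [ -f "$pkg" ] && [ -f "$list" ] || { echo "missing input" >&2; return 2; }
    name=$(basename -- "$pkg")

    # List lines look like "<64 hex>  <name>" or "<64 hex> *<name>".
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 64 && $1 ~ /^[0-9A-Fa-f]+$/ { print tolower($1) }
    ' "$list" | sort -u)

    # Word-split the (hex-only) result to count distinct published hashes.
    set -- $expected
    case $# in
        0) echo "no checksum published for $name" >&2; return 3 ;;
        1) ;;
        *) echo "conflicting checksums for $name" >&2; return 4 ;;
    esac

    actual=$(sha256sum -- "$pkg" | cut -d' ' -f1)
    if [ "$actual" = "$1" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    return 1
}

# Constructed demo: a stand-in driver package and a vendor list for it.
demo_dir=$(mktemp -d)
printf 'constructed driver payload\n' > "$demo_dir/example-driver-1.0.rpm"
( cd "$demo_dir" && sha256sum example-driver-1.0.rpm > SHA256SUMS )
verify_pkg "$demo_dir/example-driver-1.0.rpm" "$demo_dir/SHA256SUMS"
```

The checksum list is only as trustworthy as the channel it was fetched over; for a signed RPM, `rpm -K <file>` checks the package signature against the keys imported into the RPM database.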