On Thu, Aug 21, 2014 at 3:56 PM, Owen Taylor <otaylor@xxxxxxxxxx> wrote: > On Thu, 2014-08-21 at 15:11 -0400, Josh Boyer wrote: >> On Thu, Aug 21, 2014 at 3:03 PM, Elad Alfassa <elad@xxxxxxxxxxxxxxxxx> wrote: >> > Hello. >> > >> > I propose we remove firewall-config (the graphical firewall configuration >> > utility) from the default install of Fedora Workstation. >> > Rationale: >> > >> > * The default Workstation zone file allows incoming connection to non-root >> > ports. This means most of the common usecases will "just work" out of the >> > box. Thus, most users will not need to touch their Firewall settings. >> > >> > * People who do need it will be able to install it from GNOME Software quite >> > easily. Just search for "Firewall". There will be no confusion as this is >> > the only firewall configuration tool shown in GNOME Software. >> > >> > * In general, we should avoid having app launchers for things that are >> > configuration utilities in the default install. >> > >> > Unless there's major objection to this change in the following few days, >> > I'll remove it from the gnome-desktop group in comps. >> >> I object for now. I'd like to hear more from Matthias, Christian, and >> the firewalld contributors first. We already discussed this a while >> ago and there has been work to make it more Workstation appropriate. >> I don't think we should remove it without consensus from everyone that >> has already been discussing this. > > That's why the list was mailed ... to get some discussion and build > consensus :-) Yep! That's why I said "for now". I just didn't want Elad to remove it in a few days before we actually discussed it. > One main idea of putting a lot of work into GNOME Software is to reduce > the difference between "installed by default" and "not installed by > default" - there are a ton of things that we want to allow a user to do > easily with Fedora that we can't have in the default install. Sure. > Having something in the default install to me means two things: first, > we think that the activity it enables is something that a large > percentage of users will want to do. Second we want to actively > encourage the user to stumble on the application, start it up, find what > it does. > > If you start firewall-config I don't think it meets the second objective > - you get prompted for authentication before it even loads, and you are > immediately confronted with a pretty complex UI that depends on > understanding concepts (zones, runtime vs. static config, trusted vs. > untrusted services, etc.) that most technical users probably won't > understand without some study. Correct. That interaction is what was highlighted as not being suitable, but I thought there were plans to address it. > But if we need firewall-config for the first objective - if a large > fraction of users will need to use it, then the right response to the > complexity is to try and make it friendly for non-firewall-experts, > rather than removing it from the default install. The *idea* here is > that that's not the case as of Fedora Workstation 21 - the average > developer won't need to configure their firewall - e.g., when developing > a web app, a developer will almost always be running on a high port. Right, and I thought the firewalld team and others were working on a UI that _is_ appropriate. Did that work happen? What state is it in? etc. josh -- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/desktop
