Hey Thomas, ----- Original Message ----- > Hello, > > On 08/21/2014 09:03 PM, Elad Alfassa wrote: > > Hello. > > > > I propose we remove firewall-config (the graphical firewall > > configuration utility) from the default install of Fedora Workstation. > > Rationale: > > > > * The default Workstation zone file allows incoming connection to > > non-root ports. This means most of the common usecases will "just work" > > out of the box. Thus, most users will not need to touch their Firewall > > settings. > > > > thank you for reaching out here on the firewall-devel mailing list. I > really appreciate that you keep us in the loop regarding this request > for Fedora Workstation. > > I am a bit surprised by this request, because from what I recall about > Fedora Workstation, the idea was to focus on server and client > application developers as a target audience, right? > > At least according to http://fedoraproject.org/wiki/Workstation: > > "The system will primarily be aimed at providing a platform for > development of server side and client applications that is attractive to > a range of developers - from hobbyists and students to developers > working in corporate environments." > > So that means that server application developers without the firewall > configuration tool would have to either use the command line or even > completely disable the firewall in order to develop networked services > that use privileged ports, right? > > And that would in my humble opinion be a really bad user experience for > server application developers trying to use Fedora Workstation. I think that using the command-line to poke open a hole in the firewall is going to be a better experience than running firewall-config. There's no explanations of the zone concept, and the interface is basically a graphical interface for firewalld, not a firewall configuration tool. > > * People who do need it will be able to install it from GNOME Software > > quite easily. Just search for "Firewall". There will be no confusion as > > this is the only firewall configuration tool shown in GNOME Software. > > > > Searching for a firewall configuration tool and the need to install it > over the network would not be a good user experience in my opinion. > Additionally it would not be possible for the user to configure the > firewall with a graphical configuration tool according to the security > requirements of the environment before going on line. Citation needed. In any case, unless the person using Fedora Workstation is the person putting those restrictions in place, I don't think the user would have access to the firewall configuration (or that would defeat the point, no?) > > * In general, we should avoid having app launchers for things that are > > configuration utilities in the default install. > > > To have a system without being able to configure it before actively > searching for configuration tools is hopefully not the goal. They would have a system where a configuration tool is not necessary in most cases, as, as Elad mentioned, most frameworks will take care of using high ports when running as a normal user. In the future, I'd like to see things like Apache and MySQL running on high ports in the session, rather than having to configure the firewall. > > Unless there's major objection to this change in the following few days, > > I'll remove it from the gnome-desktop group in comps. > > > > I would personally strongly recommend to keep the firewall configuration > utility in Fedora Workstation to allow server application developers and > also others to have an easy way to configure their firewall settings > according to their needs. I don't think that developers need it, not any more than they'd need some of the other tools we ship as add-ons rather than in the Workstation image. > Would you mind if we continue this discussion on fedora-devel as I > strongly believe that the broader community should give more input to > this decision. The whole point of the separate versions of Fedora is for us to avoid deferring to Server, Cloud or fedora-devel when making decisions about Workstation. Cheers -- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/desktop
