On Mon, Aug 25, 2014 at 3:39 AM, Bastien Nocera <bnocera@xxxxxxxxxx> wrote: > Hey Thomas, > > ----- Original Message ----- >> Hello, >> >> On 08/21/2014 09:03 PM, Elad Alfassa wrote: >> > Hello. >> > >> > I propose we remove firewall-config (the graphical firewall >> > configuration utility) from the default install of Fedora Workstation. >> > Rationale: >> > >> > * The default Workstation zone file allows incoming connection to >> > non-root ports. This means most of the common usecases will "just work" >> > out of the box. Thus, most users will not need to touch their Firewall >> > settings. >> > >> >> thank you for reaching out here on the firewall-devel mailing list. I >> really appreciate that you keep us in the loop regarding this request >> for Fedora Workstation. >> >> I am a bit surprised by this request, because from what I recall about >> Fedora Workstation, the idea was to focus on server and client >> application developers as a target audience, right? >> >> At least according to http://fedoraproject.org/wiki/Workstation: >> >> "The system will primarily be aimed at providing a platform for >> development of server side and client applications that is attractive to >> a range of developers - from hobbyists and students to developers >> working in corporate environments." >> >> So that means that server application developers without the firewall >> configuration tool would have to either use the command line or even >> completely disable the firewall in order to develop networked services >> that use privileged ports, right? >> >> And that would in my humble opinion be a really bad user experience for >> server application developers trying to use Fedora Workstation. > > I think that using the command-line to poke open a hole in the firewall is > going to be a better experience than running firewall-config. > > There's no explanations of the zone concept, and the interface is basically > a graphical interface for firewalld, not a firewall configuration tool. > >> > * People who do need it will be able to install it from GNOME Software >> > quite easily. Just search for "Firewall". There will be no confusion as >> > this is the only firewall configuration tool shown in GNOME Software. >> > >> >> Searching for a firewall configuration tool and the need to install it >> over the network would not be a good user experience in my opinion. >> Additionally it would not be possible for the user to configure the >> firewall with a graphical configuration tool according to the security >> requirements of the environment before going on line. > > Citation needed. In any case, unless the person using Fedora Workstation is > the person putting those restrictions in place, I don't think the user would > have access to the firewall configuration (or that would defeat the point, no?) > >> > * In general, we should avoid having app launchers for things that are >> > configuration utilities in the default install. >> > >> To have a system without being able to configure it before actively >> searching for configuration tools is hopefully not the goal. > > They would have a system where a configuration tool is not necessary in most cases, > as, as Elad mentioned, most frameworks will take care of using high ports when > running as a normal user. > > In the future, I'd like to see things like Apache and MySQL running on high ports in > the session, rather than having to configure the firewall. > >> > Unless there's major objection to this change in the following few days, >> > I'll remove it from the gnome-desktop group in comps. >> > >> >> I would personally strongly recommend to keep the firewall configuration >> utility in Fedora Workstation to allow server application developers and >> also others to have an easy way to configure their firewall settings >> according to their needs. > > I don't think that developers need it, not any more than they'd need some of > the other tools we ship as add-ons rather than in the Workstation image. > >> Would you mind if we continue this discussion on fedora-devel as I >> strongly believe that the broader community should give more input to >> this decision. > > The whole point of the separate versions of Fedora is for us to avoid deferring to > Server, Cloud or fedora-devel when making decisions about Workstation. OK, so with the information that Bastien and others have provided, we need to make a decision quickly on this. Workstation WG members, the proposal as it stands is to remove the firewall-config tool from the default install. Could you please review and vote on this as soon as possible? josh -- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/desktop
