On Sat, 13 Jun 2009 22:19:17 -0400
"Charles Butterfield" <charles.butterfield@xxxxxxxxxxxxxxx> wrote:

> Okay, so I mostly love Fedora. However, here are 4 things that got my
> blood really, really boiling, so I thought I'd share my emotions.
> They are mostly policy issues, where I think you have gotten it very
> very wrong.

Well, "wrong" is a fairly subjective term, but each to their own. :-D

>
> Just installed F11 64 bit, here are the things I hate about it in the
> first 30 minutes (of course there are a lot of things I like too, but
> they work, these don't). No doubt more will crop up.
>
> * Root gdm login - gets harder every release - SHAME ON YOU
> root nazis!

Ich bin ein secure user and you should be too.

Logging in as root into X directly (or the console for that matter) is a
*bad idea*. Yes a *BAD IDEA*

This isn't specific to Fedora or even Linux/UNIX for that matter (Savvy
Windows admins have been trying this too to no avail. They do exist, in
times past I was one..)

With the likes of sudo / ConsoleKit / console-helper et al. you should
never, ever need to run an extended session as root. Your day-to-day work
can be done perfectly well as a standard non-privileged user, the
applications that *need* root, especially in X, are hooked into
consolehelper/ConsoleKit anyway and will prompt you for the root password
in any case (when run as a regular user).

As a systems administrator I applaud this idea, as it stops people from
shooting themselves in the foot (which is more like a Howitzer, be it a
desktop or server).

As a BOFH I'd like to see it extended further, lecturing/LARTing the user
for even attempting root login on X/direct tty :-P

> * Samba (outbound) browsing requires firewall mods

Turn off the firewall (if you're on a trusted local network) or punch the
required holes (137-139,445,kerberos) via system-config-firewall otherwise.
The default firewall is quite strict, which given that new users are often
ignorant of UNIX security is not such a bad idea (see bullet/foot above).

> * Jamming SELinux enforcing mode with no query during install

I've done reinstalls and upgrades and not seen a denial AVC - I believe if
it runs during the installer it would be a permissive / targeted mode.

I did have SELinux break an upgrade but that was many releases back, and a
relabel fixed it.

> And a bug:
>
> * My "supported" NVIDIA card (Quadro NVS 295) is not detected -
> okay this may not be due to overt, mulish arrogance, but I did check
> the supported card list and it is really annoying.

While nouveau is better than prior releases, it's not perfect - I have an
8800GS - nouveau works but it kernel panics and glitched out on me on a
couple of occasions (suspect my system has a conflict somewhere) - the
nvidia binary blob works, it's not my preference but got things going.
I'll give it another whirl in a future update.

My card is supported too, but it doesn't mean it's perfect.

> The first 3 items are just freaking absurd and represent some sort of
> political agenda combined with astonishing arrogance.

You forgot the "IMHO". Can you outline this "political agenda" you speak
of, or are you being melodramatic?

I happen to believe the reasons are much simpler - sound technical and
*secure* usability. We're not being bastards for the sake of it.

> Is a graphical root login dangerous -- of course! So are a lot of
> things, which have obvious enable/disable controls. Was this
> discussed in the release note? - NO. Should it be inhibited by an
> ever-increasing set of obscure work-arounds (in this case a new file
> to edit in F11)? Of course not.

Again, you forgot the "IMHO". Your case is (hopefully) a minority one -
most users won't know or care, those that do will try and find out how to
enable it if they *really* want it.
Making it simple to do something that is inherently dangerous is just bad
practice and WILL bite users on the backside.

> (Well as was pointed out to me in
> thread http://forums.fedoraforum.org/showthread.php?t=223793 this is
> discussed... but in non-highlighted text at the end of the boring last
> bullet suggesting you "save and close").
>
>
> And why on earth show the stupid "Windows Network" if it doesn't work
> -- just gives an obscure error message "Failed to retrieve share list
> from server". If you install the client, the reasonable man would
> open the ports, OR provide a clueful error message.

Take up the error message with the nautilus developers - it's technically
correct (if the firewall is closed then the browse list will not be
retrievable from the DC/browse master) but not very specific.

The firewall case is different again: The precise ports to open vary by
environment (are you on an Active Directory domain or a Samba3/NT4 style
domain? The ports differ slightly between versions).

Also changing system security silently and dynamically in a package
install, without the user/admin's knowledge is a definite no-no.

>
> SELinux - enforcing???? So all the bugs are worked out? I think not.
>

Where did it break? The SELinux guys are usually pretty keen to see any
serious AVC / denials.

>
>
> Regards
>
> -- Charlie Butterfield

Michael Fleming.

--
Michael Fleming <mfleming@xxxxxxxxxxxxxxxxxxx> - (EMail/XMPP/Jabber)
WWW: http://www.thatfleminggent.com
Fedora / Red Hat Packages: http://www.thatfleminggent.com/rpm-packages
Twitter: http://twitter.com/thatfleminggent

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list