2009/11/19 Rahul Sundaram <sundaram@xxxxxxxxxxxxxxxxx>: > Right. The alternative really is defining the roles and the target > audience clearly for distinct set of policies and allowing the user to > trivially select it during or post-installation. I disagree, most people will just go for the default option without understanding the subtle nuances of what they are being asked. > So if I pick "personal desktop", the change you made makes sense. If on > the other hand, I choose "workstation" profile, I would obviously need a > more locked down profile. Surely if you're deploying a workstation (1000s of workstations?) you would just ship an extra package that set the PolicyKit policies according to the domain policy, so if I was a school, I would allow the active users to unplug removable drives, but not detach physical drives. I would also stop them installing and upgrading (not even give them the option to enter a root password) and also lock down who can change the clock. I would also prevent them from installing debuginfo files and being able to set thier audio system to real-time priority. The real argument is what set of users upstream software should target. There's an argument for upstream to default to "no" for all actions and for the admin to install a policy for "desktop", "workstation" etc, but then there's just the related problem of what policy package to choose by default for "Fedora". Richard. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
