On 12/06/2010 06:40 PM, seth vidal wrote:
> On Mon, 2010-12-06 at 16:10 -0700, Orion Poplawski wrote:
>
>> But once we're talking about OVERWHELMINGLY LARGE NUMBER OF SERVER INSTALLS,
>> aren't we also talking about kickstart and other automated management tools
>> with which configuring things away from their default values is a standard and
>> fairly straightforward thing to do?
>
>
> I am mostly concerned with surprising folks who have expected it to be
> on.
>
> But you know what - you have a fair point.
>
> If we make this change, as long as we make it a feature and publicize
> the heck out of it, I'm fine w/that.

* My firewalls have a lot of rules - huge number really - they are hand crafted and scripted directly into iptables-restore format so they load extremely fast.

* We are perfectly happy doing this and it is tested and robust.

* On my laptop I could be convinced to use a more 'dynamic' tool .. provided it did not reduce security (by some appropriate measure).

* As long as it continues to be easy to continue to use standard static iptables I'd be fine with the additions. Static should be the default on any 'server' like install as sv suggested.

* This reminds me to ask .. is ipset available on f14 yet? That is something that could be very useful for us .... it is not in f13 and would be a lovely addition to f14 .. :-)

* Will fedora bring app-armor (and GUI tools perhaps) as an selinux partner for f15 now that it's accepted in upstream kernel too?

gene/