On Fri, 2012-11-09 at 15:06 -0800, Adam Williamson wrote:

> Right now it seems like anaconda actually just throws firewalld into the
> target package set in absolutely all cases, like it does with
> authconfig, which I think is wrong. As the above makes clear, it only
> really makes sense to use anaconda's mechanism for adding packages to
> the to-be-installed set when they may or may not need to be installed
> depending on the path taken through installation. If we really want
> these to be in all installs, unconditionally, we should just put them in
> the @core group in comps. For authconfig, this may be the correct way to
> go. But for firewalld, it seems to me that so far as anaconda is
> concerned, it only needs to go into the installed system if the user has
> requested firewall configuration as part of the install, which I don't
> believe is the default and in fact is only available through kickstarts
> (so it's probably an uncommon case). It should be made conditional in
> anaconda; anaconda should not be forcing it into the to-be-installed
> package set in all cases.
>
> We already have firewalld in the 'standard' set in comps, which seems
> like about the right place for it - it'll be in most installs, but not
> minimal ones, if anaconda gets fixed up.

So I just followed this up in IRC. It turns out that right now, anaconda
always (or at least by default) *does* touch the firewall: it opens up
port 22. So that's why firewalld is getting added to the to-be-installed
package set unconditionally. Given the current behaviour, that's correct.

However, it seems like somewhat silly behaviour. If our default firewall
configuration is supposed to be 'port 22 open', we should express that in
our firewall package, not set a default in the firewall package and then
have the installer change it. That's just needless complexity (and results
in the problem of firewalld being in the minimal install, where it maybe
doesn't actually need to be).

So perhaps we should change firewalld to default to opening port 22.

Jesse points out that this kind of discussion usually gets derailed in
spectacularly unhelpful directions:

<jlk> right this usually gets us into an argument with the "community" and people suggesting, then arguing against, packages shipping their own firewall config so whether ssh is open or not depends on if you install ssh
<jlk> then somebody mentions German privacy laws and the whole thread goes nowhere.

So if you're going to follow up on this - there are fun discussions to be
had about the pros and cons of letting packages ship firewall configs, but
please don't do it in this thread; start a new one if you must. Having
firewalld ship a 'port 22 open' default may not be the best way to do
things in the best of all possible worlds, but it is at least _more_
sensible than having the installer set the default firewall policy.

And for the love of God, please don't bring up German privacy laws.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel