Re: remove polkit from core?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Steve,

On 12.11.2012 21:00, Steve Grubb wrote:

I think its a bad idea to have too much flexibility for access control systems.
They have to be verifiable. If you have to comply to PCI-DSS or the DISA STIG
or any other standard, you have to be able to demonstrate you are in the
approved config. No one can write a test that can tell if the rules really are
sound. So, what will happen is one set will be chosen for better or worse, it
will be SHA256 hashed. And no one can change anything in it without being out
of compliance.

The benefit of the name=value setup is that we can pick out the things that
matter and skip everything else which truly gives flexibility when needing to
demonstrate compliance.


My question is: Whether be acceptable the required compliance analysis to be performed on rules written in simplified rule language like Datalog instead of imperative scripted evaluation in some future version of polkit ... ?

(It seems to me that e.g. Datalog is good enough both as flexibility and static analysis (symbolic evaluation), furthermore IMO declarative rules are less error prone for sysadmins than scripting)

Kind Regards,
Alek

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux