Am 12.09.2013 08:25, schrieb Pierre-Yves Chibon: >> Application should request the ports to be opened and the firewalld >> layer should then confirm with the user stating which ports and >> which app requested said ports. The app can't lie if the firewall >> layer is the one asking for confirmation. > > But a malicious app can pretend to be another one, unless there is a way for the > firewall to know which app is asking in a way that cannot be forged the problem is that people refuse to understand security implications until it is too late and in context of a firewall this is fatal proven by 80 out of 100 alerts on securityfocus for *any* sort of software and before someone comes out with "but konqueror is from a package" well, and you be 100% sure that you not treat /usr/local/bin/ or ~/bin/konqueror the same trusted way and how do you make it sure?
Attachment:
signature.asc
Description: OpenPGP digital signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
