On 15.04.2014 19:05, Andrew Lutomirski wrote:
> On Tue, Apr 15, 2014 at 10:00 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>> On 15.04.2014 18:51, Andrew Lutomirski wrote:
>>> On Tue, Apr 15, 2014 at 9:44 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>>>
>>>> On 15.04.2014 17:40, Andrew Lutomirski wrote:
>>>>> On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>>>
>>>>> How about having an API where things like DLNA can simply
>>>>> not run until you're connected to your home network?
>>>>
>>>> you can prove that this will always happen the right way?
>>>> you can implement software *for sure* knowing the fact
>>>> what my home network is? if you can do that you get rich!
>>>
>>> Does the firewall really help?
>>
>> yes, because there is no single port reachable after the
>> installation and you can at least install security updates
>> released after the GA of the current Fedora setup until
>> you have a port open
>
> This is true even without the firewall. I'd argue that one of the
> Workstation release requirements should be that a default installation
> opens no ports to the outside world

and i argue that this does *not* help in case of a later happening bug after an update nor if you install any application later opening ports not intended for the WAN and you are not aware of the missing firewall because nobody right in his mind assumes that in 2014 an operating system comes out with disabled packet filters

what you propose is hope and pray

security doesn't work that way

security can only work if one single bug somewhere does not lead to a disaster because nobody looked at the whole picture and assumed all is working as intended

it is *proven* that this does not work and it is *really* scary that we have to discuss that in the year 2014 and especially one week after Heartbleed

WTF does somebody proposing to disable the firewall imagine would have happened if there has been a *highly secure application, allowing connections only with a matching SSL cert and using OpenSSL would have faced the public internet last week*

why do people not realize what *big difference* between opening that port only *willingly* to the WAN because playing locally with that application and have it open by default would have made?

and guess what: exactly the people with no clue about security and how to take care are the ones *not able* to turn on shields because they don't ask for it - if something doesn't work because the shields these people asking usually or better leave the shields up
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct