Am 21.04.2014 00:22, schrieb drago01: > On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote: > >> * there are network services enabled by default > > Again that's a bug and a viloation of the guidelines. Which services > are you talking about? > Please file bugs. please stop to prove even more that you have no clue of security a firewall and security layers are to prevent from *UNKNOWN* mistakes in the future they are to prevent expose network services to the WAN which most likely are intented for the local netwotk by the user (SMB and so on) hope that the ISP is blocking incoming SMB connections from the WAN is not enough * file bugs don't help in that context * the damned ISO image don't get fixed * even if it is replaced it takes way too long * the already existing setups are insecure "If you really know what you are doing you do *not* enable network facing services without installing updates first" was honestly enough to prove your missing understanding of the ordinary user because the ordinary users install his OS and starts whatever he wants to do with his computer - thinking that the first he does before start network aware services is too seek for security updates is laughable to say it in nice words >> * avahi is one of them > > You keep listing this as an example but avahi is not only installed > and enabled by default > but also allowed configured to work in the default firewall setup > since F18 [1] ... bad enough > So the current default firewall won't protect you against avahi flaws. > >> * you nor i can say for sure avahi never ever get a critical security update > > See above. see above >> * you nor i can be sure that there is not another network-service is running >> * even if it is not running by intention it may be running by mistake as default >> * so after you installed a new system avahi is running and the firewall down > > See above there is nothing to read above you don't understand what a "safe default" means you even refuse try to understand it which is horrible in 2014 >> * how do you genius install the updates without a network >> and to *not* have to consider what is safe and what you have to stop after >> a fresh install before you can plug your machine to the network for install >> security relevant updates a firewall has to be enabled by default > > Again you > > 1) assume that we enable random services by default and the firewall > is the only thing that protects freshly installed systems > 2) that given the user options that do not work and force him to learn > about computer networks to do basic tasks is how things should work > > both are false. for you not for people care about default security > Sure disabling the firewall is not the only way to solve 2) but the > "silently make things not work" i.e the status quo or "ask a user > questions that he does not understand" > are no solutions. until you come up with better ones they are disable the firewall is no solution > There have been other suggestions in this thread that are helpful like > the network zones thing (but we still have too many zones) or enabling > services should make them work i.e > just enable the firewall rules. which make sense your "if you are know what you are doing you don't" does not make sense the user knowing whate he is doing don't need hand holding in any case we are talking about terrible defaults >> honestly it's good that you are out of this discussion because you seem >> to not have you clue about security nor understand the implications of >> "who knows hat he is doing and why the one who don't need sane defaults" > > No the reason is simply that talking to you is very annoying most of the time talking to people with a clue what they are talking about is annoying - well, there are two choices. try to understand what they are talking about or keep annoyed > you resort to baseless attacks (like the this one) and strawmans. > > 1: http://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop well, maybe Avahi is a bad example because the major mistake in that case already happened, but that's a weak excuse to make more wrong decisions and throw the whole security of the distribution in a default setup away
Attachment:
signature.asc
Description: OpenPGP digital signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
