Re: an that is why we need a firewall -> Re: When a yum update sets up an MTA ...

On 28.04.2014 19:36, Miloslav Trmač wrote:
> 2014-04-28 19:33 GMT+02:00 Reindl Harald <h.reindl@xxxxxxxxxxxxx>:
> 
>     On 28.04.2014 19:27, Miloslav Trmač wrote:
>     > 2014-04-28 19:13 GMT+02:00 Reindl Harald:
>     >     you can make signed fedora packages trusted and allow them
>     >     at install or first start to interact with firewalld
>     >
>     > I can't; ptrace() doesn't make such a distinction.
> 
>     then that needs to be improved
> 
> We are working on improving it.  It will still take quite a lot of time I'm afraid.

so the status quo needs to be unchanged until then

>     > Still, the combined measures need to mitigate at least, say, 75% of cases,
>     > otherwise we're not really having enough impact
> 
>     in a perfect world yes, even more than 75%
> 
>     in reality: only *the one and only* case which affects me until an update is released
>     we need the > 75% because we don't know what is needed when
>  
> Good point, the "new system needs to be safely updatable" is an important case to consider.  (It's also the easiest
> one to handle, by not having the service start, and testing for that.)

you can't do that
even if you could in theory it must not be the only safety net

you choose at installation software XYZ which may listen on ports
that's the whole argumentation of dropping the firewall to make
these things working out-of-the-box the easy way

there is a time window between installation and get the latest updates
well, you need the network to fetch those updates

and what is permanently ignored here and proves that the proposal
disable the firewall completely is a clueless ignoring reality
is that "i want samba to share files" *never ever* means "oh
and samba should be reachable from the internet"

in no case - independent of possible vulnerabilities which need to be
closed by fetch updates over the internet you want samba be reachable
on the WAN and the one idiot out of a million which wants that doesn't
really so - he just doesn't know what he really wants

one of the goals of sane and secure OS defaults is to protect
users from themselves

even if the only thing you reach is a time window from start to find out
how to disable the firewall until find how to do to think about that
idea and come to the conclusion do that unconditionally is a bad idea
you reached a lot -> a handful users not doing so


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
