Re: "Workstation" Product defaults to wide-open firewall

On 08.12.2014 at 13:02, Aleksandar Kurtakov wrote:
> ----- Original Message -----
> From: "Reindl Harald" <h.reindl@xxxxxxxxxxxxx>
> To: devel@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Monday, December 8, 2014 1:26:29 PM
> Subject: Re: "Workstation" Product defaults to wide-open firewall
>
> On 08.12.2014 at 12:22, Bastien Nocera wrote:
>>> On 08.12.2014 at 11:45, Bastien Nocera wrote:
>>>>> Well, I'll understand these aspects.
>>>>>
>>>>> But when I think about Linux, especially about Fedora, I'm thinking
>>>>> about the freedom to make decisions. This means to me, to customize
>>>>> and take advantage of my computer and in this case my operating system.
>>>>
>>>> You're free to select another firewall zone
>>>
>>> so why do you not make secure defaults and say "You're free to select
>>> another (more insecure) firewall zone"?
>>
>> 1) It is secure enough and Eclipse listening to a port by default is a bug
>> (and I have the firewall specialists at Red Hat/Fedora to back me up)
>> 2) Good defaults
>
> again: the *purpose* of a Firewall is to protect from application bugs
> or unintentional user faults - frankly the early KDE4 setups in 2008 had
> a ton of 0.0.0.0 listening high ports, that were indeed a bug and
> hence a firewall to protect the user against such bugs
>
> it is not a bug that "ZendStudio" is listening on a high UDP port for
> license verification (only one instance in the same network via broadcasts)
>
> it is intentional by the software

> I'm not going to comment what is good, what is intentional and etc.
> All I'm asking for is for precise wording aka when something is done by ZendStudio or any other Eclipse plugin is to name it unless it's something that Eclipse Platform/RCP does.
> As both Fedora and upstream Eclipse platform developer I really care about negative press we get because of such statements. "Eclipse listens on some port by default" translates into "Eclipse is insecure" and etc. is entirely not true. We have a very strict privacy policy (http://www.eclipse.org/legal/privacy.php and http://wiki.eclipse.org/Policies/Uploading_and_Downloading_from_Eclipse_Software_Policy) so I sincerely ask people to not spread false statements like the one.

the point is not Eclipse

it was just an example of "netstat -l" as user and that the purpose of an OS is *not* to have defaults only sane in a default install

any application running as user can open a high port
that's the purpose of non-privileged ports

that means finally *any* bad piece of code with the current settings can open a listening port and be contacted from a botnet *directly* instead of opening an active connection to the outside (which is bad enough)

spammers will love that opportunity because they no longer need to rely on single points easily taken offline where the bot-nodes connect to, no, they just need to send their commands directly to the machines

Attachment: signature.asc
Description: OpenPGP digital signature
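The audit the thread keeps coming back to ("netstat -l" as user, then asking which of those sockets the host firewall actually lets in) can be scripted. The following is an added example written for this archive page, not code from the thread or from Fedora: it parses output in the shape of `ss -ltnup`, separates loopback-only sockets from ones bound to a network-reachable address, and then applies a simplified zone model. The sample socket listing, the process names and pids, the zone names and the rule "a wide-open workstation zone admits every unprivileged port (1025 and up) plus ssh, a public zone admits ssh only" are all constructed assumptions for the demonstration, not Fedora's actual zone definitions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample, shaped like `ss -ltnup` output (Netid State Recv-Q Send-Q
# Local:Port Peer:Port Process). Process names, pids and ports are made up.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:10087       0.0.0.0:*     users:(("ide-plugin",pid=4242,fd=31))
tcp   LISTEN 0      128        127.0.0.1:631         0.0.0.0:*     users:(("cupsd",pid=811,fd=6))
tcp   LISTEN 0      50           0.0.0.0:8080        0.0.0.0:*     users:(("java",pid=5150,fd=88))
tcp   LISTEN 0      128             [::]:22             [::]:*     users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      128            [::1]:6010          [::]:*     users:(("sshd",pid=950,fd=9))
"""


@dataclass
class Listener:
    proto: str      # "tcp" or "udp"
    addr: str       # local address as printed by ss, e.g. "0.0.0.0" or "[::1]"
    port: int
    process: str    # first process name in the users:(...) column, "?" if absent


LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


def parse_ss(text: str) -> List[Listener]:
    """Parse ss-style socket lines into Listener records; the header row is skipped."""
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated row
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # rpartition keeps IPv6 brackets intact
        match = re.search(r'\(\("([^"]+)"', line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for sockets that only the local host can reach, whatever the firewall says."""
    return addr.startswith(LOOPBACK_PREFIXES)


# Simplified zone model (assumption, not Fedora's real zone files): a predicate
# that says whether the host firewall would admit inbound traffic to a listener.
ZONE_RULES: Dict[str, Callable[[Listener], bool]] = {
    # "wide-open": every unprivileged port is admitted, plus ssh on 22/tcp
    "wide-open-workstation": lambda l: l.port >= 1025 or (l.proto == "tcp" and l.port == 22),
    # "public": only ssh is admitted
    "public": lambda l: l.proto == "tcp" and l.port == 22,
}


def exposed(listeners: List[Listener], zone: str) -> List[Listener]:
    """Listeners reachable from the network under the given zone model."""
    admit = ZONE_RULES[zone]
    return [l for l in listeners if not is_loopback(l.addr) and admit(l)]


def report(text: str) -> Dict[str, List[int]]:
    """Map each zone name to the sorted list of ports it would expose."""
    listeners = parse_ss(text)
    return {zone: sorted(l.port for l in exposed(listeners, zone)) for zone in ZONE_RULES}


if __name__ == "__main__":
    for zone, ports in report(SAMPLE_SS_OUTPUT).items():
        print(f"{zone}: exposed ports {ports}")
```

Run against the constructed listing, the wide-open zone exposes the two unprivileged ports (8080/tcp and 10087/udp) alongside ssh, while the public zone exposes ssh alone; the CUPS and X-forwarding sockets are loopback-bound and never count. On a real host, feed it `ss -ltnup` output instead of the sample and replace the zone predicates with the ports and services your actual zone admits.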

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
