On 12/09/2014 08:53 AM, Reindl Harald wrote:
On 09.12.2014 at 14:16, Bastien Nocera wrote:
On Tue, Dec 09, 2014 at 12:54:59PM +0100, Gerd Hoffmann wrote:
Why can't we have something like this? And if you don't want a popup
asking, have something in the NetworkManager applet menu, where people
can easily find the switch without having to search for it? A "[x]
allow sharing" checkbox? A firewall zone selector?
We can — we just need someone to design and write it.
A design for something that we don't want to implement.
and that is the point - you do not want and care because you seem to
think users are too stupid to make their own decisions - you know what
Linus said to that in direction of GNOME?
This was one of the options when implementing the feature, one that we
didn't pursue. We chose instead to use "user intent" as a way to do this.
If you start sharing something on a network, then we consider it safe
to share.
the problem is that you don't know *who* or *what* opened the port
Exactly, I think some people think we already reached the utopic world,
when everyone installs FLOSS applications from the repositories, and no
one uses closed source applications, or worse where all sharing is done
using GNOME control panel, and there aren't applications that don't
take into account the GNOME way of doing things.
What I see frequently are applications that are installed from outside
the Fedora repositories, that can be forced to behave like Fedora
packaging rules, with secure defaults before sharing, being installed
and the user that doesn't know much about firewall settings but understands
that the firewall is active, then thinks: I feel "secure" because I know
the firewall is blocking external requests.
and then in that utopic world things fail, for example, Fedora packaging
rules prefer that packages are installed with sensitive defaults, I
reported a bug about all cron email output being sent by default and it
was discarded as a security bug (pulled by an update)
https://bugzilla.redhat.com/show_bug.cgi?id=1157727
https://bugzilla.redhat.com/show_bug.cgi?id=1158493
https://lists.fedoraproject.org/pipermail/devel/2014-October/203781.html
This is no open port, but shows that packages can have bugs and
something that is closed by default today, can in the future be pulled
as an update and start sharing things. Those are bugs, true, but the
idea of opening the firewall entirely defeats the measure of defense
already in place. To me it sounds like disabling SELinux on workstation
because people find it difficult and decide to disable it instead.
The problem that is being tried to "solve" is that people choose to
disable the firewall. Why not add a simple option to the GNOME sharing
tools to change the firewall zone to this one where ports >1024 are open
when the user decides to share something, with the possibility of
selecting no for those people that only want to open only the needed
ports?
Note: I hope to not be called a troll here (joke, someone will understand)
If you connect to a public unencrypted Wi-Fi, you won't have the
option to. If you connect to an encrypted Wi-Fi where sharing your
holiday photos isn't acceptable then it won't, because you didn't ask
it to in the first place
besides suspend / move machine
a sane firewall design (sadly Windows has that in the meantime) is that
if I open a port in my home network, suspend the machine and wake it up
in a foreign network, ports are closed until I decide to open them there
too, but Fedora goes the easy way "who cares how and why as long as things
appear to work"
*who* told you that people don't share things *unintentionally* by a wrong
click which is *not* a problem until you decide to open ports
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct