On 12/17/2015 10:19 AM, Harald Hoyer wrote: > On 07.12.2015 20:57, Paul Wouters wrote: >> On Mon, 7 Dec 2015, Matthew Miller wrote: >> >>> I read your whole post. Those possibilities seem pretty limited, from >>> the point of view of serious regressions in Fedora usability. It isn't >>> that I "like" Fedora being less than technically correct (especially >>> around security-related features), but I don't think we can discount >>> the prevalence of "broken" schemes in the real world. >> >> But you gain nothing with waiting. There is no "fix" to wait for. Those >> stolen domains are broken and they will start to fail. The only difference >> could be that fedora won't be the first where this breaks on, but I >> thought "First" was one of our motto's ? >> >>> I don't really care about that. I care that we pick the solutions that >>> are best for our users. >> >> Supporting DNSSEC per default is best for the user. Not enabling DNSSEC >> is not a serious option. We delayed this feature a few times to ensure >> we would get better integration with gnome and VPNs so that we could >> address the _real_ problems. >> >> People using stolen or made up domain names is not a use case that can >> be supported anymore with Secure DNS. > > If it causes problems you have no time to fix, you will do "selinux=0 dnssec=0" Whoops. Why "selinux=0"? Do you think it would be better to tell people to set "enforcing=0" and collect AVCs with a report instead of saying "selinux=0"? > -- > devel mailing list > devel@xxxxxxxxxxxxxxxxxxxxxxx > http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx > -- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
