Re: Fedora Workstation and disabled by default firewall

On Tue, Aug 27, 2019 at 9:27 PM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, Aug 27, 2019 at 6:23 PM John Harris <johnmh@xxxxxxxxxxxxx> wrote:
> >
> > sshd was enabled by default back in F23, unless my install was completely
> > broken. I wouldn't remember that well, unfortunately, as I've been running KDE
> > since the end of the F24 release cycle.
>
> I don't think so.

Let's please focus on the topic at hand.

> * Fri Mar 13 2015 Dennis Gilmore <dennis@xxxxxxxx> - 23-0.4
> - add preset file for workstation to disable sshd
> https://src.fedoraproject.org/rpms/fedora-release/blob/f23/f/fedora-release.spec
>
> The Workstation technical specification document says in part:

Where is the full technical specification document, so one can read it
not in part, but in full?

>
> A firewall in its default configuration may not interfere with the
> normal operation of programs installed by default.

Using "public" as the zone default instead of "FedoraWorkstation"
would satisfy this and provide much more reasonable secure defaults.

> We should detect when the system is on a public or untrusted network
> and prevent the user from unwanted sharing...

"public" would prevent unwanted sharing. Auto-detection is a hard
problem... and I'm not convinced it's possible to solve without
annoying the user interactively on new network connections (and
possibly even reconnecting to previous connections). Either way, that
sounds like the problem of some other component... NetworkManager
perhaps... or something else. Such an auto-detection mechanism doesn't
seem to exist reliably. When it does, the secure assumption should be
to fail safe and assume untrusted unless otherwise specified.

The issue at hand is the default firewalld configuration. Any other
user-interactive experience, or network safety assessment, or
whatever, is a problem to be solved by other components in the future.
For now, firewalld should default to "public" or some similar secure
zone, IMO.

>
> Whereas the KDE spin isn't subject to that spec.
>
> --
> Chris Murphy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx



