On Wed, 2019-08-28 at 22:32 +0300, mcatanzaro@xxxxxxxxx wrote:
> On Wed, Aug 28, 2019 at 9:56 PM, Christopher
> <ctubbsii@xxxxxxxxxxxxxxxxx> wrote:
> > 2) the Workstation WG has not only taken no action in response to the
> > FESCo statement of trust at the conclusion of our last lengthy
> > discussion on this matter, it has been explicitly stated in this
> > thread that they have never had any intention of doing anything
> > further, even though that was FESCo's clear expectation.
>
> In January 2015, FESCo said:
>
> """
> AGREED: FESCo trusts the Workstation WG to properly research and
> develop a sensible firewall solution and will stay out of the way. (+5,
> 3, -0) (sgallagh, 18:40:04)
> """
>
> <https://pagure.io/fesco/issue/1372#comment-27998>
>
> It reads to me like an affirmation of the work that had been done for
> Fedora 21:
>
> <http://www.hadess.net/2014/06/firewalls-and-per-network-sharing.html>
>
> I don't think a reasonable person reading the thread could plausibly
> conclude that FESCo expected further work.

Here is the actual log of the meeting that produced that conclusion:

https://meetbot-raw.fedoraproject.org/teams/fesco/fesco.2015-01-07-18.01.log.txt

It's a pretty...messy discussion. I would say there was clearly an expectation at the start that there would be further ongoing work:

18:07:31 <sgallagh> I don't think anyone is perfectly happy with the current state (is that a fair statement?)
18:07:51 <mattdm> fair understatement, maybe even
18:08:01 <nirik> I'm not sure we need to discuss solutions here tho...
18:08:10 <t8m> nirik, +1
18:08:15 <nirik> unless we feel that it's worth overriding the workstation working group.
18:08:20 <mitr> sgallagh: I am reasonably happy with the current capabilities _of the firewall_ actually. I am very much wishing for reliable sandboxing which would replace some of the firewall uses but is not actually a firewall.
18:08:22 <nirik> which IMHO, I am -1 to
18:08:25 <sgallagh> nirik: Well, we need to try to agree on an end-experience, not necessarily an implementation
18:08:38 <t8m> mitr, +1
18:08:41 <hadess> the long term goals were mentioned in my mail to fedora workstation, definitely not finished, but certainly on the right path

But at the same time, there's a fairly strong vein of feeling that FESCo shouldn't override the WG here and should basically leave the WG to do whatever it wanted to do.

I think my interpretation would be that, as of the meeting, FESCo was willing to delegate this topic entirely to the WG; it was *expecting* further work to happen, but it did not *require* it, and I don't think you could say the conclusion at the meeting was incompatible with the WG simply leaving everything as-is.

There are a couple of other interesting notes along the way, especially this one (for me):

18:33:08 <mitr> Proposal 2) The automated tests to make sure that nothing in Fedora is listening by default unless on a strictly maintained whitelist are a blocker for F22.

That is talking about the whole idea that having a firewall enabled by default is not as important if there are no listening services by default; at that point you can make the argument that installing a service that listens on a port is a conscious decision to "open" that port.

It seems there was an expectation around this time that testing to ensure that this was actually the case should be automated. At the time this was expected to happen in Taskotron, but I don't believe it ever has. I think we could implement this in openQA relatively easily, and check that it's in the release criteria and validation tests. Assuming folks still think this would be valuable, I'll file a ticket for us to work on that.
I must also congratulate mclasen for this, given Christopher's comment that Michael replied to:

"18:20:33 * mclasen waits for the suggestion to ask in the installer"

It took four years, but here we are ;)

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net