On Wed, Aug 28, 2019 at 7:46 PM, Christopher
<ctubbsii@xxxxxxxxxxxxxxxxx> wrote:
> Yeah, I also don't want a complicated installer. I just don't see this
> disagreement going anywhere without some sort of compromise, and I
> can't think of any others that will satisfy people. I think there's a
> good chance this could be implemented without much complexity, though.
> Thank you for giving the idea at least a little consideration, though,
> and not outright dismissing it.

The potential compromise I see might involve exposing firewall zones in
some well-considered and thoughtful way, including a rethink of what is
blocked and allowed by the zones, and an understanding of what the goal
of having each zone is. That would have to be done in both gnome-shell
and gnome-control-center, and it'd need to receive buy-in from relevant
designers and developers.

Such an effort would need to be undertaken by developers who understand
and accept a requirement to not break installed applications or
services, to not expect users to be capable of editing firewall rules,
and to not require the installation of a firewall GUI application that
exposes technical details like ports. It would also need to firmly
reject the assumption that users know (or even that users *should*
know) the difference between a TCP port and a USB port. Otherwise, the
gulf between the two sides here is just too great, and there's no hope
for a useful discussion or compromise. But if these requirements are
OK, maybe we can agree on something.

The work would need to be undertaken by people actually interested in
the problem. Expecting existing Workstation developers to work on this
is not likely to turn out well, since we're busy, and I think most of
us are already OK with the status quo.

It'd also be helpful to get beyond this security myth that having a
firewall is somehow essential to have a secure workstation. I'm firmly
convinced this is not the case, and I'm unpersuaded by most of the
comments in this thread that assume otherwise. The best argument I've
seen so far in favor of a firewall was accidentally sharing your
Rhythmbox media library on a public network, so focusing on that or
similar issues would be helpful. Unplugging from trusted "wired
connection 1" (e.g. a home router) and plugging into a different
untrusted "wired connection 1" (e.g. a modem) is another good example
from this thread of where mistakes can currently occur. We probably
shouldn't allow users to share media on a network where the user has a
public IP, for instance. But just repeatedly claiming that a firewall is
essential for security isn't going to impress me.

Iñaki seems to be batting in this direction with the issues he's
filed. His approach seems constructive to me. I fear it might be easy
to have missed his comment in this noisy thread.

Michael