On 8/28/19 1:01 AM, Adam Williamson wrote:
> On Tue, 2019-08-27 at 15:06 +0200, Jiri Eischmann wrote:
>> mcatanzaro@xxxxxxxxx wrote on Tue 27. 08. 2019 at 15:07 +0300:
>>> On Tue, Aug 27, 2019 at 4:22 AM, John Harris <johnmh@xxxxxxxxxxxxx> wrote:
>>>> No, that is not how this works, at all. First, let's go ahead and address the idea that "if the firewall blocks it, the app breaks, so it's the firewall's fault": It's not. If the firewall has not been opened, that just means it can't be accessed by remote systems until you EXPLICITLY open that port, with the correct protocol, on your firewall. That's FINE. That's how it's designed to work. There's nothing wrong with that.
>>>>
>>>> This means that the system administrator (or owner, if this is some individual's personal system) must allow the port to be accessed remotely, before the app can be reached remotely, increasing the security of the system.
>>>
>>> You've already lost me here. Sorry, but we do not and will not install a firewall GUI that exposes complex technical details like port numbers. Expecting users to edit firewall rules to use their apps is ridiculous and I'm not really interested in debating it.
>>
>> Yeah, when you ask users questions they're not qualified to answer, you're just creating bad design.
>> I always imagine my mom (who BTW has been a Fedora user for years) how she'd deal with that and I can't really imagine her opening/closing firewall ports. She'd be puzzled even by "Do you trust this network?" and would probably just click "Yes" to make it go away. No additional security, just annoying UX.
>
> However, Fedora Workstation is an edition. Which means it has a *policy-defined* target audience. That target audience is defined here:
> https://fedoraproject.org/wiki/Workstation/Workstation_PRD#Target_Audience
>
> Case 1: "Engineering/CS student"
> Case 2: "Independent Developer"
> Case 3: "Small Company Developer"
> Case 4: "Developer in a Large Organization"
>
> Are those people we believe do not understand the concepts associated with firewalls?
>

Let's get real. It doesn't matter if you understand firewalls or not. Reality is that developers run applications they are working on in development configurations on their local system. With some luck they are properly configured, but as far as I know, most dev setups are not considered secure or "production-ready", and that for good reasons.

But what do we do after a long day? We take our notebook and close the lid at the end of a long day or when we head over to this annoying meeting with the new customer. We probably don't close and shut down all services we are developing/testing in the background. Then we head over there, open the notebook and of course need some kind of presentation/picture/data we stored on the cloud storage provider of our trust. We connect to the public/unknown WiFi and *boom* suddenly we have unexpected open ports on a public network we didn't mean to expose them to.

This is not something that people do on purpose, but it simply happens. It's how we use devices nowadays.

So I guess it would already improve the situation if we only opened the ports on install, which by far isn't a perfect solution but would already prevent the scenario mentioned above. Which occurs no matter if someone is aware of firewall concepts or not.

Let's work on solving this problem for everyone, because it's a general problem.

--
Signed
Sheogorath