On 4/9/20 10:42 AM, Björn Persson wrote:
[snip] Fedora's defaults should be chosen to keep users reasonably secure every way we can. If you as a sysadmin trust the DHCP server and every other device on the local network – including any device that may be connected in the future – then you should have the option to configure the system to trust DHCP-provided NTP and DNS servers. Björn Persson
That's one part of my complaint (which, admittedly, doesn't have much to do with this proposal). We seem to be trending toward some awkward one-size-fits-some semi-trust system where parts of the network are trusted as provided, and other parts aren't.
What I would love to see take shape instead (and again, I acknowledge this has almost nothing at all to to with this proposal) is the ability for users to easily mark networks as trusted or untrusted, with trusted networks using network provided resources, and the system firewall wide open (the current workstation default). On untrusted networks, DNSSEC / DoH / DoT (rough order of preference) used for DNS from a trusted resolver, NTS, firewall locked down, and maybe even a connection to a VPN automatically established if configured by the user.
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
