On Tue, Jun 16, 2020 at 04:22:42PM -0400, Gerald Henriksen wrote:
> Given the number of cases of evil people getting access to computer
> systems, and the fallout of said attacks, any package left on a system
> after it no longer is being maintained is not only broken but a
> security risk.

"no longer packaged by fedora" is not the same as being "broken" or "insecure". Just as "packaged by fedora" doesn't mean that it works or is kept secure. So please, please do not conflate the two.

(Case in point: dokuwiki, which was only "secure" in the sense that it was completely broken for 2-3 fedora releases, so exploiting the multiple outstanding CVEs in the packaged version was impossible..)

"Security" is a process, not a state; it has to be balanced against "usability".

What good is a security policy that requires me to disable it to continue using software that I find necessary? Or worse, a policy that auto-removes software I might still be using?

That is actively user-hostile, and you'll rapidly see instructions on how to disable it crop up on the inevitable "how to make your fedora system usable" instructions. Right after "disable selinux" but before "enable freshrpms", "install google chrome", and the inevitable "sudo curl http://github.com/blabla | bash" at the end.

Meanwhile, let's be honest. Is my main server more likely to get compromised through my use of mailgraph (dead upstream for over a decade and retired after F29 because nobody bothered to fix its selinux integration) or because one of my users had a shared password compromised in $massive_data_breach_du_jour?

> You as a user may wish to explicitly make the decision to ignore that
> risk and keep or re-install that software, and that is your choice.
> But it should not be the default behaviour of the distribution.

"Fedora knows better than its users" represents a massive shift in Fedora policy, and should be discussed as such before anyone talks about how to implement it.

If Fedora drops a package, that package currently gets relegated to the same position as any other software the user installed from non-Fedora sources -- which I'd wager is the overwhelming majority of workstation-type installs and a significant chunk of server-type installs too.

Upgrades still have to handle non-Fedora-supplied packages sanely, and the only sane, user-friendly way to handle those is to inform the user of the issue and let them decide what to do. On a per-package basis, because no matter what the default is, it's going to be wrong when applied across the board.

(Of the dozen-ish Fedora installs I'm responsible for, exactly one would be fine with this new policy. Every other one, workstation and server alike, is a special snowflake. Folks not running snowflake systems don't do in-place OS upgrades; they spin up new instances from scratch)

 - Solomon
-- 
Solomon Peachy
pizza at shaftnet dot org (email&xmpp)
@pizza:shaftnet dot org (matrix)
High Springs, FL
speachy (freenode)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx