Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

On Wed, Sep 30, 2020 at 03:14:10PM +0200, Graham Leggett wrote:
> I am required by these regulations and many other regulations in 
> multiple jurisdictions to make sure my users comply. If you have gone 
> out of your way to break secure operation on Fedora, we will have to 
> ban the use of Fedora by our users. I do not want to do that.

Then don't ban them, and do your job instead?

The fact of the matter is that using out-of-the-box Fedora 
configurations *today* can leak "private" DNS queries, and if VPNs are 
in use, it is a virtual certainty.

To make Fedora "Compliant" using your definition, one already has to 
adjust the system configuration.  This new approach, at worst, requires 
a slightly different configuration change to achieve the same results.

> As I said, this is not a technical discussion. You need to defer this 
> to compliance people, who I predict will simply tell you “comply”.

My $dayjob is headquartered in Europe and is in a _highly_ regulated, 
risk-averse industry, with compliance officers coming out of the 
woodwork.  Suffice it to say that what it means to "Comply" is highly 
context-sensitive.

But you are correct, this is not a problem that can be solved via 
technical means -- Many legitimate use cases have diametrically-opposed 
needs, and there is no way for Fedora to know out-of-the-box which use 
case should apply as the general default.  Moreover, at the granularity 
of specific DNS lookups, the general default can easily be wrong.

 - Solomon
-- 
Solomon Peachy			      pizza at shaftnet dot org (email&xmpp)
                                      @pizza:shaftnet dot org   (matrix)
High Springs, FL                      speachy (freenode)
