Andrew Farris wrote:
Douglas McClendon wrote:
<rant>
I wish I could say that I'm sorry to crush your hopes, but I'm really
not. Despite what I've said in the past, I have the utmost respect
for selinux and security. But what I don't have any respect for is
people of your mind, who myopically just see "increased security".
People who view security that way IMO contribute to some of the worst
cancers against humanity.
This is just standard rhetoric that I shouldn't be wasting my time
repeating here, but security is ALWAYS a balance and a tradeoff
against other *values*, and never an absolute.
Sounds like politically charged nonsense, not rhetoric related to
computer security.
When selinux is the right tool for the job, bringing a greater benefit
to the system at hand than the costs involved with using it, then
great. But to claim that it should remain in "*all* of the fedora
spins" is IMO utterly wrong, and a narrow vision of what fedora could
be useful for. There are times and applications where selinux is JUST
NOT WORTH IT. I'm not saying it's the majority of the time, or even
>1%. But if fedora is (to be) used in tens of millions of systems, 1%
of that is actually a *significant* number.
If only I could waterboard the fuck out of all the loyal bushies that
see "national security" as the *only* value to be measured when making
a decision.
Humanity and liberty are so important to you that you want to torture
people (and evidently not to gather information because you know it
already). Clearly we're learning something here.
There are times when you let innocent people die and get hurt by
terrorists, because the values sacrificed in making a decision that
could and does stop the terrorists, are MORE IMPORTANT than a narrow
short term view of "national security".
"Essential Liberty vs. Temporary Freedom". Yes, liberty is important,
but largely unrelated to whether you have selinux present in your
favorite spin.
SELinux *should* be in every official Fedora spin, especially those to
be used on networked computer systems. But it should also be possible
to turn it off and/or uninstall it, and be possible to build custom
packages for embedded processing applications without it... but if I
want an embedded linux with selinux enabled why shouldn't it be there
available?
Since I love politically charged discussions- What you just said is
similar to the logical difference between
a) not mandating that evolution be taught as a theory in schools
vs
b) mandating that evolution not be taught as a theory in schools.
I.e., I wholeheartedly agree with you that if you want an embedded
linux with selinux enabled, it SHOULD be available.
But my holding that opinion does not change the fact that I also hold
the opinion that at some point down the road, there should be an
official fedora spin that comes with selinux disabled.
Clearly since I work on livecd-tools and the like, I am all for making
it as easy as possible to create variants.
But really, since I know how easy it is to just spin a distro of linux
with 99.9999% the same code base as fedora, that just isn't called
fedora, I don't *REALLY* care about this technical issue very much, and
I *REALLY* was just doing some soapboxing. But I think the political
and technical points I made (computer security, national security) are
not so disjoint that it is useless to speak of them in the same breath.
Choice (somehow related to Liberty in your rant) does not mean you get
to choose what is present all the time, it means you get to choose
whether to use it or not. The presence of selinux does not infringe on
your 'choice'. The preference of one person to have it in all spins
does not infringe on your 'choice'. More importantly, the desire of
some to improve computer security around the globe does not prevent you
from running open boxes with blank root passwords... the choice is yours
how insecure you want it.
I agree with every bit of that. Not sure what you thought I meant that
was different.
I sincerely hope that what I've said will cause you to think a little
more before uttering "I hope everyone agrees with me that more
security is always better" again. But I welcome you to crush my hopes
as I've just crushed yours.
SELinux can and very likely will protect computer systems for
terrorists' use just as easily as anyone else, since it is 1) free, 2)
available to the entire known universe; it therefore has nothing
whatsoever to do with US national security in the context of your
'rhetoric' and poorly argued politics.
I was really talking about whether the choice to use torture to improve
national security, without considering the other values lost in the
decision, was a wise one to make.
The parallel was whether or not the choice to *ALWAYS* use selinux to
improve computer security, without considering the other values
(bloat/performance degradation/user frustration), was not a wise one to
make.
But sometimes the subtlety of my logic goes over people's heads.
-dmc