Re: A Topic that needs to be discussed on next the QA meeting..

Jon Stanley wrote:
On Mon, Mar 17, 2008 at 5:49 PM, Johann B. Gudmundsson <johannbg@xxxxx> wrote:
See bugs
 https://bugzilla.redhat.com/show_bug.cgi?id=437811
 https://bugzilla.redhat.com/show_bug.cgi?id=136289
 https://bugzilla.redhat.com/show_bug.cgi?id=147557

 In my books this fails QA bigtime and poses a MAJOR security risk for
 the end user(s).

Your book is not everyone's, nor probably even the majority of
people's.  I for one use sshd on *every* machine that I own (yes, I
even login to my desktop remotely - that's how I IRC).

As I said, I needed to know who the target audience was,
and I see it's not desktop users; that's why Ubuntu succeeded where Fedora should
have long ago ( yes, I have had high hopes for a long time )...

Thanks for making that one clear. I have actually been waiting for someone to give me a straight answer regarding that matter, and this just proves that Fedora will never be dominating the world :) .

That kinda also explains this whole RTFM for the end users and he has to be and is expected to be a "Linux Guru" attitude that still exists here ( Bug 436227 for example )...

And I, who apparently am so ignorant and foolish in thinking our main goal was to let Fedora grow and our main target was the home/desktop user, and expecting those who are gonna use it for server or other things would actually know how to set up Fedora to do so, silly me...

 Either a respin with this *feature* needs to be done or a
 reintroduction of Desktop/Server install
 with the server install enabling this feature..

Nah, it's a sane default.  If you wanna go down this road, choose
something that has *actual* security implications (beyond someone
possibly brute-forcing a poorly chosen password - users can shoot
themselves in the foot via many means.  Anaconda even warns of a
poorly chosen rootpw now).

I would say leaving sshd running with a hole punched in the firewall poses a great security risk if a noob user clicks next, next, ok, done throughout the installation process and ends up leaving himself open to brute force attacks, and his machine can then be used to attack other machines ( M$ ),
but hey, apparently that's just me..

I would actually think this "not a security risk" should be mentioned each time somebody hands out a Fedora DVD,
or somebody walks past the Fedora booth and grabs one.

But if it is one of Fedora's objectives to distribute easily rootable boxes to the internet, fine...

 It's good that someone on the QA board can contact the Fedora Security team and
 get their input on this issue.

QA Board???  I didn't know such a thing existed.  I nominate myself :)
 Seriously, Jeremy would be about the closest thing that you come to
that (Will and Jesse as well).



Will was the one I actually thought was a member of that board and
kinda the "Head of the QA department" ( sorry Jeremy or Jesse or Bill )
( I actually thought there was a QA Board, testers reporting to the board
and the QA board coordinating tests/bug hunts, logic right..).
Hence I reopen reassigned status and was waiting for them to step in..

Since there is none I suggest one is created to address
issues like this, which consists of not only developers.
There can be more conflicts like this..
 Are we targeting Desktop/Home user or not?

Along with many other segments.

If we are targeting a whole bunch of "segments" then we should
release specifically tuned to those "segments".

M$ has a server version, Mac OS X has a server version;
there is a reason for it!

<whisper>Even Red Hat has a few *versions*....

So why can't Fedora release a server version?

This whole TRY TO PLEASE ALL concept is flawed..
 If so then we have to make it hard for them to accidentally shoot
 themselves in the foot security-wise...

Users can shoot themselves in the foot via lots of methods.  I don't
see this one being particularly egregious.

I said it once and I say it again: only services that are needed for "running system + networking" should be enabled by default; the rest the user should configure on firstboot!
Even filed an RFE for this!
 I mean a noob user accidentally turned off his firewall during install
 with the current default installation options leaves
 him open to how many security risks?  ( none is the right answer )...

Well, that's no longer a default installation then, is it?  Should we
disable CUPS too? (that at least has a recent history of issues).

YES, ALONG WITH AVAHI, BLUETOOTH AND MORE...
until the system can properly detect HW and enable services on demand...

Fedora can't be tuned to everybody's needs!

The end user should be making that choice, not Fedora trying to make "guesses" on how
he's gonna set up his system.

We should be delivering a solid, secure product; then it's in the user's hands if he messes it up,
not us delivering it already insecure.

Since this is the whole attitude, why are we shipping Fedora with SELinux enabled, since users
are already good enough to shoot themselves in the foot????


 I'm gonna reopen this mark Anaconda as FAILED_QA  then after this has
 had a proper discussion
 with input from Fedora-Security-Team a QA board member can CLOSE this or
 it will be FIXED.

It is already CLOSED NOTABUG, and should remain that way.

I still strongly disagree, not that it matters; my efforts are in vain....

Best regards
                  Johann B.

You win some, you lose some....
