On Mon, Mar 16, 2009 at 08:10:20PM -0400, Matthias Clasen wrote:
> On Mon, 2009-03-16 at 15:25 -0600, Michal Jaegermann wrote:
> >
> > The general issue is that while on one hand things are getting
> > tightened up with SELinux policies, from time to time beyond a point
> > of usability, at the same moment big holes are opened due to a
> > byzantine maze of dependencies between PolicyKit and DeviceKit and
> > Nautilus and generally desktop things.
>
> Care to explain where you see a maze of dependencies?

Let's make that very specific. When I brought up
https://bugzilla.redhat.com/show_bug.cgi?id=489397, which has clear
security consequences, the first reaction from a person who _should_
be pretty familiar with the subject was (this is a literal quote):
"Your beef is with Nautilus" and to close the bug. I was somewhat
persistent and presumably a fix is now in the works, but do you think
that this came from a deep understanding?

When on 2008-06-06 a security hole to drive a truck through was
reported as https://bugzilla.redhat.com/show_bug.cgi?id=450304, do you
think this hole was created because it was not perceived what the
effects would be, or was this a deliberate sabotage? What is more,
that hole is still open; there are no traces of any activity on this
bug even if a basic fix is really trivial, so presumably one should
not expect that a thorough review was undertaken to make sure that
similar surprises are not lurking somewhere else.

If you think that you are controlling an access but it turns out that
it is possible to bypass your barrier by an extra passage here and a
trapdoor over there, then it is hard to call that a straightforward
construction, and if you are running into surprises in security then
most likely you are not secure at all, but you are never sure one way
or another.

> The mere fact
> that some things are new and not very well-known to you does not make
> them byzantine.
If you will memorize the whole nethack layout then moving around there will also be quite simple.

   Michal