FESCo Meeting Minutes (2015-03-04)

Kevin Fenzi kevin at scrye.com
Thu Mar 5 16:12:29 UTC 2015


On Thu, 5 Mar 2015 09:56:41 -0600
Chris Adams <linux at cmadams.net> wrote:

> Once upon a time, Adam Jackson <ajax at redhat.com> said:
> > False.  It's entirely reasonable for a product to mandate an
> > appropriate security policy, so until and unless we move account
> > creation entirely to firstboot, it's something the installer will
> > have to expose.
> 
> The installer should not enforce a policy that does not match the
> installed system.  AFAIK the "passwd" command will still let root use
> any password (with just a warning), so the installer should do the
> same.
> 
> It sounds like that's the decision FESCo approved.

No. The decision was that we need a better overall policy/story instead
of all the different parts doing their own thing and causing just the
above thing you note. 

Would you like to help gather information and draft some policy? ;) 

IMHO, it would need to gather in: 

* sshd policy
* passwd policy
* policykit
* sudo
* anaconda
* gnome-keyring?
* DMs? 
* tons of other stuff I am likely not thinking of. 

Ideally we could have a base policy, then perhaps some
changes/differences for the various products. Also a way, much like the
recent ssl cert stuff, to change the policy in one place instead of 50.

kevin