Hey!
Few questions regarding our default offering:
1) Why is icedtea-web installed by default? I really don't think a Java browser plugin is something we want by default. Software makes it very easy to install it for those who need it.
2) Do we want to replace Rhythmbox with gnome-music?
3) Do we really need a firewall configuration UI?
Related:
Can we hide nm-connection-editor from the application view? It's not an app. See upstream bug https://bugzilla.gnome.org/show_bug.cgi?id=682456
Hi
On Mon, Aug 18, 2014 at 2:54 PM, Elad Alfassa elad@fedoraproject.org wrote:
Hey!
Few questions regarding our default offering:
- Why is icedtea-web installed by default? I really don't think a Java browser plugin is something we want by default. Software makes it very easy to install it for those who need it.
Does it? Some banking sites mysteriously fail if there is no Java plugin installed and I am not sure GNOME Software is tied in with Firefox to be able to install it on demand when a website requests to load it.
Rahul
On Mon, Aug 18, 2014 at 10:33 PM, Rahul Sundaram metherid@gmail.com wrote:
Hi
On Mon, Aug 18, 2014 at 2:54 PM, Elad Alfassa elad@fedoraproject.org wrote:
Hey!
Few questions regarding our default offering:
- Why is icedtea-web installed by default? I really don't think a Java browser plugin is something we want by default. Software makes it very easy to install it for those who need it.
Does it? Some banking sites mysteriously fail if there is no Java plugin installed and I am not sure GNOME Software is tied in with Firefox to be able to install it on demand when a website requests to load it.
Rahul
-- desktop mailing list desktop@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/desktop
GNOME Software is not (and, unfortunately, will probably never be) integrated with Firefox in such a way. However, if you search for Java (assuming your metadata is new enough, this didn't land in Fedora yet) you could just search for Java, click on the Java plugin item in the Software page for Firefox / Epiphany, and you'd get Java installed.
From my point of view including a Java browser plugin by default is a security risk, as most users tend to approve whatever pops up on their screen, and malicious websites are known to abuse that.
If we do decide to include icedtea-web by default, this bug must be fixed: https://bugzilla.redhat.com/show_bug.cgi?id=1131248
On Mon, 2014-08-18 at 22:39 +0300, Elad Alfassa wrote:
From my point of view including a Java browser plugin by default is a security risk, as most users tend to approve whatever pops up on their screen, and malicious websites are known to abuse that.
Java on the desktop is harmless; Java in the web browser is a security nightmare. I don't remember how many years it's been since I've seen a site with a Java applet, so I think we should not have it by default. But I also don't think it's a big deal one way or the other.
Anyway, we're primarily concerned here with applications that do not belong in the overview. Currently the IcedTea control panel shows up in the overview, which is a big deal and needs to go.
Hi
On Mon, Aug 18, 2014 at 3:39 PM, Elad Alfassa wrote:
If we do decide to include icedtea-web by default, this bug must be fixed: https://bugzilla.redhat.com/show_bug.cgi?id=1131248
I cringe when I read the bug report. It doesn't read like a conversation but a threat to comply with a vague undocumented guideline. Can someone step in and talk to the Java maintainers?
Rahul
On 18 Aug 2014 20:02, "Elad Alfassa" elad@fedoraproject.org wrote:
- Do we really need a firewall configuration UI?
What do you propose instead? If there's a firewall installed I don't want to have to learn how to use iptables, or any other CLI tool, to configure it. I'm a web developer, that doesn't mean I'm a networking guru.
R
On Mon, Aug 18, 2014 at 10:36 PM, Richard Turner rjt@zygous.co.uk wrote:
On 18 Aug 2014 20:02, "Elad Alfassa" elad@fedoraproject.org wrote:
- Do we really need a firewall configuration UI?
What do you propose instead? If there's a firewall installed I don't want to have to learn how to use iptables, or any other CLI tool, to configure it. I'm a web developer, that doesn't mean I'm a networking guru.
I propose configuration that works out of the box.
Right now in the firewalld policy in Fedora Workstation any non-root port is unblocked by default. If you need a webserver running on port 80, I assume the best way of fixing this would be bundling a firewalld configuration file in webserver packages that will open port 80 and port 443 for you - but that might be out of scope for the Workstation WG and more in the Server WG realm.
Also, if we don't install it by default you'd still be able to install it, or install cockpit instead (I don't remember if cockpit has firewall controls, but it sounds like it's something it probably would benefit from having).
On 18 Aug 2014 20:44, "Elad Alfassa" elad@fedoraproject.org wrote:
I propose configuration that works out of the box.
A laudable goal, but difficult to achieve for all use cases.
Right now in the firewalld policy in Fedora Workstation any non-root port is unblocked by default. If you need a webserver running on port 80, I assume the best way of fixing this would be bundling a firewalld configuration file in webserver packages that will open port 80 and port 443 for you - but that might be out of scope for the Workstation WG and more in the Server WG realm.
Yes, and that's a good point: when thinking about the needs of developers the lines between workstation and server are a bit fuzzy sometimes.
I'm running PostgreSQL on my box, and need to have some VMs I run connect to it. I'd not propose that port 5432 was open by default though. I don't think what I'm doing is terribly esoteric, but neither would I expect it to work out of the box because I can imagine the opposite configuration (port 5432 closed, PostgreSQL listening only for local connections) being more common.
Also, if we don't install it by default you'd still be able to install it, or install cockpit instead (I don't remember if cockpit has firewall controls, but it sounds like it's something it probably would benefit from having).
Having realised that the firewall is responsible for a silent failure, needing to install an app to reconfigure it is an additional pain. These days I'm just as likely to uninstall the firewall and be damned. I'm trying to work, and the need to configure the firewall is preventing that; having to install an app to do so compounds the problem.
(I'm playing Devil's Advocate a bit of course, I'd not be spitting nails if I had to install a UI app to configure the firewall, but I might think "well, that could have been easier".)
R
On Mon, 2014-08-18 at 21:09 +0100, Richard Turner wrote:
I'm running PostgreSQL on my box, and need to have some VMs I run connect to it. I'd not propose that port 5432 was open by default though.
As Elad said in the email you replied to:
Right now in the firewalld policy in Fedora Workstation any non-root port is unblocked by default.
I haven't checked yet, but to me that means that port 5432 is open by default.
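Added example, not part of the thread: a small check of which listening TCP sockets fall under the blanket allowance described above, given `ss -tlnH` output. The sample lines are constructed, and treating "non-root port" as port 1024 and above is an assumption; privileged ports are reported separately because the thread does not say how they are handled.

```python
import ipaddress

# Assumption: "non-root port" in the thread means an unprivileged port (>= 1024).
FIRST_UNPRIVILEGED_PORT = 1024

# Constructed sample of `ss -tlnH` output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 511 [::]:80 [::]:*
"""

def split_endpoint(endpoint):
    """Split ss's 'addr:port' into (host, port), dropping [] and %iface."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%", 1)[0], int(port)

def classify(ss_output):
    """Return (host, port, verdict) for every listening TCP socket."""
    results = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_endpoint(fields[3])
        if host != "*" and ipaddress.ip_address(host).is_loopback:
            verdict = "local-only"      # bound to loopback, not reachable from other hosts
        elif port < FIRST_UNPRIVILEGED_PORT:
            verdict = "privileged"      # outside the blanket allowance
        else:
            verdict = "open-by-policy"  # covered by the blanket allowance
        results.append((host, port, verdict))
    return results

def open_by_policy_ports(ss_output):
    """Ports that the described default policy leaves reachable from the network."""
    return sorted({p for _, p, v in classify(ss_output) if v == "open-by-policy"})

if __name__ == "__main__":
    for host, port, verdict in classify(SAMPLE_SS_OUTPUT):
        print(f"{host}:{port} -> {verdict}")
```

On a live system the input would come from `ss -tlnH`; a PostgreSQL instance bound only to 127.0.0.1 is reported as local-only, while one bound to 0.0.0.0 appears in the open-by-policy list.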
On 19 Aug 2014 08:35, "Mathieu Bridon" bochecha@fedoraproject.org wrote:
On Mon, 2014-08-18 at 21:09 +0100, Richard Turner wrote:
I'm running PostgreSQL on my box, and need to have some VMs I run connect to it. I'd not propose that port 5432 was open by default though.
As Elad said in the email you replied to:
Right now in the firewalld policy in Fedora Workstation any non-root port is unblocked by default.
I haven't checked yet, but to me that means that port 5432 is open by default.
Duh! Yes, of course; I wasn't thinking.
The reason that example was in my mind is that very day I ran into the problem of a VM being unable to connect via port 5432. Admittedly I'd had to start postgresql manually (using systemctl) owing to a stale lock file, might that have made a difference? The port definitely wasn't open.
R
On Tue, 2014-08-19 at 09:27 +0100, Richard Turner wrote:
On 19 Aug 2014 08:35, "Mathieu Bridon" bochecha@fedoraproject.org wrote:
On Mon, 2014-08-18 at 21:09 +0100, Richard Turner wrote:
I'm running PostgreSQL on my box, and need to have some VMs I run connect to it. I'd not propose that port 5432 was open by default though.
As Elad said in the email you replied to:
Right now in the firewalld policy in Fedora Workstation any non-root port is unblocked by default.
I haven't checked yet, but to me that means that port 5432 is open by default.
Duh! Yes, of course; I wasn't thinking.
The reason that example was in my mind is that very day I ran into the problem of a VM being unable to connect via port 5432. Admittedly I'd had to start postgresql manually (using systemctl) owing to a stale lock file, might that have made a difference? The port definitely wasn't open.
Having them open is the behaviour on Fedora 21, and it's a relatively new behaviour there.
Did you observe the port being closed on earlier Fedora releases?
Ah, that could be it; I'm still running F20.
On 19 August 2014 09:33, Mathieu Bridon bochecha@fedoraproject.org wrote:
On Tue, 2014-08-19 at 09:27 +0100, Richard Turner wrote:
On 19 Aug 2014 08:35, "Mathieu Bridon" bochecha@fedoraproject.org wrote:
On Mon, 2014-08-18 at 21:09 +0100, Richard Turner wrote:
I'm running PostgreSQL on my box, and need to have some VMs I run connect to it. I'd not propose that port 5432 was open by default though.
As Elad said in the email you replied to:
Right now in the firewalld policy in Fedora Workstation any non-root port is unblocked by default.
I haven't checked yet, but to me that means that port 5432 is open by default.
Duh! Yes, of course; I wasn't thinking.
The reason that example was in my mind is that very day I ran into the problem of a VM being unable to connect via port 5432. Admittedly I'd had to start postgresql manually (using systemctl) owing to a stale lock file, might that have made a difference? The port definitely wasn't open.
Having them open is the behaviour on Fedora 21, and it's a relatively new behaviour there.
Did you observe the port being closed on earlier Fedora releases?
-- Mathieu
On 08/18/2014 03:43 PM, Elad Alfassa wrote:
On Mon, Aug 18, 2014 at 10:36 PM, Richard Turner rjt@zygous.co.uk wrote:
On 18 Aug 2014 20:02, "Elad Alfassa" elad@fedoraproject.org wrote:
- Do we really need a firewall configuration UI?
What do you propose instead? If there's a firewall installed I don't want to have to learn how to use iptables, or any other CLI tool, to configure it. I'm a web developer, that doesn't mean I'm a networking guru.
I propose configuration that works out of the box.
Right now in the firewalld policy in Fedora Workstation any non-root port is unblocked by default. If you need a webserver running on port 80, I assume the best way of fixing this would be bundling a firewalld configuration file in webserver packages that will open port 80 and port 443 for you - but that might be out of scope for the Workstation WG and more in the Server WG realm.
Also, if we don't install it by default you'd still be able to install it, or install cockpit instead (I don't remember if cockpit has firewall controls, but it sounds like it's something it probably would benefit from having).
Cockpit does not currently have a firewall UI, but it's certainly something worth having there. I'll open an RFE.
On 08/18/2014 10:10 PM, Stephen Gallagher wrote:
On 08/18/2014 03:43 PM, Elad Alfassa wrote:
I propose configuration that works out of the box.
Right now in the firewalld policy in Fedora Workstation any non-root port is unblocked by default. If you need a webserver running on port 80, I assume the best way of fixing this would be bundling a firewalld configuration file in webserver packages that will open port 80 and port 443 for you - but that might be out of scope for the Workstation WG and more in the Server WG realm.
Also, if we don't install it by default you'd still be able to install it, or install cockpit instead (I don't remember if cockpit has firewall controls, but it sounds like it's something it probably would benefit from having).
Cockpit does not currently have a firewall UI, but it's certainly something worth having there. I'll open an RFE.
There is now an issue in Cockpit's issue tracker open about adding Firewall controls. https://github.com/cockpit-project/cockpit/issues/1094 - Andreas
On Mon, 2014-08-18 at 20:36 +0100, Richard Turner wrote:
What do you propose instead? If there's a firewall installed I don't want to have to learn how to use iptables, or any other CLI tool, to configure it. I'm a web developer, that doesn't mean I'm a networking guru.
I'm not sure about removing the firewall GUI either. It looks way too confusing to allow in the default install, but we can't block users' network connections without giving them a way to configure it. :/
The rest of the changes I agree with.
Another question, why the hell do we have *both* gnome-logs and gnome-system-log installed by default?
On Monday, August 18, 2014, Elad Alfassa elad@fedoraproject.org wrote:
Another question, why the hell do we have *both* gnome-logs and gnome-system-log installed by default?
History.