Few questions here:
What does this scope include? Is it merely the LiveCD for GNOME and KDE? Does it also include the DVD install selections for both of these packages? (They are different)
What about clearly vulnerable areas, like "Web Sever" that is push-button selectable on install?
Do we make a list of what is installed in these situations and create a watch-list like “crit-path”?
IMHO, Local and remote privilege escalation issues with the default configurations should block the release if they are known prior to making the release. My only questions are scope definitions that would clarify exactly what packages we are talking about here.
Earlier, someone kindly wrote a STIG script to analyze an installed system. Fixing these permission defaults would go a ways to mitigating issues.
Poly-instantiated-tmpdirs would also be NTH by default. Confined users by default would also be an awesome plan. (I can go on, but the big plan is to have a "secure by default" install, and let the users define where they want to open access up. Anything the user does after firstboot should really not be covered here.)
We have to define a clear scope before a decent decision.
-dj
On Wed, May 18, 2011 at 1:51 PM, Adam Williamson awilliam@redhat.comwrote:
On Wed, 2011-05-18 at 14:40 -0400, Simo Sorce wrote:
Is it unthinkable to respin the images with those fixes ? Usually the patches are quite simple to backport, and we are talking about a limited set of bugs (remote root exploit on install) after all.
Unthinkable, no, but there are various practical issues with doing official re-spins which have meant it's never actually happened, and the project for doing it semi-externally - Unity - is often way behind. One that I wasn't previously aware of, which Spot explained to me recently, is U.S. export regulations; we have to go through a long and tedious regulatory process for official builds, and no-one's particularly keen to start doing that multiple times per cycle for respins. -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org http://www.happyassassin.net
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel