Few questions here:

What does this scope include?  Is it merely the LiveCD for GNOME and KDE?  Does it also include the DVD install selections for both of these packages?  (They are different)

What about clearly vulnerable areas, like "Web Server" that is push-button selectable on install?

Do we make a list of what is installed in these situations and create a watch-list like “crit-path”?

IMHO, Local and remote privilege escalation issues with the default configurations should block the release if they are known prior to making the release.  My only questions are scope definitions that would clarify exactly what packages we are talking about here.

Earlier, someone kindly wrote a STIG script to analyze an installed system.  Fixing these permission defaults would go a ways to mitigating issues.

Poly-instantiated-tmpdirs would also be NTH by default.  Confined users by default would also be an awesome plan.  (I can go on, but the big plan is to have a "secure by default" install, and let the users define where they want to open access up.  Anything the user does after firstboot should really not be covered here.)

We have to define a clear scope before a decent decision.


 -dj




On Wed, May 18, 2011 at 1:51 PM, Adam Williamson <awilliam@redhat.com> wrote:
On Wed, 2011-05-18 at 14:40 -0400, Simo Sorce wrote:

> Is it unthinkable to respin the images with those fixes ?
> Usually the patches are quite simple to backport, and we are talking
> about a limited set of bugs (remote root exploit on install) after all.

Unthinkable, no, but there are various practical issues with doing
official re-spins which have meant it's never actually happened, and the
project for doing it semi-externally - Unity - is often way behind. One
that I wasn't previously aware of, which Spot explained to me recently,
is U.S. export regulations; we have to go through a long and tedious
regulatory process for official builds, and no-one's particularly keen
to start doing that multiple times per cycle for respins.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
