On 12/17/2015 10:19 AM, Harald Hoyer wrote:
On 07.12.2015 20:57, Paul Wouters wrote:
> On Mon, 7 Dec 2015, Matthew Miller wrote:
>
>> I read your whole post. Those possibilities seem pretty limited, from
>> the point of view of serious regressions in Fedora usability. It isn't
>> that I "like" Fedora being less than technically correct (especially
>> around security-related features), but I don't think we can discount
>> the prevalence of "broken" schemes in the real world.
>
> But you gain nothing with waiting. There is no "fix" to wait for. Those
> stolen domains are broken and they will start to fail. The only difference
> could be that fedora won't be the first where this breaks on, but I
> thought "First" was one of our motto's ?
>
>> I don't really care about that. I care that we pick the solutions that
>> are best for our users.
>
> Supporting DNSSEC per default is best for the user. Not enabling DNSSEC
> is not a serious option. We delayed this feature a few times to ensure
> we would get better integration with gnome and VPNs so that we could
> address the _real_ problems.
>
> People using stolen or made up domain names is not a use case that can
> be supported anymore with Secure DNS.
If it causes problems you have no time to fix, you will do "selinux=0 dnssec=0"
Whoops.
Why "selinux=0"?
Do you think it would be better to tell people to set "enforcing=0" and
collect AVCs with a report instead of saying "selinux=0"?
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.