On Tue, Jun 16, 2020 at 04:22:42PM -0400, Gerald Henriksen wrote:
> Given the number of cases of evil people getting access to computer
> systems, and the fallout of said attacks, any package left on a system
> after it no longer is being maintained is not only broken but a

"no longer packaged by fedora" is not the same as being "broken" or
"insecure". Just as "packaged by fedora" doesn't mean that it
is kept secure. So please, please do not conflate the two.

(Case in point: dokuwiki, which was only "secure" in the sense that it
was completely broken for 2-3 fedora releases, so exploiting the
multiple outstanding CVEs in the packaged version was impossible..)

"Security" is a process, not a state; it has to be balanced against

What good is a security policy that requires me to disable it to
continue using software that I find necessary? Or worse, a policy that
auto-removes software I might still be using? That is actively
user-hostile, and you'll rapidly see instructions on how to disable it
crop up on the inevitable "how to make your fedora system usable"
instructions. Right after "disable selinux" but before "enable
freshrpms", "install google chrome", and the inevitable "sudo curl
| bash" at the end.

Meanwhile, let's be honest. Is my main server more likely to get
compromised through my use of mailgraph (dead upstream for over a decade
and retired after F29 because nobody bothered to fix its selinux
integration) or because one of my users had a shared password
compromised in $massive_data_breach_du_jour?

> You as a user may wish to explicitly make the decision to ignore
> risk and keep or re-install that software, and that is your choice.
> But it should not be the default behaviour of the distribution.

"Fedora knows better than its users" represents a massive shift in
Fedora policy, and should be discussed as such before anyone talks about
how to implement it.

If Fedora drops a package, that package currently gets relegated to the
same position as any other software the user installed from non-Fedora
sources -- which I'd wager is the overwhelming majority of
workstation-type installs and a significant chunk of server-type

Upgrades still have to handle non-Fedora-supplied packages sanely, and
the only sane, user-friendly way to handle those is to inform the user
of the issue and let them decide what to do. On a per-package basis,
because no matter what the default is, it's going to be wrong when
applied across the board.

(Of the dozen-ish Fedora installs I'm responsible for, exactly one would
be fine with this new policy. Every other one, workstation and server
alike, is a special snowflake. Folks not running snowflake systems
don't do in-place OS upgrades; they spin up new instances from scratch)

Solomon Peachy pizza at shaftnet dot org (email&xmpp)
@pizza:shaftnet dot org (matrix)
High Springs, FL speachy (freenode)