On Wed, 2009-11-18 at 18:03 -0500, Jeff Garzik wrote:
On 11/18/2009 05:51 PM, Rahul Sundaram wrote:
> On 11/19/2009 04:19 AM, Richard Hughes wrote:
>> 2009/11/18 Seth Vidal<skvidal(a)fedoraproject.org>:
>>> Richard,
>>> to be fair, when I asked you how to edit a .pkla file you couldn't
tell me.
>>> So, if our engineers don't know the basics, how should our users?
>>
>> Fair comment. Release notes additions might be good in this regard.
>
> It should have been announced and documented with the rationale for the
> change *before* the release. Just pretending that everyone should know
> about how PolicyKit works when documentation is just lacking doesn't cut
> it. You didn't even respond to by bugzilla comment and just closed the
Agreed 100.1%.
> bug. We will still do a post-release update for the release notes now
> but that's scrambling to minimize damage.
The only thing that will fix the damage is to update PK, reverting the
default-insecure policy.
May I remind folks that it is easy to UPGRADE INTO INSECURITY here.
Admins with servers, coming from F10/F11, can very easily fall into this
trap simply by updating their current systems.
Jeff
Has anyone drafted a notice to go out on the Announce List explaining
this vulnerability? If admins don't know to fix/remove PK then they are
putting their systems at risk.
--Eric