On Thu, 2013-10-31 at 09:53 -0400, Máirín Duffy wrote:
On 10/31/2013 09:39 AM, Simo Sorce wrote:
I think a good server experience will require that yum install firefox on a headless system installs all required packages to make it work, is this something we need to take care of going forward ?
So stepping back, the use-case being proposed here is:
'Users of Fedora server will be able to install - at their option - software with graphical interfaces, and they will be able to successfully use these graphical interfaces via trusted X-forwarding (ssh -Y).'
I think that this doesn't work for the particular example you gave is a bug; maybe there's a problem with the package.
Yeah I filed https://bugzilla.redhat.com/show_bug.cgi?id=1025331 it seem that doing something like: yum install liberation-* which installs at least one font unbreaks firefox.
From my perspective though, the use case is a good one, particularly if we're trying to make our server accessible to Microsofty admin types with minimal Linux experience. To use myself as an example: I suck as a sysadmin, but I have needed this in the past (particularly to use system-config-firewall on a remote system because I suck at editing iptables config by hand!)
Yes my concern is that we allow to install a package that is commonly used exported and it just doesn't work. The desktop people don't see nor will have high priority for this type of bugs, but it really breaks the user experience for headless systems, that only need occasionally a graphical interface, but when you need it is a blocking issue.
The only concern that the more technical folks like you could address here - there are security implications on installing the whole set of stacks/libraries necessary to get a GUI app running on a server, right?
In fact I am not installing the whole thing, just the needed packages. But mostly for space and cpu/efficiency concerns, not necessarily for security reasons.
If so,
(1) Do we care, or is it the user opting in to this that needs to take responsibiltiy.
Do we care about giving a good experience when the admin is forced to use on of this packages for whatever reason ?
(2) Do we have any kind of mechanism we can use to help account for the potential damage? (E.g, just a stupid random idea, but, if the user is just going in for a one-time / infrequent iptables config, have the GUI stuff set an expiration date at which time it gets removed to lessen the risk of having it installed?)
I do not think automatically removing packages is a good idea. The fact the package is installed is not itself a security issue. If it were to start automatically daemons or jobs that's something else of course. Bu that is not that common for GUI applications, yet.
Simo.