On Thu, 2013-10-31 at 09:53 -0400, Máirín Duffy wrote:
On 10/31/2013 09:39 AM, Simo Sorce wrote:
> I think a good server experience will require that yum install firefox
> on a headless system installs all required packages to make it work, is
> this something we need to take care of going forward ?
So stepping back, the use-case being proposed here is:
'Users of Fedora server will be able to install - at their option -
software with graphical interfaces, and they will be able to
successfully use these graphical interfaces via trusted X-forwarding
(ssh -Y).'
I think that this doesn't work for the particular example you gave is a
bug; maybe there's a problem with the package.
Yeah I filed
https://bugzilla.redhat.com/show_bug.cgi?id=1025331
it seem that doing something like:
yum install liberation-* which installs at least one font unbreaks
firefox.
From my perspective though, the use case is a good one, particularly
if
we're trying to make our server accessible to Microsofty admin types
with minimal Linux experience. To use myself as an example: I suck as a
sysadmin, but I have needed this in the past (particularly to use
system-config-firewall on a remote system because I suck at editing
iptables config by hand!)
Yes my concern is that we allow to install a package that is commonly
used exported and it just doesn't work. The desktop people don't see nor
will have high priority for this type of bugs, but it really breaks the
user experience for headless systems, that only need occasionally a
graphical interface, but when you need it is a blocking issue.
The only concern that the more technical folks like you could
address
here - there are security implications on installing the whole set of
stacks/libraries necessary to get a GUI app running on a server, right?
In fact I am not installing the whole thing, just the needed packages.
But mostly for space and cpu/efficiency concerns, not necessarily for
security reasons.
If so,
(1) Do we care, or is it the user opting in to this that needs to take
responsibiltiy.
Do we care about giving a good experience when the admin is forced to
use on of this packages for whatever reason ?
(2) Do we have any kind of mechanism we can use to help account for
the
potential damage? (E.g, just a stupid random idea, but, if the user is
just going in for a one-time / infrequent iptables config, have the GUI
stuff set an expiration date at which time it gets removed to lessen the
risk of having it installed?)
I do not think automatically removing packages is a good idea. The fact
the package is installed is not itself a security issue. If it were to
start automatically daemons or jobs that's something else of course. Bu
that is not that common for GUI applications, yet.
Simo.
--
Simo Sorce * Red Hat, Inc * New York