Removing firewall-config from the default install of Fedora Workstation
Josh Boyer
jwboyer at fedoraproject.org
Thu Aug 21 20:18:30 UTC 2014
On Thu, Aug 21, 2014 at 3:56 PM, Owen Taylor <otaylor at redhat.com> wrote:
> On Thu, 2014-08-21 at 15:11 -0400, Josh Boyer wrote:
>> On Thu, Aug 21, 2014 at 3:03 PM, Elad Alfassa <elad at fedoraproject.org> wrote:
>> > Hello.
>> >
>> > I propose we remove firewall-config (the graphical firewall configuration
>> > utility) from the default install of Fedora Workstation.
>> > Rationale:
>> >
>> > * The default Workstation zone file allows incoming connections to non-root
>> > ports. This means most of the common use cases will "just work" out of the
>> > box. Thus, most users will not need to touch their Firewall settings.
>> >
>> > * People who do need it will be able to install it from GNOME Software quite
>> > easily. Just search for "Firewall". There will be no confusion as this is
>> > the only firewall configuration tool shown in GNOME Software.
>> >
>> > * In general, we should avoid having app launchers for things that are
>> > configuration utilities in the default install.
>> >
>> > Unless there's major objection to this change in the following few days,
>> > I'll remove it from the gnome-desktop group in comps.
>>
>> I object for now. I'd like to hear more from Matthias, Christian, and
>> the firewalld contributors first. We already discussed this a while
>> ago and there has been work to make it more Workstation appropriate.
>> I don't think we should remove it without consensus from everyone that
>> has already been discussing this.
>
> That's why the list was mailed ... to get some discussion and build
> consensus :-)

Yep! That's why I said "for now". I just didn't want Elad to remove
it in a few days before we actually discussed it.

> One main idea of putting a lot of work into GNOME Software is to reduce
> the difference between "installed by default" and "not installed by
> default" - there are a ton of things that we want to allow a user to do
> easily with Fedora that we can't have in the default install.

Sure.

> Having something in the default install to me means two things: first,
> we think that the activity it enables is something that a large
> percentage of users will want to do. Second we want to actively
> encourage the user to stumble on the application, start it up, find what
> it does.
>
> If you start firewall-config I don't think it meets the second objective
> - you get prompted for authentication before it even loads, and you are
> immediately confronted with a pretty complex UI that depends on
> understanding concepts (zones, runtime vs. static config, trusted vs.
> untrusted services, etc.) that most technical users probably won't
> understand without some study.

Correct. That interaction is what was highlighted as not being
suitable, but I thought there were plans to address it.

> But if we need firewall-config for the first objective - if a large
> fraction of users will need to use it, then the right response to the
> complexity is to try and make it friendly for non-firewall-experts,
> rather than removing it from the default install. The *idea* here is
> that that's not the case as of Fedora Workstation 21 - the average
> developer won't need to configure their firewall - e.g., when developing
> a web app, a developer will almost always be running on a high port.

Right, and I thought the firewalld team and others were working on a
UI that _is_ appropriate. Did that work happen? What state is it in?
etc.

josh