Removing firewall-config from the default install of Fedora Workstation

Elad Alfassa elad at fedoraproject.org
Sat Aug 23 10:45:01 UTC 2014 

On Fri, Aug 22, 2014 at 6:08 PM, Christoph Wickert <
christoph.wickert at gmail.com> wrote:

>
> I don't think we missed that point, in fact it was already addressed
> earlier by Thomas, when he quoted the workstation's mission statement:
> "The system will primarily be aimed at providing a platform for
> development of server side and client applications that is attractive to
> a range of developers - from hobbyists and students to developers
> working in corporate environments."
>
> So if the goal of the platform is development and our target audience
> are hobbyists, students, and developers, how can "simple enough for
> non-technical users" be a criteria for inclusion of apps?
>
>
We need to eradicate this dangerous notion that a "technical user" or a
"developer" knows everything about the ins and outs of an operation system
or computer networks.
 It leads to bad design.


If your OS is good enough for non-technical users to use it without being
intimidated or confused by it, then it will be easy and simple for
developers too. If you design your software thinking your users will know
immidiately how to operate it and how it works because they are "technical"
you will have software that is extremely painful to use.

Another point is that our product definition states we should support all
these usecases while still being usable for the non-technical users.

> If it's really important then we should keep it, but if it just works
> > out of the box as I've heard (thanks to the firewalld team for working
> > on this!), then hopefully it can go.
>
> Accessing the internet does work out of the box, but FWIW a lot of
> client and server development will not. Therefor I suggest we keep
> firewall-config for now and continue to improve it's UI.
>

You are wrong, I'm sorry.
Our default firewall configuration allows any port higher than 1024 (ie.
high ports / non-root ports) to accept incoming connections, as well as
some very specific services such as avahi or samba-client. This means that
the following will work out of the box:
 * Network printing
 * Avahi zeroconf auto-discovery
 * Samba network shares
 * Web browsing
 * Python / Ruby web stacks which default to using a non-root port when
running as a non root user, which is the normal way in which Python / Ruby
web developer test their applications.
 * Anything else that listens on a non-root port

Most developers will not need to touch the firewall configuration because
everything will just work. And as emphasized before, we are not aiming this
product at linux system developers, we are aiming it at web developers,
android developers, application developers, game developers and such. Non
of these target usecases will ever need to use a port lower than 1024.

So if most of are target users might not know what a firewall is or how to
operate one, might not know about protocols, ports, or how computer
networking actually works, and will probably not need to change the default
configuration *ever*, including this tool by default seems silly to me. And
again, people who for some reason don't want the default can install the
tool from GNOME Software easily enough, so there's no real reason why it
should be included by default.


-- 
-Elad Alfassa.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/desktop/attachments/20140823/1860a20a/attachment.html>

More information about the desktop mailing list