Removing firewall-config from the default install of Fedora Workstation

Michael Catanzaro mcatanzaro at gnome.org
Sat Aug 23 14:52:11 UTC 2014


On Fri, 2014-08-22 at 17:08 +0200, Christoph Wickert wrote:
> So if the goal of the platform is development and our target audience
> are hobbyists, students, and developers, how can "simple enough for
> non-technical users" be a criterion for inclusion of apps?

I agree with you that targeting developers means we might indeed want to
allow some complicated programs into the default install, but I also
agree with Elad: we should still think really hard before doing so.
devassistant, for example, is a complicated technical program that I
have a lot of second thoughts about, but I haven't seen any objections
to shipping it -- there seems to be consensus that that one is worth it
for us.

We should be extremely suspicious of complex technical programs like
devassistant and firewall-config, including them only if the advantages
are significant. This guideline will serve us well regardless of whether
or not we decide to make an exception for firewall-config. Picking
simple default programs is something we're much better at than other
major distros, and should contribute to the appeal of Fedora
Workstation.

Frankly, I think firewall-config is probably too complicated for many
hobbyists and the majority of students. Actually, many developers too.
It's a power tool that looks like the sort of thing I would love if I
was an expert in firewall configuration. I find it really hard to
believe we need port forwarding on desktop machines, for example: that's
just going to confuse the heck out of some poor soul who actually needs
to forward a port from his router to his computer.

Regardless of whether we keep it or not, I think we've done a good job
selecting our default applications. This is a detail. :)

> Accessing the internet does work out of the box, but FWIW a lot of
> client and server development will not. Therefore I suggest we keep
> firewall-config for now and continue to improve its UI.

Our understanding is that client and server development WILL work out of
the box, unlike F20. The goal is that very few users ever need to
configure the firewall. Our configuration can be seen at [1] and it
looks sufficiently permissive to me. (Is there something else we need to
address?) Whereas in F20 I spent much frustrating time trying to figure
out why my network programs worked on other Linuxes but not Fedora, in
F21 everything should just work, unless you're trying to use a system
port. I frankly cannot think of any reason I would ever want to open
firewall-config.

Michael

[1]
http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml