Fedora 22 update security

[Chris Murphy]

On Thu, May 14, 2015 at 12:21 AM, Richard Hughes <hughsient at gmail.com> wrote:
> On 14 May 2015 at 01:57, Michael Catanzaro <mcatanzaro at gnome.org> wrote:
>> It never even occurred to me that we might make this change downstream,
>> since we make changes upstream whenever we can. PackageKit is
>> maintained by a Fedora developer (Richard Hughes) so it's natural that
>> the default settings are what Fedora wants them to be.
>
> I'm certainly hope I'm a friendly upstream, and it's true that I want
> to ship sane policy by default. It doesn't mean upstream *has* to bend
> and flex to every diktat from FESCo. If someone can explain to me in
> an upstream bug why changing the policy would be more secure for users
> then I'll happily change it for the next release. I'm not horribly
> keen on the "lock down by default" arguments, as PackageKit upstream
> is at targeting these users
> http://www.freedesktop.org/software/PackageKit/pk-profiles.html

Suzan should be a standard user, not admin, her brother is admin and
does OS updates, she shouldn't be able to initiate them. She can
install apps from approved sources and update them.

Brevan is admin of his own computer and can do whatever he wants.

Graham should not be using Fedora. But if he is, he's a standard user.
He can install software from approved sources, and those applications
can be updated. OS  updates are off limits, his son will have to do
that for him.

And I'm saying this as an OS X user, with parents with OS X systems.
They can install app store and signed applications. I *think* they can
do drag and drop application installs for their user only, I haven't
tested that in a while. But they definitely can't do system updates. I
do that. And OS X system updates are 1-2 orders magnitude more stable
and sane than Windows updates, in my estimation. There is absolutely
zero possibility I'd subject Suzan, Graham, or my parents to automatic
OS updates, be it Windows, OS X or Fedora.


-- 
Chris Murphy