"Workstation" Product defaults to wide-open firewall
pselists at mindspring.com
Mon Dec 8 20:20:30 UTC 2014
On 8 Dec 2014, at 10:33, Matthew Miller wrote:
> On Mon, Dec 08, 2014 at 02:31:58PM +0000, Ian Malone wrote:
>> There are three products: workstation, server, cloud. Workstation is
>> the one for desktop use. That leaves server to aim for the
>> fedora user base, since cloud is (understandably) a very different
>> thing. So if you want a desktop system with a security focus where do
>> you look now?
> So, it's important to understand — here on the devel list, certainly —
> that these three are part of a marketing strategy, and in order for
> such a thing to be effective and not just fluffy talk, it does involve
> technical changes to match the plan.
> Right now, "desktop system with a security focus for new users" isn't a
> key part of that effort. I certainly don't dispute that user security
> and education are good goals, and I don't think anyone on the
> workstation team does either — it's just a matter of the steps we take
> to get there.
It is fine and well to target a new group of users -- developers who
want developer features. Remember, though, that Fedora has been
used, and continues to be used, as a general desktop OS by many folks
and in many organizations. Indeed, Fedora's old market positioning
was primarily as a desktop OS suitable for a range of users. Do not
make the oft-repeated and often fatal mistake of burning your old
market when trying to grow a new one. From a marketing standpoint,
that is just crazy. In a for-profit company, where products are
connected to revenue streams, it would be a "you just bet your
career" move which nine times out of ten you would lose.
Opening up the firewall by default, and omitting the user interface
to change it, all to satisfy the assumed needs of the user base you
wish to add -- a user base that is tech savvy enough to customize the
firewall rules they want -- seems misguided and is certainly hostile
to your old market which had a very different expectation of the
> So, if you're not in the target of that focus, where do you look?
> You can certainly pick one of our other desktop spins, which have
> different firewall defaults.
In recent years Fedora has been known primarily as a secure by
default Gnome desktop OS. To suggest that anyone interested in a
secure by default Gnome desktop OS should have to resort to a not-yet-
existent spin is to admit that you are abandoning your current market
in search of greener fields elsewhere.
> Or, you can do what I do: start with Fedora Workstation and then
> configure it in a way that makes sense for my needs, or if you're
> deploying for users into a managed environment, use the tools the OS
> provides to preconfigure the system for whatever makes sense there.
My take-away is that Fedora next isn't yet ready for wide deployment
by me. The Workstation group has made a significant, and unexpected
by many of us, change in firewall defaults. It is probably not their
only decision that will surprise us. Some of the decisions made by
the server and cloud teams may also be surprising. Until all of the
defaults, and the embedded thinking they represent, are better known,
the only product I intend to support is "product=nonproduct" built on
a minimal install.
Understand that I am not hostile to Fedora next. As one who has run
Fedora on servers since FC2, I do applaud the additional thought and
consideration being given to servers and clouds. They are truly
different use cases. It is good that the needs of server and cloud
admins are being more fully addressed.
As one who has also supported Fedora on general desktops for a number
of years, I think you are making a mistake in not tending the user
base you already have on the desktop. Whether you can grow a new
developer-centric user base segment is an open question, but you
already have a general desktop user base which you can keep and grow
on -- at least until those who provide support to that user base lose
confidence in Fedora as a suitable OS for those users out-of-the-box.
Perhaps the Workstation team thought that opening up the firewall
defaults was the best compromise. I disagree. Perhaps a better
compromise would have been to leave the old defaults in place, and
add a new pre-configured "more open" zone for those who want fewer