"Workstation" Product defaults to wide-open firewall

Mike Pinkerton pselists at mindspring.com
Mon Dec 8 20:20:30 UTC 2014

On 8 Dec 2014, at 10:33, Matthew Miller wrote:

> On Mon, Dec 08, 2014 at 02:31:58PM +0000, Ian Malone wrote:
>> There are three products: workstation, server, cloud. Workstation is
>> the one for desktop use. That leaves server to aim for the traditional
>> fedora user base, since cloud is (understandably) a very different
>> thing. So if you want a desktop system with a security focus where do
>> you look now?
> So, it's important to understand — here on the devel list, certainly —
> that these three are part of a marketing strategy, and in order for
> such a thing to be effective and not just fluffy talk, it does involve
> technical changes to match the plan.
> Right now, "desktop system with a security focus for new users" isn't a
> key part of that effort. I certainly don't dispute that user security
> and education are good goals, and I don't think anyone on the
> workstation team does either — it's just a matter of the steps we take
> to get there.

It is fine and well to target a new group of users -- developers who  
want developer features.  Remember, though, that Fedora has been  
used, and continues to be used, as a general desktop OS by many folks  
and in many organizations.  Indeed, Fedora's old market positioning  
was primarily as a desktop OS suitable for a range of users.  Do not  
make the oft-repeated and often fatal mistake of burning your old  
market when trying to grow a new one.  From a marketing standpoint,  
that is just crazy.  In a for-profit company, where products are  
connected to revenue streams, it would be a "you just bet your  
career" move which nine times out of ten you would lose.

Opening up the firewall by default, and omitting the user interface  
to change it, all to satisfy the assumed needs of the user base you  
wish to add -- a user base that is tech savvy enough to customize the  
firewall rules they want -- seems misguided and is certainly hostile  
to your old market which had a very different expectation of the  
firewall defaults.

> So, if you're not in the target of that focus, where do you look? Well,
> you can certainly pick one of our other desktop spins, which have
> different firewall defaults.

In recent years Fedora has been known primarily as a secure by  
default Gnome desktop OS.  To suggest that anyone interested in a  
secure by default Gnome desktop OS should have to resort to a
not-yet-existent spin is to admit that you are abandoning your current market
in search of greener fields elsewhere.

> Or, you can do what I do: start with Fedora Workstation and then
> configure it in a way that makes sense for my needs, or if you're
> deploying for users into a managed environment, use the tools the OS
> provides to preconfigure the system for whatever makes sense there.

My take-away is that Fedora next isn't yet ready for wide deployment  
by me.  The Workstation group has made a significant, and unexpected  
by many of us, change in firewall defaults.  It is probably not their  
only decision that will surprise us.  Some of the decisions made by  
the server and cloud teams may also be surprising.  Until all of the  
defaults, and the embedded thinking they represent, are better known,  
the only product I intend to support is "product=nonproduct" built on  
a minimal install.

Understand that I am not hostile to Fedora next.  As one who has run  
Fedora on servers since FC2, I do applaud the additional thought and  
consideration being given to servers and clouds.  They are truly  
different use cases.  It is good that the needs of server and cloud  
admins are being more fully addressed.

As one who has also supported Fedora on general desktops for a number  
of years, I think you are making a mistake in not tending the user  
base you already have on the desktop.  Whether you can grow a new  
developer-centric user base segment is an open question, but you  
already have a general desktop user base which you can keep and grow  
on -- at least until those who provide support to that user base lose  
confidence in Fedora as a suitable OS for those users out-of-the-box.

Perhaps the Workstation team thought that opening up the firewall  
defaults was the best compromise.  I disagree.  Perhaps a better  
compromise would have been to leave the old defaults in place, and  
add a new pre-configured "more open" zone for those who want fewer  

Mike Pinkerton
