"Workstation" Product defaults to wide-open firewall

Reindl Harald h.reindl at thelounge.net
Mon Dec 8 23:41:51 UTC 2014


On 09.12.2014 at 00:31, Stephen John Smoogen wrote:
> On 8 December 2014 at 16:17, Mike Pinkerton <pselists at mindspring.com
> <mailto:pselists at mindspring.com>> wrote:
>
>         We could have decided to double-down on growing that enthusiast
>         segment, but, first, that's not what the people who showed up to
>         do the
>         work decided; and second, I actually think we continue to serve the
>         hackers and tinkerers very nicely with the spins and nonproduct
>         option.
>         What we're not doing is expanding
>
>     I'm not suggesting that Fedora not expand into a new market
>     segment.  I'm simply suggesting that you not abandon existing users
>     in order to do so.
>
> That works in a standard commercial environment where you are able to
> get the original users to 'give payment' which helps continual funding
> that work. However in a volunteer organization.. if people don't do the
> work, then it isn't going to get done. And there is always a lot of work
> in keeping something going from release to release.

the opposite is true

in a commercial environment you need to release new features and 
versions (even if nobody really needs them) and marketing as well as EOL 
all the time to force users to buy updates

in an open-source environment that pressure doesn't exist because you sell 
nothing more or less by a change; you even have users who switched to an 
open-source OS to get rid of the ongoing bloat of new versions while they 
are happy with the existing software but need to upgrade because 
otherwise they have no support, bugfixes and security updates

I see that massively all the time around me with Apple and Adobe products 
where users are angry most of the time because things are changed, new 
bugs introduced, old ones not fixed, but you need to update

the same for commercial office products and so on

sometimes even the only reason forcing you to upgrade is that the 
vendor changed the default file format in an incompatible way and you get 
more and more documents from the outside world created with the new 
versions and you can't open them

>         I also think you're also kind of setting up an argument against
>         something no-one is for. "Secure by default" is a not a well-defined
>         term,
>
>     I can't quite parse that, but I think you are intentionally
>     misunderstanding what I wrote.  "Secure by default" might not be a
>     detailed specification, but it is certainly understood as a general
>     user expectation, one that I think Fedora has heretofore generally met.
>
> No, even in the security community.. it has no single idea. I have spent
> more time getting multiple teams to define each's version of "secure by
> default" so that they quit arguing that the other guys aren't that way..
> I don't agree with how the firewall is setup on workstation, but I have
> seen multiple definitions that match "secure by default" that it still
> meets

the security community is usually very clear:

* forbid as much as you can by default
* allow only what *really* is needed to get the work done
* start as few processes as possible
* keep code as small and understandable as possible

what is not open, not loaded and not running is hard to attack
