dnssec-trigger + GNOME + NetworkManager integration

Igor Gnatenko i.gnatenko.brain at gmail.com
Fri Jun 26 15:22:21 UTC 2015


On Jun 26, 2015 6:14 PM, "Matthias Clasen" <mclasen at redhat.com> wrote:
>
> On Tue, 2015-06-23 at 18:43 +0200, Tomas Hozza wrote:
>
> Hey, I was out for a week, so this may be a bit of a late reply.
>
> As Michael and Bastien already stated, all the GNOME networking UI
> relies on information gotten from NetworkManager, and we'd like to keep
> it that way. In particular, NetworkManager has an existing API to
> inform us about captive portals - if at all possible, you should keep
> that working.
>
> [...]
>
> > This boils down to what we need from some new version of the UI that
> > we need to be well integrated with GNOME:
>
> > 1. Be able to inform user about some situations (Captive portal
> > detected, network blocks all DNS communication, ...) and enable the
> > user to take an action. (This could be possibly done by the
> > notifications system in latest GNOME)
> >
> > -> this may be solved also in GNOME already, and may be OK if done
> > technically correctly. Please note my note earlier on NM notifying
> > other services when Captive Portal is detected
>
> My perspective on this is that we already have a UI: GNOME shell
> displays network status, including captive portal. If NetworkManager
> needs to add a few more connection states related to DNSSEC, we can
> adapt to that.
>
> GNOME shell also launches a browser when needed for captive portal
> login. If we need to tweak the way the browser is launched to make it
> work on a dnssec-enabled system, that should be possible.

Unfortunately, on my system it doesn't launch a browser, but I see the captive
portal icon on the shell panel. Where to report the bug, and what info is needed?
>
> > 2. Possibly have some indicator showing if the system is in "Secure"
> > or "Insecure" state.
> >
> > 3. Enable the user to switch between those two states manually
>
> This seems dubious, at best. What does it mean if my system is
> 'insecure'? Will my credit card number be stolen? Will my system be
> taken over by intruders if I don't disconnect immediately? Most users
> will have no idea, and have to treat such a switch either as "scary,
> don't touch" or as the "fix the internet" button.
>
> I could see adding information regarding the dnssec status of
> connections to the network panel. For that to happen, the information
> needs to be represented in the nm connection configuration, e.g. in
> NMSettingIP4Config, which already has settings like "ignore-auto-dns".
>
> > 4. Additionally enable the user to trigger the reprobe of
> > connection-provided DNS resolvers and display result of the probe
> > (last one).
> >
> > -> this should not be needed for regular use. It is more of a
> > debugging tool
>
> I would encourage you to ship it separately as such, then. I don't even
> think it needs to be a graphical tool, a commandline utility would be
> just fine for this purpose.
>
>
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct