FESCo Meeting Minutes (2015-03-04)

Kevin Fenzi kevin at scrye.com
Thu Mar 5 16:12:29 UTC 2015

On Thu, 5 Mar 2015 09:56:41 -0600
Chris Adams <linux at cmadams.net> wrote:

> Once upon a time, Adam Jackson <ajax at redhat.com> said:
> > False.  It's entirely reasonable for a product to mandate an
> > appropriate security policy, so until and unless we move account
> > creation entirely to firstboot, it's something the installer will
> > have to expose.
> The installer should not enforce a policy that does not match the
> installed system.  AFAIK the "passwd" command will still let root use
> any password (with just a warning), so the installer should do the
> same.
> It sounds like that's the decision FESCo approved.

No. The decision was that we need a better overall policy/story instead
of all the different parts doing their own thing and causing just the
above thing you note. 

Would you like to help gather information and draft some policy? ;) 

IMHO, it would need to gather in: 

* sshd policy
* passwd policy
* policykit
* sudo
* anaconda
* gnome-keyring?
* DMs? 
* tons of other stuff I am likely not thinking of. 

Ideally we could have a base policy, then perhaps some
changes/differences for the various products. Also a way, much like the
recent ssl cert stuff to change the policy in one place instead of 50. 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150305/00e34878/attachment-0001.sig>

More information about the devel mailing list