Stuff that should be our target going forward ?

Simo Sorce simo at redhat.com
Thu Oct 31 14:11:37 UTC 2013


On Thu, 2013-10-31 at 09:53 -0400, Máirín Duffy wrote:
> On 10/31/2013 09:39 AM, Simo Sorce wrote:
> > I think a good server experience will require that yum install firefox
> > on a headless system installs all required packages to make it work, is
> > this something we need to take care of going forward ?
> 
> So stepping back, the use-case being proposed here is:
> 
> 'Users of Fedora server will be able to install - at their option -
> software with graphical interfaces, and they will be able to
> successfully use these graphical interfaces via trusted X-forwarding
> (ssh -Y).'
> 
> I think that this doesn't work for the particular example you gave is a
> bug; maybe there's a problem with the package.

Yeah I filed https://bugzilla.redhat.com/show_bug.cgi?id=1025331
it seems that doing something like:
yum install liberation-* which installs at least one font unbreaks
firefox.

> From my perspective though, the use case is a good one, particularly if
> we're trying to make our server accessible to Microsofty admin types
> with minimal Linux experience. To use myself as an example: I suck as a
> sysadmin, but I have needed this in the past (particularly to use
> system-config-firewall on a remote system because I suck at editing
> iptables config by hand!)

Yes my concern is that we allow to install a package that is commonly
used exported and it just doesn't work. The desktop people don't see nor
will have high priority for this type of bugs, but it really breaks the
user experience for headless systems, that only need occasionally a
graphical interface, but when you need it is a blocking issue.

> The only concern that the more technical folks like you could address
> here - there are security implications on installing the whole set of
> stacks/libraries necessary to get a GUI app running on a server, right?

In fact I am not installing the whole thing, just the needed packages.
But mostly for space and cpu/efficiency concerns, not necessarily for
security reasons.

> If so,
> 
> (1) Do we care, or is it the user opting in to this that needs to take
> responsibility.

Do we care about giving a good experience when the admin is forced to
use one of these packages for whatever reason ?

> (2) Do we have any kind of mechanism we can use to help account for the
> potential damage? (E.g, just a stupid random idea, but, if the user is
> just going in for a one-time / infrequent iptables config, have the GUI
> stuff set an expiration date at which time it gets removed to lessen the
> risk of having it installed?)

I do not think automatically removing packages is a good idea. The fact
the package is installed is not itself a security issue. If it were to
start automatically daemons or jobs that's something else of course. But
that is not that common for GUI applications, yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


