Security related defaults process

Stephen Gallagher sgallagh at
Tue Apr 1 16:57:22 UTC 2014

On 04/01/2014 12:15 PM, Simo Sorce wrote:
> On the meeting today we briefly discussed how to address defaults
> that may be appropriate for a server and may differ from other
> Fedora products, how to find them, how to change them in the
> product.
> I am personally more looking to determine a process, when we find
> out something may need to change. How do we analyze the issue,
> what guidelines will drive our decision and finally how,
> technically, changes are made that affect just the server product.

Working backwards from the end here. I don't think that security
defaults are anything but a special case of products wanting different
configuration defaults. I think that conversation has been held ad
nauseam on the fedora-devel list[1] at this point. As far as the
technical changes to address this are concerned, I think it should
follow whatever policy we adopt there.

As for how we process the need, I think the process can probably be
very simple (and similar to the Change process):
1) Open a discussion on the fedora-server mailing list.
2) After a week, it gets added to the Server WG meeting agenda and is
voted on (or deferred for additional discussion on the list).

As far as guidelines to drive us, I really can think of only two:
1) Default to deny in the absence of explicit permission grant.
2) See rule one.

> I'd like ideas and discussion around this topic so we can determine
> if it is important, and how to deal with this 'stuff'.
