Security related defaults process
sgallagh at redhat.com
Tue Apr 1 16:57:22 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
On 04/01/2014 12:15 PM, Simo Sorce wrote:
> On the meeting today we briefly discussed how to address defaults
> that may be appropriate for a server and may differ from other
> Fedora products, how to find them, how to change them in the
> I am personally more looking to determine a process, when we find
> out something may need to change. How do we analyze the issue,
> what guidelines will drive our decision and finally how,
> technically, changes are made that affect just the server product.
Working backwards from the end here. I don't think that security
defaults are anything but a special case of products wanting different
configuration defaults. I think that conversation has been held ad
nauseam on the fedora-devel list at this point. As far as the
technical changes to address this are concerned, I think it should
follow whatever policy we adopt there.
As for how we process the need, I think the process can probably be
very simple (and similar to the Change process):
1) Open a discussion on the fedora-server mailing list.
2) After a week, it gets added to the Server WG meeting agenda and is
voted on (or deferred for additional discussion on the list).
As far as guidelines to drive us, I really can think of only two:
1) Default to deny in the absence of explicit permission grant.
2) See rule one.
> I'd like ideas and discussion around this topic so we can determine
> if it is important, and how to deal with this 'stuff'.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the server