F15 - status of /run/user, /dev/shm, and potential for a DoS attack

Adam Williamson awilliam at redhat.com
Thu May 19 18:44:49 UTC 2011


On Thu, 2011-05-19 at 22:53 +0530, Ashwin Mansinghka wrote:

> > Yes, we know it.
> > But it helps to be open with your user base, who are your testers, users, and
> > supporters.
> > And do not forget that many users share their knowledge with you and other
> > users here. You should not ignore them.
> > Make the most out of it while you have them around here!
> 
> Is it worth making an effort? Read Adam's postings; they are full of "don't"
> and "do not". If someone asks the question "why?" or "why not?" the
> query is ridiculed. So it is time both Red Hat and Fedora should think
> again, and check if Adam is tasked with too much? Why is he setting
> goals which are not acceptable to so many? Why is he not explaining his
> position? If he explains his position does it indirectly reveal
> something else?

I'm sorry if you feel this way; it's certainly not something I'm trying
to do.

I think you are misunderstanding some issues, though. One: I don't get
to set any goals; no one person does, for major issues for Fedora. I
don't set the security requirements for Fedora. What I tried to do was
to explain what the current security requirements are, and what points
someone would need to consider in an argument likely to persuade the
project as a whole that they should change. You don't need to persuade
me - or not ONLY me (and my opinion doesn't carry any more weight than
anyone else's, as I'm not a member of any relevant boards or
committees). If you want to change major things about Fedora, you need
to persuade enough people to produce a broad consensus (for things such
as the specific release criteria), or to persuade the appropriate body -
e.g. FESCo or the Board. 

As far as the security issue goes, I created a thread for discussion of
that, "Security release criterion proposal", cross-posted here, to devel
and to the security list, as they're the obvious groups likely to have
input. I hope it's clear from that thread that the goal is to produce a
broad consensus; in the initial post I tried to frame a criterion which
matched our current practice, and highlighted the axes along which it
could be varied for discussion. Now lots of people are contributing to
that discussion, and I'm hoping a clear consensus will arise in time.

As far as supported desktops go, all I've said all along is that *QA
doesn't get to make that decision*. I've already said that *my personal
opinion* is that it would be a good idea to broaden out the base of
supported desktops; if I were going around making all the decisions,
then, we'd already be doing that. It's not hard to find evidence of
this: I tried last year to have LXDE and Xfce added to the list of
release-blocking desktops, and proposed the desktop validation process
by which we now do planned testing of five major desktops for each
release point (we previously did only a small amount of planned testing
on GNOME and KDE, and did no testing at all on LXDE or Xfce).

But neither I nor the QA group as a whole gets to make all the
decisions; we work within the processes of the Fedora project as a
whole. When I made the proposal to broaden the scope of supported
desktops other groups had reservations, so it didn't happen. If you, I,
Johann, all of us, or any other group of people within Fedora want that
change to happen, we have to convince the appropriate people.

I'm very sorry that I didn't explain my position well enough and gave
the impression I was handing down decisions from on high, but that is
definitely not what I'm doing, and it's my fault for giving that
impression. I hope this email clarifies those situations.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net


