On 21 December 2014 at 09:45, Björn Persson <Bjorn@rombobjörn.se> wrote:
> Mattia Verga wrote: > >Since I'm not good to write complex sentences in English, here is a > >schema that explains how I think firewalld should work as I wrote in > >the previous post. > > A "trusted app" to me would mean that I trust that it's secure enough > to communicate even on *untrusted* networks. I don't usually trust any > That is personal semantics versus actual semantics. You define "trusted" as X, someone defines it as Y. They may or may not overlap which causes all kinds of arguments over words versus actual usage. What Mattia is saying is that you set levels of trust for programs or acceptance (again another overloaded word that will causes arguments over definitions). Program A is 'accepted' or 'trusted' or 'fill in your word here' to work on network A without intervention. If the system is not on that network then before Program A can have a port open, it needs the user to determine whether or not that is allowed. Program B is not 'accepted' in any white list and so the user needs to be notified. I think in the end a firstboot or anaconda module on user security settings should be put in. In places where the environment is preset up, it can be turned off easily in kickstart or a boot time flag. User A wants to be notified of all programs opening ports even if he is going to whitelist them. User B does not want to be notified and could care less about security. etc. > network, but in the rare cases when I do, I'll let any bug-ridden junk > communicate because I'm confident that there isn't anything on the > network that will exploit any security holes. If Gnome-user-share (your > example) can't be trusted on untrusted networks, then including it in a > "trusted app list" seems very wrong. Since you didn't even give the user > an option to allow Gnome-user-share to communicate on the untrusted > network, your list seems more ĺike a list of known defective apps. > > -- > Björn Persson > > -- > devel mailing list > devel@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/devel > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct > -- Stephen J Smoogen.
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
