Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Igor Gnatenko
On Mon, Dec 8, 2014 at 10:58 AM, Andre Robatino
 wrote:
>
> Kevin Kofler  chello.at> writes:
>
> > I just happened to look at the firewalld default settings, and I was not
> > amused when I noticed this:
> > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> > >  
> > >  
> > This "firewall" is a joke! ALL higher ports are wide open!
>
> I just did a check of all the service ports and various higher port ranges
> using ShieldsUP! ( https://www.grc.com/x/ne.dll?bh0bkyd2 ) and AFAICT, the
> only open higher port is the one random port that Transmission is currently
> using. (BTW, Transmission now seems to automatically open an incoming port -
> in F20 and below I had to tell Transmission to use a fixed port instead of a
> random one, and manually open that port in the firewall.) This is on a
> system clean installed from Fedora-Live-Workstation-x86_64-21-5.iso.
you forget about DLNA sharing, and some more GNOME services.
>
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




-- 
-Igor Gnatenko

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Andre Robatino
Igor Gnatenko  gmail.com> writes:

> you forget about DLNA sharing, and some more GNOME services.

I googled for "DLNA sharing" to find out which ports it uses, and it seems
that all of those ports are closed. Are there any specific ports you would
expect to be open?

BTW, I just realized that my router is probably blocking unsolicited
incoming packets, so it's possible the firewall itself might be as open as
Kevin says it is. I'd have to read up a bit to learn how to check. Still,
with the router doing its job, and Transmission not being a pain to set up
anymore, I'm happy.


Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Paul Howarth
On Mon, 08 Dec 2014 07:41:52 +0100
Kevin Kofler  wrote:

> Hi,
> 
> I just happened to look at the firewalld default settings, and I was
> not amused when I noticed this:
> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> >  
> >  
> This "firewall" is a joke! ALL higher ports are wide open!
> 
> There had been a prior discussion on this list where they wanted to
> disable the firewall entirely. We told them that that's a horrible
> idea (which it is, of course!). But the result is that they
> implemented this "solution" which is almost entirely as bad, and
> which additionally gives users a false sense of security, because a
> "firewall" is "enabled" (for a very twisted definition of "enabled").
> 
> IMHO, this is a major security issue that MUST be fixed. It also
> shows what horribly bad an idea per-Product configuration is.
> 
> Yet another reason why you should NOT use "--product=workstation" to
> upgrade your F20 to F21 (ALWAYS use "--product=nonproduct").
> Installing the "Workstation Product", or upgrading to it, will leave
> you with a totally insecure system.

FWIW, this is mentioned in the release notes:

http://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#Products-Workstation

2.3.3. Developer oriented firewall

Developers often run test servers that run on high numbered ports, and
interconnectivity with many modern consumer devices also requires these
ports. The firewall in Fedora Workstation, firewalld, is configured to
allow these things.

Ports numbered under 1024, with the exceptions of
sshd and clients for samba and DHCPv6, are blocked to prevent access to
system services. Ports above 1024, used for user-initiated
applications, are open by default. 

Paul.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Andre Robatino
Andre Robatino  fedoraproject.org> writes:

> using. (BTW, Transmission now seems to automatically open an incoming port -
> in F20 and below I had to tell Transmission to use a fixed port instead of a
> random one, and manually open that port in the firewall.)

Forgot to mention that before, I also had to configure the router to allow
incoming packets for that one specific port. None of that is necessary now.
Presumably Transmission's "Use UPnP or NAT-PMP port forwarding from my
router" option is now working properly - before, it didn't do anything.




Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Igor Gnatenko
tcp        0      0 127.0.0.1:47147         0.0.0.0:*               LISTEN      15610/rygel
tcp        0      0 192.168.122.1:59505     0.0.0.0:*               LISTEN      15610/rygel
tcp        0      0 0.0.0.0:51413           0.0.0.0:*               LISTEN      13331/transmission-
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.254.16:35799    0.0.0.0:*               LISTEN      15610/rygel
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::51413                :::*                    LISTEN      13331/transmission-
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
tcp6       0      0 :::59098                :::*                    LISTEN      15609/httpd

On Mon, Dec 8, 2014 at 11:18 AM, Andre Robatino
 wrote:
> Igor Gnatenko  gmail.com> writes:
>
>> you forget about DLNA sharing, and some more GNOME services.
>
> I googled for "DLNA sharing" to find out which ports it uses, and it seems
> that all of those ports are closed. Are there any specific ports you would
> expect to be open?
>
> BTW, I just realized that my router is probably blocking unsolicited
> incoming packets, so it's possible the firewall itself might be as open as
> Kevin says it is. I'd have to read up a bit to learn how to check. Still,
> with the router doing its job, and Transmission not being a pain to set up
> anymore, I'm happy.
>



-- 
-Igor Gnatenko
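
Added example (not part of any message in this thread, and not Fedora or firewalld code): a way to check which listening sockets from a netstat listing like the one above would accept unsolicited connections under the policy worded in the quoted release notes, compared with an established-only rule set. It assumes every non-loopback interface falls under that one policy; the function names are illustrative.

```python
import ipaddress

# Sample lines reconstructed from the listings posted in this thread
# (`netstat -tulnp` column layout); paste live output here to audit a real host.
SAMPLE = """\
tcp        0      0 127.0.0.1:47147         0.0.0.0:*               LISTEN      15610/rygel
tcp        0      0 192.168.122.1:59505     0.0.0.0:*               LISTEN      15610/rygel
tcp        0      0 0.0.0.0:51413           0.0.0.0:*               LISTEN      13331/transmission-
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.254.16:35799    0.0.0.0:*               LISTEN      15610/rygel
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::51413                :::*                    LISTEN      13331/transmission-
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
tcp6       0      0 :::59098                :::*                    LISTEN      15609/httpd
udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java
"""

# Assumption: inbound policy as worded in the release notes quoted in the thread:
# ports above 1024 open; low ports closed except sshd (22/tcp), the samba
# client (137-138/udp) and the DHCPv6 client (546/udp).
LOW_PORT_EXCEPTIONS = {("tcp", 22), ("udp", 137), ("udp", 138), ("udp", 546)}


def workstation_policy(proto, port):
    """True if an unsolicited inbound packet to proto/port is accepted."""
    return port > 1024 or (proto, port) in LOW_PORT_EXCEPTIONS


def established_only_policy(proto, port):
    """Only RELATED,ESTABLISHED traffic is accepted: nothing unsolicited gets in."""
    return False


def parse_listeners(text):
    """Return (proto, address, port, program) for every unconnected socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        # Listening TCP and bound UDP sockets show a wildcard foreign address.
        if fields[4] not in ("0.0.0.0:*", ":::*"):
            continue
        proto = fields[0].rstrip("6")            # tcp6 -> tcp, udp6 -> udp
        host, _, port = fields[3].rpartition(":")  # last colon splits off the port
        try:
            addr, port = ipaddress.ip_address(host), int(port)
        except ValueError:
            continue                              # non-numeric output, skip the line
        program = fields[-1] if len(fields) > 5 and fields[-1] != "LISTEN" else "-"
        listeners.append((proto, addr, port, program))
    return listeners


def audit(text, policy=workstation_policy):
    """Classify each listener as local-only, filtered or reachable."""
    rows = []
    for proto, addr, port, program in parse_listeners(text):
        if addr.is_loopback:
            verdict = "local-only"   # bound to 127.0.0.1 / ::1, firewall irrelevant
        elif policy(proto, port):
            verdict = "reachable"    # the firewall lets new connections through
        else:
            verdict = "filtered"     # listening, but the firewall drops the packet
        rows.append((proto, str(addr), port, program, verdict))
    return rows


if __name__ == "__main__":
    for name, policy in (("workstation", workstation_policy),
                         ("established-only", established_only_policy)):
        print(f"== {name} ==")
        for proto, addr, port, program, verdict in audit(SAMPLE, policy):
            print(f"{verdict:<10} {proto:<3} {addr}:{port}  {program}")
```

A listener marked reachable is still subject to whatever sits in front of the host, such as the NAT router mentioned earlier in the thread; the script only answers what the host firewall policy itself would pass.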

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Ian Malone
On 8 December 2014 at 08:38, Paul Howarth  wrote:
> On Mon, 08 Dec 2014 07:41:52 +0100
> Kevin Kofler  wrote:
>
>> Hi,
>>
>> I just happened to look at the firewalld default settings, and I was
>> not amused when I noticed this:
>> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
>> >  
>> >  
>> This "firewall" is a joke! ALL higher ports are wide open!
>>
>> There had been a prior discussion on this list where they wanted to
>> disable the firewall entirely. We told them that that's a horrible
>> idea (which it is, of course!). But the result is that they
>> implemented this "solution" which is almost entirely as bad, and
>> which additionally gives users a false sense of security, because a
>> "firewall" is "enabled" (for a very twisted definition of "enabled").
>>
>> IMHO, this is a major security issue that MUST be fixed. It also
>> shows what horribly bad an idea per-Product configuration is.
>>
>> Yet another reason why you should NOT use "--product=workstation" to
>> upgrade your F20 to F21 (ALWAYS use "--product=nonproduct").
>> Installing the "Workstation Product", or upgrading to it, will leave
>> you with a totally insecure system.
>
> FWIW, this is mentioned in the release notes:
>
> http://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#Products-Workstation
>
> 2.3.3. Developer oriented firewall
>
> Developers often run test servers that run on high numbered ports, and
> interconnectivity with many modern consumer devices also requires these
> ports. The firewall in Fedora Workstation, firewalld, is configured to
> allow these things.
>
> Ports numbered under 1024, with the exceptions of
> sshd and clients for samba and DHCPv6, are blocked to prevent access to
> system services. Ports above 1024, used for user-initiated
> applications, are open by default.
>

That's a rather confused explanation to me, developers are able to
adjust their firewalls or disable them for troubleshooting if they
wish. It then ropes in "interconnectivity with many modern consumer
devices".

Does feel rather like a fedora-no-longer-has-your-back moment.

-- 
imalone
http://ibmalone.blogspot.co.uk

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 07:41, Kevin Kofler wrote:
> I just happened to look at the firewalld default settings, and I was not
> amused when I noticed this:
> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
>
>
>
> This "firewall" is a joke! ALL higher ports are wide open!

seriously?

how was i attacked as i called it repeatedly not smart even consider lower 
the default security. a ton of services are listening on high ports 
these days and *incoming* the only needed rule is:

ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED






Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 09:38, Paul Howarth wrote:
> FWIW, this is mentioned in the release notes:
>
> http://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#Products-Workstation
>
> 2.3.3. Developer oriented firewall
>
> Developers often run test servers that run on high numbered ports, and
> interconnectivity with many modern consumer devices also requires these
> ports. The firewall in Fedora Workstation, firewalld, is configured to
> allow these things.
>
> Ports numbered under 1024, with the exceptions of
> sshd and clients for samba and DHCPv6, are blocked to prevent access to
> system services. Ports above 1024, used for user-initiated
> applications, are open by default.

WTF - "developer oriented firewall" on workstation?

i doubt it is smart that by default my running Eclipse
accepts incoming connections from the WAN (that i am
paid for IT security prevents that but only here)

tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      8669/java
tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      8669/java
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      8669/java
udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java






Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Michael Spahn

We don't need open or preconfigured high ports.

What we really need is a user notification with options to allow or
deny like we do with SELinux.

That would be an appropriate solution for a workstation.



On 08.12.2014 10:29, Reindl Harald wrote:
> 
> On 08.12.2014 at 09:38, Paul Howarth wrote:
>> FWIW, this is mentioned in the release notes:
>> 
>> http://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#Products-Workstation
>>
>> 2.3.3. Developer oriented firewall
>> 
>> Developers often run test servers that run on high numbered
>> ports, and interconnectivity with many modern consumer devices
>> also requires these ports. The firewall in Fedora Workstation,
>> firewalld, is configured to allow these things.
>> 
>> Ports numbered under 1024, with the exceptions of sshd and
>> clients for samba and DHCPv6, are blocked to prevent access to 
>> system services. Ports above 1024, used for user-initiated 
>> applications, are open by default.
> 
> WTF - "developer oriented firewall" on workstation?
> 
> i doubt it is smart that by default my running Eclipse accepts
> incoming connections from the WAN (that i am paid for IT security
> prevents that but only here)
> 
> tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      8669/java
> tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      8669/java
> tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      8669/java
> udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java
> 
> 
> 
> 

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> Hi,
> 
> I just happened to look at the firewalld default settings, and I was not
> amused when I noticed this:
> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> >  
> >  
> This "firewall" is a joke! ALL higher ports are wide open!
> 
> There had been a prior discussion on this list where they wanted to disable
> the firewall entirely. We told them that that's a horrible idea (which it
> is, of course!). But the result is that they implemented this "solution"
> which is almost entirely as bad, and which additionally gives users a false
> sense of security, because a "firewall" is "enabled" (for a very twisted
> definition of "enabled").
> 
> IMHO, this is a major security issue that MUST be fixed. It also shows what
> horribly bad an idea per-Product configuration is.

This was discussed, and implemented in the open, and I sent the details of the 
feature, and how it would be implemented to the fedora desktop list, as is
customary for Workstation features.

> Yet another reason why you should NOT use "--product=workstation" to upgrade
> your F20 to F21 (ALWAYS use "--product=nonproduct"). Installing the
> "Workstation Product", or upgrading to it, will leave you with a totally
> insecure system.

There are no services listening on upper ports enabled by default, all the
sharing services in Fedora will require actual enabling. See:
http://www.hadess.net/2014/06/firewalls-and-per-network-sharing.html

Next time, don't be 6 months late if you're going to be flippant.

Cheers

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> 
> We don't need open or preconfigured high ports.
> 
> What we really need is a user notification with options to allow or
> deny like we do with SELinux.
> 
> That would be an appropriate solution for a workstation.

No it wouldn't be, because users don't like being asked security questions,
even less so when they don't have the skills to understand the consequences
of their choices.

The changes were vouched for by the Fedora and GNOME designers, as well as
the firewalld maintainers.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 10:34, Michael Spahn wrote:
> We don't need open or preconfigured high ports.
>
> What we really need is a user notification with options to allow or
> deny like we do with SELinux.
>
> That would be an appropriate solution for a workstation.

* you know that
* i know that
* the same applies for many options chosen at install

sadly the goal is to ask users as little as possible because they may be 
overwhelmed - the attitude "a user is a user and don't need to know 
anything because all can work magically" is wrong, proven dangerous and 
leads in users don't know anything after not being bothered with anything

*finally* they are trained to *rely* on sane and secure defaults but 
everybody working in the IT knows that you never can have both: secure 
by default and all magically working by default

people switched to Linux systems to go in the "secure by default" 
direction, sadly these times seem to be gone

> On 08.12.2014 10:29, Reindl Harald wrote:
>> On 08.12.2014 at 09:38, Paul Howarth wrote:
>>> FWIW, this is mentioned in the release notes:
>>>
>>> http://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#Products-Workstation
>>>
>>> 2.3.3. Developer oriented firewall
>>>
>>> Developers often run test servers that run on high numbered
>>> ports, and interconnectivity with many modern consumer devices
>>> also requires these ports. The firewall in Fedora Workstation,
>>> firewalld, is configured to allow these things.
>>>
>>> Ports numbered under 1024, with the exceptions of sshd and
>>> clients for samba and DHCPv6, are blocked to prevent access to
>>> system services. Ports above 1024, used for user-initiated
>>> applications, are open by default.
>>
>> WTF - "developer oriented firewall" on workstation?
>>
>> i doubt it is smart that by default my running Eclipse accepts
>> incoming connections from the WAN (that i am paid for IT security
>> prevents that but only here)
>>
>> tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      8669/java
>> tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      8669/java
>> tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      8669/java
>> udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java





Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> 
> On 08.12.2014 at 09:38, Paul Howarth wrote:
> > FWIW, this is mentioned in the release notes:
> >
> > http://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#Products-Workstation
> >
> > 2.3.3. Developer oriented firewall
> >
> > Developers often run test servers that run on high numbered ports, and
> > interconnectivity with many modern consumer devices also requires these
> > ports. The firewall in Fedora Workstation, firewalld, is configured to
> > allow these things.
> >
> > Ports numbered under 1024, with the exceptions of
> > sshd and clients for samba and DHCPv6, are blocked to prevent access to
> > system services. Ports above 1024, used for user-initiated
> > applications, are open by default.
> 
> WTF - "developer oriented firewall" on workstation?
> 
> i doubt it is smart that by default my running Eclipse
> accepts incoming connections from the WAN (that i am
> paid for IT security prevents that but only here)
> 
> tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      8669/java
> tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      8669/java
> tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      8669/java
> udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java

That's an Eclipse bug, surely.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 10:48, Bastien Nocera wrote:
>> I just happened to look at the firewalld default settings, and I was not
>> amused when I noticed this:
>> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
>>
>>
>>
>> This "firewall" is a joke! ALL higher ports are wide open!
>>
>> There had been a prior discussion on this list where they wanted to disable
>> the firewall entirely. We told them that that's a horrible idea (which it
>> is, of course!). But the result is that they implemented this "solution"
>> which is almost entirely as bad, and which additionally gives users a false
>> sense of security, because a "firewall" is "enabled" (for a very twisted
>> definition of "enabled").
>>
>> IMHO, this is a major security issue that MUST be fixed. It also shows what
>> horribly bad an idea per-Product configuration is.
>
> This was discussed, and implemented in the open

but *nobody* cared for why it is a bad idea

if something is discussed in the open and IT security people like me 
and others explain repeatedly why it is a bad idea you can't skip the 
whole discussion and do what you want

>> Yet another reason why you should NOT use "--product=workstation" to upgrade
>> your F20 to F21 (ALWAYS use "--product=nonproduct"). Installing the
>> "Workstation Product", or upgrading to it, will leave you with a totally
>> insecure system.
>
> There are no services listening on upper ports enabled by default

that attitude is unacceptable

why do you then need it open?
because later a software is installed which may use it?
then "there are no..." is hypocritical and harmful

you can't secure a setup only for what is shipped as default and put 
your head in the sand knowing that there are tons of software listening 
on high ports in the repos and installing them *do not* mean "for the 
whole world"









Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 10:50, Bastien Nocera wrote:
>> We don't need open or preconfigured high ports.
>>
>> What we really need is a user notification with options to allow or
>> deny like we do with SELinux.
>>
>> That would be an appropriate solution for a workstation.
>
> No it wouldn't be, because users don't like being asked security questions

STOP THAT - you do NOT speak for "the users"

you speak just for the careless part but they are already trained 
monkeys click on "yes" and "OK", at least they are responsible for their 
click

for brand new PC users the sad in that attitude is they will never have 
a chance raise their voice about it - if you are asking the right users 
in a survey you can always have the result you want

the rest is fine with think and answer a question of the OS and *after 
that* responsible for his own decision - making the decision implicit 
"we open that for you without asking" is dangerous and harmful






Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 10:51, Bastien Nocera wrote:
>> WTF - "developer oriented firewall" on workstation?
>>
>> i doubt it is smart that by default my running Eclipse
>> accepts incoming connections from the WAN (that i am
>> paid for IT security prevents that but only here)
>>
>> tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      8669/java
>> tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      8669/java
>> tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      8669/java
>> udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java
>
> That's an Eclipse bug, surely

no - it is a OS bug if that ports ever becomes reachable unintentional 
from the WAN and there is no but or if - frankly "That's an Eclipse bug, 
surely" makes clear that you shouldn't be allowed to implement 
security related configurations until you had a lesson in IT security





Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> 
> On 08.12.2014 at 10:51, Bastien Nocera wrote:
> >> WTF - "developer oriented firewall" on workstation?
> >>
> >> i doubt it is smart that by default my running Eclipse
> >> accepts incoming connections from the WAN (that i am
> >> paid for IT security prevents that but only here)
> >>
> >> tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      8669/java
> >> tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      8669/java
> >> tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      8669/java
> >> udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java
> >
> > That's an Eclipse bug, surely
> 
> no - it is a OS bug if that ports ever becomes reachable unintentional
> from the WAN and there is no but or if

It's not an OS bug, it's an Eclipse bug.

> - frankly "That's an Eclipse bug,
> surely" makes clear that you shouldn't be allowed to implement
> security related configurations until you had a lesson in IT security

And it's a great shame you're allowed to post until you had some etiquette
lessons. Swings and roundabouts.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> 
> On 08.12.2014 at 10:50, Bastien Nocera wrote:
> >> We don't need open or preconfigured high ports.
> >>
> >> What we really need is a user notification with options to allow or
> >> deny like we do with SELinux.
> >>
> >> That would be an appropriate solution for a workstation.
> >
> > No it wouldn't be, because users don't like being asked security questions
> 
> STOP THAT - you do NOT speak for "the users"

I do, when it's been researched that asking users security questions doesn't 
work.

> you speak just for the careless part but they are already trained
> monkeys click on "yes" and "OK", at least they are responsible for their
> click

Yeah, that's so useful. "Oh, you clicked it, it's your fault". That's not
the type of OS I want to help implement, sorry.

> for brand new PC users the sad in that attitude is they will never have
> a chance raise their voice about it - if you are asking the right users
> in a survey you can always have the result you want

Because Internet surveys aren't biased. *eyeroll*

> the rest is fine with think and answer a question of the OS and *after
> that* responsible for his own decision - making the decision implicit
> "we open that for you without asking" is dangerous and harmful

How can users make their own decisions and be responsible for their own
decisions when they don't know about firewall ports? Or firewalls? Or
TCP/IP? You're starting with the wrong preconceptions.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 11:26, Bastien Nocera wrote:
>> On 08.12.2014 at 10:51, Bastien Nocera wrote:
>>>> WTF - "developer oriented firewall" on workstation?
>>>>
>>>> i doubt it is smart that by default my running Eclipse
>>>> accepts incoming connections from the WAN (that i am
>>>> paid for IT security prevents that but only here)
>>>>
>>>> tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      8669/java
>>>> tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      8669/java
>>>> tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      8669/java
>>>> udp        0      0 0.0.0.0:4321            0.0.0.0:*                           8669/java
>>>
>>> That's an Eclipse bug, surely
>>
>> no - it is a OS bug if that ports ever becomes reachable unintentional
>> from the WAN and there is no but or if
>
> It's not an OS bug, it's an Eclipse bug.

the *whole purpose* of a firewall is to *protect* for whatever bugs

that running Eclipse instance is not part of the distribution and *no* 
Fedora is not only for packages outside the repos - it is a operating system

>> - frankly "That's an Eclipse bug,
>> surely" makes clear that you shouldn't be allowed to implement
>> security related configurations until you had a lesson in IT security
>
> And it's a great shame you're allowed to post until you had some etiquette
> lessons. Swings and roundabouts.

that was as polite as possible




Re: Best way to use zram in Fedora 21?

2014-12-08 Thread Karel Zak
On Tue, Nov 25, 2014 at 09:03:20PM +0100, Juan Orti wrote:
> Hi, I know how to manually configure the zram, but what's the best way
> to do it?
> 
> I've seen the unit zram.service of anaconda-core, and it gets activated
> when booting with inst.zram=on, but it looks like very anaconda-centric.
> 
> Should something like [1] be packaged and included in the distro? or
> maybe we should spin off the anaconda zram.service and do it more
> generic.
> 
> I think this is a very interesting feature for memory constrained VMs
> and other devices.
> 
> [1] https://github.com/mystilleef/FedoraZram


BTW, util-linux v2.26 (f22) is going to contain new command zramctl(8)

Karel


$ zramctl --help

Usage:
 lt-zramctl [options] 
 lt-zramctl -r  [...]
 lt-zramctl [options] -f |  -s 

Options:
 -a, --algorithm lzo|lz4   compression algorithm to use
 -b, --bytes   print sizes in bytes rather than in human readable 
format
 -f, --findfind a free device
 -n, --noheadings  don't print headings
 -o, --outputcolumns to use for status output
 --raw use raw status output format
 -r, --reset   reset all specified devices
 -s, --size  device size
 -t, --streams number of compression streams

 -h, --help display this help and exit
 -V, --version  output version information and exit

Available columns (for --output):
NAME  zram device name
DISKSIZE  limit on the uncompressed amount of data
DATA  uncompressed size of stored data
   COMPR  compressed size of stored data
   ALGORITHM  the selected compression algorithm
 STREAMS  number of concurrent compress operations
  ZERO-PAGES  empty pages with no allocated memory
   TOTAL  all memory including allocator fragmentation and metadata overhead
  MOUNTPOINT  where the device is mounted

For more details see zramctl(8).



-- 
 Karel Zak  
 http://karelzak.blogspot.com

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Michael Spahn

Well, I'll understand these aspects.

But when I think about Linux, especially about Fedora, I'm thinking
about the freedom to make decisions. This means to me, to customize
and take advantage of my computer and in this case my operating system.

It's not about a simple Yes / No Dialog, it's more about an
explanation and providing possible solutions and if you want so to
educate the user.

People using Fedora are usually not simple "I'd like to have a more
stable and secure computer"-guys, they are already pretty aware of the
advantages of a linux distribution and their privacy - so on they
probably like to decide what's happening.

I hope it's not needed to mention that we are not Ubuntu, Windows or
OSx. We are a free and open Linux distribution and every step in
another direction is an attack against the ideas of free open source
and open mind.

We need to support our users and offer them to make decisions.

 * Explaining the user why
 * Explaining the user what does it mean to open a port
 * Offer the user a appropriate way to resolve his issue

This is just my opinion, don't take this offensive. :-)


On 08.12.2014 11:05, Reindl Harald wrote:
> 
> Am 08.12.2014 um 10:50 schrieb Bastien Nocera:
>>> We don't need open or preconfigured high ports.
>>> 
>>> What we really need is a user notification with options to
>>> allow or deny like we do with SELinux.
>>> 
> >>> That would be an appropriate solution for a workstation.
> >> 
> >> No it wouldn't be, because users don't like being asked security 
> >> questions
> > 
> > STOP THAT - you do NOT speak for "the users"
> > 
> > you speak just for the careless part but they are already trained 
> > monkeys click on "yes" and "OK", at least they are responsible for
> > their click
> > 
> > for brand new PC users the sad in that attitude is they will never
> > have a chance raise their voice about it - if you are asking the
> > right users in a survey you can always have the result you want
> > 
> > the rest is fine with think and answer a question of the OS and
> > *after that* responsible for his own decision - making the decision
> > implicit "we open that for you without asking" is dangerous and
> > harmful
> > 

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald



Am 08.12.2014 um 11:32 schrieb Bastien Nocera:
>> Am 08.12.2014 um 10:50 schrieb Bastien Nocera:
>>>> We don't need open or preconfigured high ports.
>>>>
>>>> What we really need is a user notification with options to allow or
>>>> deny like we do with SELinux.
>>>>
>>>> That would be an appropriate solution for a workstation.
>>>
>>> No it wouldn't be, because users don't like being asked security questions
>>
>> STOP THAT - you do NOT speak for "the users"
>
> I do, when it's been researched that asking users security questions doesn't
> work.

you asked the right persons

the people i am working with in the meantime are trained to call me by 
phone in doubt if their computer asks something

>> you speak just for the careless part but they are already trained
>> monkeys click on "yes" and "OK", at least they are responsible for their
>> click
>
> Yeah, that's so useful. "Oh, you clicked it, it's your fault". That's not
> the type of OS I want to help implement, sorry.

open it by default and say "oh it's the application's fault" is the one 
you want to implement, i got that in your other response

>> for brand new PC users the sad in that attitude is they will never have
>> a chance raise their voice about it - if you are asking the right users
>> in a survey you can always have the result you want
>
> Because Internet surveys aren't biased. *eyeroll*

did i say that?

you have multiple type of users but you design a OS just for the careless

>> the rest is fine with think and answer a question of the OS and *after
>> that* responsible for his own decision - making the decision implicit
>> "we open that for you without asking" is dangerous and harmful
>
> How can users make their own decisions and be responsible for their own
> decisions when they don't know about firewall ports? Or firewalls? Or
> TCP/IP? You're starting with the wrong preconceptions

THEN EDUCATE THEM INSTEAD GIVE UP

how can they learn about firewall ports of firewalls if they never got 
asked - how did i learn or the people i know?

ask a user a question and you have some options:

* he knows about it (not all users are clueless)
* he doesn't know but asks Google before click
  maybe he got more interested in the topic later
  frankly that's how i became an IT professional 12 years ago
* he clicks yes anyways

what you are doing is click "yes" for anybody and the expect that the 
knowledgeable people fix that wrong settings on each and every instance 
they install





Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> Well, I'll understand these aspects.
> 
> But when I think about Linux, especially about Fedora, I'm thinking
> about the freedom to make decisions. This means to me, to customize
> and take advantage of my computer and in this case my operating system.

You're free to select another firewall zone.

> It's not about a simple Yes / No Dialog, it's more about an
> explanation and providing possible solutions and if you want so to
> educate the user.

I don't think that linking to a TCP/IP manual is going to help.

> People using Fedora are usually not simple "I'd like to have a more
> stable and secure computer"-guys, they are already pretty aware of the
> advantages of a Linux distribution and their privacy - so on they
> probably like to decide what's happening.

And that means they know about the ins and outs of firewalls and TCP/IP?
It doesn't.

> I hope it's not needed to mention that we are not Ubuntu, Windows or
> OSx. We are a free and open Linux distribution and every step in
> another direction is an attack against the ideas of free open source
> and open mind.
> 
> We need to support our users and offer them to make decisions.
> 
>  * Explaining the user why
>  * Explaining the user what does it mean to open a port
>  * Offer the user an appropriate way to resolve his issue
> 
> This is just my opinion, don't take this offensive. :-)

No, because that'd be awful UI.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
>> Well, I'll understand these aspects.
>>
>> But when I think about Linux, especially about Fedora, I'm thinking
>> about the freedom to make decisions. This means to me, to customize
>> and take advantage of my computer and in this case my operating system.
>
> You're free to select another firewall zone

so why do you not make secure defaults and say "You're free to select 
another (more unsecure) firewall zone"?





Re: Best way to use zram in Fedora 21?

2014-12-08 Thread Dan Horák
On Mon, 8 Dec 2014 11:36:47 +0100
Karel Zak  wrote:

> On Tue, Nov 25, 2014 at 09:03:20PM +0100, Juan Orti wrote:
> > Hi, I know how to manually configure the zram, but what's the best
> > way to do it?
> > 
> > I've seen the unit zram.service of anaconda-core, and it gets
> > activated when booting with inst.zram=on, but it looks like very
> > anaconda-centric.
> > 
> > Should something like [1] be packaged and included in the distro? or
> > maybe we should spin off the anaconda zram.service and do it more
> > generic.
> > 
> > I think this is a very interesting feature for memory constrained
> > VMs and other devices.
> > 
> > [1] https://github.com/mystilleef/FedoraZram
> 
> 
> BTW, util-linux v2.26 (f22) is going to contain new command zramctl(8)
> 
> Karel
> 
> 
> $ zramctl --help
> 
> Usage:
>  lt-zramctl [options] 
>  lt-zramctl -r  [...]
>  lt-zramctl [options] -f |  -s 
> 
> Options:
>  -a, --algorithm lzo|lz4   compression algorithm to use

can this work with HW accelerated compressors like the one in IBM Power
CPUs? See eg.
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/W51a7ffcf4dfd_4b40_9d82_446ebc23c550/page/Build%20F17%20with%20Memory%20Compression


Dan

>  -b, --bytes   print sizes in bytes rather than in human readable format
>  -f, --find    find a free device
>  -n, --noheadings  don't print headings
>  -o, --outputcolumns to use for status output
>  --raw use raw status output format
>  -r, --reset   reset all specified devices
>  -s, --size  device size
>  -t, --streams number of compression streams
> 
>  -h, --help display this help and exit
>  -V, --version  output version information and exit
> 
> Available columns (for --output):
> NAME  zram device name
> DISKSIZE  limit on the uncompressed amount of data
> DATA  uncompressed size of stored data
>COMPR  compressed size of stored data
>ALGORITHM  the selected compression algorithm
>  STREAMS  number of concurrent compress operations
>   ZERO-PAGES  empty pages with no allocated memory
>TOTAL  all memory including allocator fragmentation and metadata overhead
>   MOUNTPOINT  where the device is mounted
> 
> For more details see zramctl(8).
> 
> 
> 
> -- 
>  Karel Zak  
>  http://karelzak.blogspot.com

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Michael Spahn

Probably this is not gnomish enough to him.

On 08.12.2014 11:48, Reindl Harald wrote:
> 
> Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
>>> Well, I'll understand these aspects.
>>> 
>>> But when I think about Linux, especially about Fedora, I'm
>>> thinking about the freedom to make decisions. This means to me,
>>> to customize and take advantage of my computer and in this case
>>> my operating system.
>> 
>> You're free to select another firewall zone
> 
> so why do you not make secure defaults and say "You're free to
> select another (more unsecure) firewall zone"?
> 
> 
> 

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> 
> Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
> >> Well, I'll understand these aspects.
> >>
> >> But when I think about Linux, especially about Fedora, I'm thinking
> >> about the freedom to make decisions. This means to me, to customize
> >> and take advantage of my computer and in this case my operating system.
> >
> > You're free to select another firewall zone
> 
> so why do you not make secure defaults and say "You're free to select
> another (more unsecure) firewall zone"?

1) It is secure enough and Eclipse listening to a port by default is a bug
(and I have the firewall specialists at Red Hat/Fedora to back me up)
2) Good defaults

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
It's not good UI for any OS, not just the ones based on GNOME.

- Original Message -
> Probably this is not gnomish enough to him.
> 
> On 08.12.2014 11:48, Reindl Harald wrote:
> > 
> > Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
> >>> Well, I'll understand these aspects.
> >>> 
> >>> But when I think about Linux, especially about Fedora, I'm
> >>> thinking about the freedom to make decisions. This means to me,
> >>> to customize and take advantage of my computer and in this case
> >>> my operating system.
> >> 
> >> You're free to select another firewall zone
> > 
> > so why do you not make secure defaults and say "You're free to
> > select another (more unsecure) firewall zone"?
> > 
> > 
> > 

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald



Am 08.12.2014 um 12:22 schrieb Bastien Nocera:
>> Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
>>>> Well, I'll understand these aspects.
>>>>
>>>> But when I think about Linux, especially about Fedora, I'm thinking
>>>> about the freedom to make decisions. This means to me, to customize
>>>> and take advantage of my computer and in this case my operating system.
>>>
>>> You're free to select another firewall zone
>>
>> so why do you not make secure defaults and say "You're free to select
>> another (more unsecure) firewall zone"?
>
> 1) It is secure enough and Eclipse listening to a port by default is a bug
> (and I have the firewall specialists at Red Hat/Fedora to back me up)
> 2) Good defaults

again: the *purpose* of a Firewall is to protect from application bugs 
or unintentional user faults - frankly the early KDE4 setups in 2008 had 
a ton of 0.0.0.0 listening high ports, that were indeed a bug and 
hence a firewall to protect the user against such bugs

it is not a bug that "ZendStudio" is listening on a high UDP port for 
license verification (only one instance in the same network via broadcasts)

it is intentional by the software

but it is not intentional by the user have that open on the WAN or even 
by default in the LAN, it's intentional by the user to be protected





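An added example, not part of the original thread: a small audit that takes `ss -H -tuln` output and lists the listeners a zone accepting every port above 1024 would leave reachable from the network, which is the exposure argued about in the message above. The 1025-65535 range, the function names and the sample socket list are assumptions constructed for illustration.

```python
"""List listening sockets that a 'high ports open' firewall zone would expose.

Added example. Input is the text printed by `ss -H -tuln`
(no header, numeric addresses, TCP and UDP listeners).
"""
import ipaddress
from typing import NamedTuple

# Assumption: the zone accepts TCP and UDP on 1025-65535 ("ports >1024").
ZONE_OPEN_PORTS = range(1025, 65536)


class Listener(NamedTuple):
    proto: str
    address: str   # "*" means every local address, IPv4 and IPv6
    port: int


def parse_ss(text):
    """Parse `ss -H -tuln` output into Listener tuples; malformed lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, sep, port = local.rpartition(":")
        if not sep or not port.isdigit():
            continue
        # Drop a %interface scope first, then the brackets around IPv6 addresses.
        host = host.split("%", 1)[0].strip("[]")
        listeners.append(Listener(proto, host, int(port)))
    return listeners


def is_reachable_off_host(address):
    """True unless the socket is bound to a loopback address."""
    if address == "*":
        return True
    try:
        return not ipaddress.ip_address(address).is_loopback
    except ValueError:
        return True   # unrecognised form: report it rather than hide it


def exposed(listeners, open_ports=ZONE_OPEN_PORTS):
    """Listeners whose port the zone accepts and whose bind address is not loopback."""
    return [s for s in listeners
            if s.port in open_ports and is_reachable_off_host(s.address)]


# Constructed sample of `ss -H -tuln` output (not taken from any real host).
SAMPLE = """\
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631         0.0.0.0:*
tcp   LISTEN 0      50                 *:34567             *:*
udp   UNCONN 0      0            0.0.0.0:5353        0.0.0.0:*
udp   UNCONN 0      0               [::]:47012          [::]:*
tcp   LISTEN 0      4096           [::1]:6010           [::]:*
udp   UNCONN 0      0      192.168.1.20%wlan0:68     0.0.0.0:*
tcp   LISTEN 0      10       192.168.1.20:51413      0.0.0.0:*
"""

if __name__ == "__main__":
    for s in exposed(parse_ss(SAMPLE)):
        print(f"{s.proto:4} {s.address}:{s.port} is bound off-loopback inside the open range")
```

On a live system, feed it the real output of `ss -H -tuln` in place of `SAMPLE`; anything it prints is a socket that only the firewall zone, not the application, decides whether the network can reach.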

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Aleksandar Kurtakov
- Original Message -
> From: "Bastien Nocera" 
> To: "Development discussions related to Fedora" 
> 
> Sent: Monday, December 8, 2014 1:22:04 PM
> Subject: Re: "Workstation" Product defaults to wide-open firewall
> 
> 
> 
> - Original Message -
> > 
> > Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
> > >> Well, I'll understand these aspects.
> > >>
> > >> But when I think about Linux, especially about Fedora, I'm thinking
> > >> about the freedom to make decisions. This means to me, to customize
> > >> and take advantage of my computer and in this case my operating system.
> > >
> > > You're free to select another firewall zone
> > 
> > so why do you not make secure defaults and say "You're free to select
> > another (more unsecure) firewall zone"?
> 
> 1) It is secure enough and Eclipse listening to a port by default is a bug
> (and I have the firewall specialists at Red Hat/Fedora to back me up)

I have Eclipse open and it's not listening to a port AFAIKT. I wonder what 
obscure plugin is installed in Eclipse to make this happen.

Alexander Kurtakov
Red Hat Eclipse team

> 2) Good defaults

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Alec Leamas



On 08/12/14 12:10, Michael Spahn wrote:
> Probably this is not gnomish enough to him.

Hm... There's something strangely familiar with this discussion... yes, in 
[1] there are several threads on "Firewall blocking desktop features".

I can see both sides here, the impossible situation for the user when 
presented with questions like "Is it OK to open TCP port 8765 for 
incoming traffic?", but also the major security problem having ports >1024 
open by default. There are some ideas in the threads how to cope 
with it.

A problem here seems to be that some interested (including me) isn't 
reading the workstation list, and gets a nasty surprise when the 
results just pops up from nowhere. I certainly expected a better 
solution for this problem, but I haven't made any effort whatsoever to 
help solving it.  So I guess my expectation is basically void.



--alec

[1] https://lists.fedoraproject.org/pipermail/devel/2013-September/

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> - Original Message -
> > From: "Bastien Nocera" 
> > To: "Development discussions related to Fedora"
> > 
> > Sent: Monday, December 8, 2014 1:22:04 PM
> > Subject: Re: "Workstation" Product defaults to wide-open firewall
> > 
> > 
> > 
> > - Original Message -
> > > 
> > > Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
> > > >> Well, I'll understand these aspects.
> > > >>
> > > >> But when I think about Linux, especially about Fedora, I'm thinking
> > > >> about the freedom to make decisions. This means to me, to customize
> > > >> and take advantage of my computer and in this case my operating
> > > >> system.
> > > >
> > > > You're free to select another firewall zone
> > > 
> > > so why do you not make secure defaults and say "You're free to select
> > > another (more unsecure) firewall zone"?
> > 
> > 1) It is secure enough and Eclipse listening to a port by default is a bug
> > (and I have the firewall specialists at Red Hat/Fedora to back me up)
> 
> I have Eclipse open and it's not listening to a port AFAIKT. I wonder what
> obscure plugin is installed in Eclipse to make this happen.

Thanks for following up Aleksandar. Hopefully Reindl will let us know about that
so the bug can be fixed.

Cheers

rawhide report: 20141208 changes

2014-12-08 Thread Fedora Rawhide Report
Compose started at Mon Dec  8 05:15:03 UTC 2014
Broken deps for i386
--
[3Depict]
3Depict-0.0.16-3.fc22.i686 requires libmgl.so.7.2.0
[Sprog]
Sprog-0.14-27.fc20.noarch requires perl(:MODULE_COMPAT_5.18.0)
[cab]
cab-0.1.9-12.fc22.i686 requires cabal-dev
[dnssec-check]
dnssec-check-1.14.0.1-4.fc20.i686 requires libval-threads.so.14
dnssec-check-1.14.0.1-4.fc20.i686 requires libsres.so.14
[glances]
glances-2.1.2-2.fc22.noarch requires python-psutil >= 0:2.0.0
[kde-runtime]
kde-runtime-libs-14.11.97-1.fc22.i686 requires kdelibs4(x86-32) >= 
0:14.11.97
[nodejs-mbtiles]
nodejs-mbtiles-0.7.4-1.fc22.noarch requires npm(tiletype) < 0:0.2
[nodejs-tilejson]
nodejs-tilejson-0.12.0-1.fc22.noarch requires npm(tiletype) < 0:0.2
[nwchem]
nwchem-openmpi-6.3.2-11.fc21.i686 requires libmpi_usempi.so.1
[openstack-neutron-gbp]
openstack-neutron-gbp-2014.2-0.2.acb85f0git.fc22.noarch requires 
openstack-neutron = 0:2014.2
[pam_mapi]
pam_mapi-0.2.0-3.fc22.i686 requires libmapi.so.0
[perl-DBIx-Class]
perl-DBIx-Class-0.082810-1.fc22.noarch requires 
perl(DBIx::Class::CDBICompat::Relationship)
[python-selenium]
python3-selenium-2.43.0-1.fc22.noarch requires python3-rdflib
[rubygem-wirb]
rubygem-wirb-1.0.3-2.fc21.noarch requires rubygem(paint) < 0:0.9
[shogun]
shogun-doc-3.2.0.1-0.27.git20140804.96f3cf3.fc22.noarch requires 
shogun-data = 0:0.8.1-0.18.git20140804.48a1abb.fc22
[uwsgi]
uwsgi-plugin-gridfs-2.0.7-2.fc22.i686 requires libmongoclient.so
uwsgi-stats-pusher-mongodb-2.0.7-2.fc22.i686 requires libmongoclient.so
[vfrnav]
vfrnav-20140510-2.fc22.i686 requires libpolyclipping.so.16
vfrnav-utils-20140510-2.fc22.i686 requires libpolyclipping.so.16
[wine]
wine-1.7.32-1.fc22.i686 requires mingw32-wine-gecko = 0:2.34



Broken deps for x86_64
--
[3Depict]
3Depict-0.0.16-3.fc22.x86_64 requires libmgl.so.7.2.0()(64bit)
[Sprog]
Sprog-0.14-27.fc20.noarch requires perl(:MODULE_COMPAT_5.18.0)
[cab]
cab-0.1.9-12.fc22.x86_64 requires cabal-dev
[dnssec-check]
dnssec-check-1.14.0.1-4.fc20.x86_64 requires 
libval-threads.so.14()(64bit)
dnssec-check-1.14.0.1-4.fc20.x86_64 requires libsres.so.14()(64bit)
[glances]
glances-2.1.2-2.fc22.noarch requires python-psutil >= 0:2.0.0
[kde-runtime]
kde-runtime-libs-14.11.97-1.fc22.i686 requires kdelibs4(x86-32) >= 
0:14.11.97
kde-runtime-libs-14.11.97-1.fc22.x86_64 requires kdelibs4(x86-64) >= 
0:14.11.97
[nodejs-mbtiles]
nodejs-mbtiles-0.7.4-1.fc22.noarch requires npm(tiletype) < 0:0.2
[nodejs-tilejson]
nodejs-tilejson-0.12.0-1.fc22.noarch requires npm(tiletype) < 0:0.2
[nwchem]
nwchem-openmpi-6.3.2-11.fc21.x86_64 requires libmpi_usempi.so.1()(64bit)
[openstack-neutron-gbp]
openstack-neutron-gbp-2014.2-0.2.acb85f0git.fc22.noarch requires 
openstack-neutron = 0:2014.2
[pam_mapi]
pam_mapi-0.2.0-3.fc22.i686 requires libmapi.so.0
pam_mapi-0.2.0-3.fc22.x86_64 requires libmapi.so.0()(64bit)
[perl-DBIx-Class]
perl-DBIx-Class-0.082810-1.fc22.noarch requires 
perl(DBIx::Class::CDBICompat::Relationship)
[python-selenium]
python3-selenium-2.43.0-1.fc22.noarch requires python3-rdflib
[rubygem-wirb]
rubygem-wirb-1.0.3-2.fc21.noarch requires rubygem(paint) < 0:0.9
[shogun]
shogun-doc-3.2.0.1-0.27.git20140804.96f3cf3.fc22.noarch requires 
shogun-data = 0:0.8.1-0.18.git20140804.48a1abb.fc22
[uwsgi]
uwsgi-plugin-gridfs-2.0.7-2.fc22.x86_64 requires 
libmongoclient.so()(64bit)
uwsgi-stats-pusher-mongodb-2.0.7-2.fc22.x86_64 requires 
libmongoclient.so()(64bit)
[vfrnav]
vfrnav-20140510-2.fc22.i686 requires libpolyclipping.so.16
vfrnav-20140510-2.fc22.x86_64 requires libpolyclipping.so.16()(64bit)
vfrnav-utils-20140510-2.fc22.x86_64 requires 
libpolyclipping.so.16()(64bit)
[wine]
wine-1.7.32-1.fc22.i686 requires mingw32-wine-gecko = 0:2.34
wine-1.7.32-1.fc22.x86_64 requires mingw64-wine-gecko = 0:2.34
wine-1.7.32-1.fc22.x86_64 requires mingw32-wine-gecko = 0:2.34



Broken deps for armhfp
--
[3Depict]
3Depict-0.0.16-3.fc22.armv7hl requires libmgl.so.7.2.0
[Sprog]
Sprog-0.14-27.fc20.noarch requires perl(:MODULE_COMPAT_5.18.0)
[avro]
avro-mapred-1.7.5-9.fc22.noarch requires hadoop-mapreduce
avro-mapred-1.7.5-9.fc22.noarch requires hadoop-client
[cab]
cab-0.1.9-12.fc22.armv7hl requires cabal-dev
[dnssec-check]
dnssec-check-1.14.0.1-4.fc20.armv7hl requires libval-threads.so.14
dnssec-check-1.14.0.1-4.fc20.armv7hl requires libsres.so.14
[glances]
glances-2.1.2-2.fc22.noarch requires python-psutil >= 0:2.0.0
[kde-runtime]
kde-runt

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald



Am 08.12.2014 um 12:34 schrieb Bastien Nocera:
>>>> Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
>>>>>> Well, I'll understand these aspects.
>>>>>>
>>>>>> But when I think about Linux, especially about Fedora, I'm thinking
>>>>>> about the freedom to make decisions. This means to me, to customize
>>>>>> and take advantage of my computer and in this case my operating
>>>>>> system.
>>>>>
>>>>> You're free to select another firewall zone
>>>>
>>>> so why do you not make secure defaults and say "You're free to select
>>>> another (more unsecure) firewall zone"?
>>>
>>> 1) It is secure enough and Eclipse listening to a port by default is a bug
>>> (and I have the firewall specialists at Red Hat/Fedora to back me up)
>>
>> I have Eclipse open and it's not listening to a port AFAIKT. I wonder what
>> obscure plugin is installed in Eclipse to make this happen.
>
> Thanks for following up Aleksandar. Hopefully Reindl will let us know about that
> so the bug can be fixed.

* first: it is not a Fedora package
* second: it does not matter

fixing applications to work around harmful firewall settings is the 
wrong direction - the *purpose* of a firewall is to *protect* against 
such things and i really don't get why this needs to be explained 
multiple times

that's the same as drive a car on the street, facing another driver 
ignoring his red light and instead try to stop your car just say "he is 
wrong and i am allowed to drive"

a sensible reaction would be stop, call the others names and live
the ignorant reaction would be get killed but be right at it




Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> 
> 
> Am 08.12.2014 um 12:34 schrieb Bastien Nocera:
> >>>> Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
> >>>>>> Well, I'll understand these aspects.
> >>>>>>
> >>>>>> But when I think about Linux, especially about Fedora, I'm thinking
> >>>>>> about the freedom to make decisions. This means to me, to customize
> >>>>>> and take advantage of my computer and in this case my operating
> >>>>>> system.
> >>>>>
> >>>>> You're free to select another firewall zone
> >>>>
> >>>> so why do you not make secure defaults and say "You're free to select
> >>>> another (more unsecure) firewall zone"?
> >>>
> >>> 1) It is secure enough and Eclipse listening to a port by default is a
> >>> bug
> >>> (and I have the firewall specialists at Red Hat/Fedora to back me up)
> >>
> >> I have Eclipse open and it's not listening to a port AFAIKT. I wonder what
> >> obscure plugin is installed in Eclipse to make this happen.
> >
> > Thanks for following up Aleksandar. Hopefully Reindl will let us know about
> > that
> > so the bug can be fixed.
> 
> * first: it is not a Fedora package
> * second: it does not matter
> 
> fixing applications to work around harmful firewall settings is the
> wrong direction - the *purpose* of a firewall is to *protect* against
> such things and i really don't get why this needs to be explained
> multiple times

Security is about compromises. The net result of the old firewall settings
was people disabling the firewall. The new firewall settings were vouched for
by the firewalld folks, and provide good defaults for most users.

> that's the same as drive a car on the street, facing another driver
> ignoring his red light and instead try to stop your car just say "he is
> wrong and i am allowed to drive"
> 
> a sensible reaction would be stop, call the others names and live
> the ignorant reaction would be get killed but be right at it

I can't parse that, sorry. Looks like a strawman.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Aleksandar Kurtakov
- Original Message -
> From: "Reindl Harald" 
> To: devel@lists.fedoraproject.org
> Sent: Monday, December 8, 2014 1:26:29 PM
> Subject: Re: "Workstation" Product defaults to wide-open firewall
> 
> 
> 
> Am 08.12.2014 um 12:22 schrieb Bastien Nocera:
> >> Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
> >>>> Well, I'll understand these aspects.
> >>>>
> >>>> But when I think about Linux, especially about Fedora, I'm thinking
> >>>> about the freedom to make decisions. This means to me, to customize
> >>>> and take advantage of my computer and in this case my operating system.
> >>>
> >>> You're free to select another firewall zone
> >>
> >> so why do you not make secure defaults and say "You're free to select
> >> another (more unsecure) firewall zone"?
> >
> > 1) It is secure enough and Eclipse listening to a port by default is a bug
> > (and I have the firewall specialists at Red Hat/Fedora to back me up)
> > 2) Good defaults
> 
> again: the *purpose* of a Firewall is to protect from application bugs
> or unintentional user faults - frankly the early KDE4 setups in 2008 had
> a ton of 0.0.0.0 listening high ports, that were indeed a bug and
> hence a firewall to protect the user against such bugs
> 
> it is not a bug that "ZendStudio" is listening on a high UDP port for
> license verification (only one instance in the same network via broadcasts)
> 
> it is intentional by the software

I'm not going to comment what is good, what is intentional and etc.
All I'm asking for is for precise wording aka when something is done by 
ZendStudio or any other Eclipse plugin is to name it unless it's something 
that Eclipse Platform/RCP does. 
As both Fedora and upstream Eclipse platform developer I really care about 
negative press we get because of such statements. "Eclipse listens on some port 
by default" translates into "Eclipse is insecure" and etc. is entirely 
not-true. We have a very strict privacy policy 
(http://www.eclipse.org/legal/privacy.php and 
http://wiki.eclipse.org/Policies/Uploading_and_Downloading_from_Eclipse_Software_Policy)
 so I sincerely ask people to not spread false statements like the one.

Alexander Kurtakov
Red Hat Eclipse team

> 
> but it is not intentional by the user have that open on the WAN or even
> by default in the LAN, it's intentional by the user to be protected
> 
> 
> 

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald



Am 08.12.2014 um 13:02 schrieb Aleksandar Kurtakov:

- Original Message -

From: "Reindl Harald" 
To: devel@lists.fedoraproject.org
Sent: Monday, December 8, 2014 1:26:29 PM
Subject: Re: "Workstation" Product defaults to wide-open firewall

Am 08.12.2014 um 12:22 schrieb Bastien Nocera:

Am 08.12.2014 um 11:45 schrieb Bastien Nocera:

Well, I'll understand these aspects.

But when I think about Linux, especially about Fedora, I'm thinking
about the freedom to make decisions. This means to me, to customize
and take advantage of my computer and in this case my operating system.


You're free to select another firewall zone


so why do you not make secure defaults and say "You're free to select
another (more unsecure) firewall zone"?


1) It is secure enough and Eclipse listening to a port by default is a bug
(and I have the firewall specialists at Red Hat/Fedora to back me up)
2) Good defaults


again: the *purpose* of a Firewall is to protect from application bugs
or unintentional user faults - frankly the early KDE4 setups in 2008 had
a ton of 0.0.0.0 listening high ports, that were indeed a bug and
hence a firewall to protect the user against such bugs

it is not a bug that "ZendStudio" is listening on a high UDP port for
license verification (only one instance in the same network via broadcasts)

it is intentional by the software


I'm not going to comment what is good, what is intentional and etc.
All I'm asking for is for precise wording aka when something is done by 
ZendStudio or any other Eclipse plugin is to name it unless it's something 
that Eclipse Platform/RCP does.
As both Fedora and upstream Eclipse platform developer I really care about negative press we get 
because of such statements. "Eclipse listens on some port by default" translates into 
"Eclipse is insecure" and etc. is entirely not-true. We have a very strict privacy policy 
(http://www.eclipse.org/legal/privacy.php and 
http://wiki.eclipse.org/Policies/Uploading_and_Downloading_from_Eclipse_Software_Policy) so I 
sincerely ask people to not spread false statements like the one.


the point is not Eclipse

it was just an example of "netstat -l" as user and that the purpose of 
an OS is *not* to have defaults only sane in a default install


any application running as user can open a high port
that's the purpose of non-privileged ports

that means finally *any* bad piece of code with the current settings can 
open a listening port and contacted from a botnet *directly* instead 
open an active connection to the outside (which is bad enough)


spammer will love that opportunity because they need no longer to rely 
on single points easy taken offline where the bot-nodes connect to, no 
they just need to send their commands directly to the machines




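The check implied by the "netstat -l" remark in the message above, as an added example that is not part of the thread: it reads the kernel's /proc/net socket tables and lists listeners bound to a non-loopback address on an unprivileged port. The 1025 lower bound, the function names and the sample tables are assumptions made for this example.

```python
"""List sockets listening on a non-loopback address and an unprivileged port.

Parses the /proc/net/{tcp,tcp6,udp,udp6} text format. The sample tables below
are constructed for illustration; they are not captured from a real host.
"""
import ipaddress
import sys
from typing import NamedTuple

TCP_LISTEN = "0A"        # 'st' column of a listening TCP socket
UDP_UNCONNECTED = "07"   # 'st' column of a bound, unconnected UDP socket

# Constructed sample, little-endian host layout (x86): 0100007F is 127.0.0.1.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15002 1
   2: 00000000:C8D5 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 15003 1
   3: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 15004 1
   4: 0A00A8C0:22B8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 15005 1
   5: 0A00A8C0:9C40 0100A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 15006 1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:1F40 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 15020 1
   1: 00000000000000000000000001000000:0CEA 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 15021 1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 101: 00000000:D431 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 15010 2
 102: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15011 2
"""


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    uid: int


def decode_endpoint(field, byteorder=sys.byteorder):
    """Turn 'HEXADDR:HEXPORT' from a /proc/net table into (ip, port)."""
    hexaddr, hexport = field.split(":")
    # The kernel prints every 32-bit word of the address as a native-endian
    # integer, so each 8-digit group is converted back separately.
    words = [hexaddr[i:i + 8] for i in range(0, len(hexaddr), 8)]
    raw = b"".join(int(word, 16).to_bytes(4, byteorder) for word in words)
    ip = ipaddress.ip_address(raw)
    # Treat ::ffff:a.b.c.d as the IPv4 address it wraps.
    mapped = getattr(ip, "ipv4_mapped", None)
    return (mapped or ip), int(hexport, 16)


def exposed_listeners(table, proto, min_port=1025, byteorder=sys.byteorder):
    """Return listeners not bound to loopback with port >= min_port.

    min_port=1025 is an assumption standing in for "all higher ports".
    """
    wanted = TCP_LISTEN if proto.startswith("tcp") else UDP_UNCONNECTED
    found = []
    for line in table.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 8 or cols[3] != wanted:
            continue                             # not a listening socket
        ip, port = decode_endpoint(cols[1], byteorder)
        if ip.is_loopback or port < min_port:
            continue                             # local-only or privileged
        found.append(Listener(proto, str(ip), port, int(cols[7])))
    return found


def scan_host(min_port=1025):
    """Run the same check against the live tables of the local Linux host."""
    results = []
    for proto in ("tcp", "tcp6", "udp", "udp6"):
        try:
            with open(f"/proc/net/{proto}") as handle:
                results += exposed_listeners(handle.read(), proto, min_port)
        except OSError:
            continue                             # table missing on this system
    return results


if __name__ == "__main__":
    samples = (("tcp", SAMPLE_TCP), ("tcp6", SAMPLE_TCP6), ("udp", SAMPLE_UDP))
    for proto, table in samples:
        for item in exposed_listeners(table, proto, byteorder="little"):
            print(f"{item.proto:5} {item.address}:{item.port} uid={item.uid}")
```

A listener reported here is reachable from outside only if the active firewalld zone and any upstream router pass that port; the script shows what the host offers, not what the network delivers.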

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Ian Malone
On 8 December 2014 at 12:02, Aleksandar Kurtakov  wrote:
> - Original Message -
>> From: "Reindl Harald" 
>> To: devel@lists.fedoraproject.org
>> Sent: Monday, December 8, 2014 1:26:29 PM
>> Subject: Re: "Workstation" Product defaults to wide-open firewall
>>
>>
>>
>> Am 08.12.2014 um 12:22 schrieb Bastien Nocera:
>> >> Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
>>  Well, I'll understand these aspects.
>> 
>>  But when I think about Linux, especially about Fedora, I'm thinking
>>  about the freedom to make decisions. This means to me, to customize
>>  and take advantage of my computer and in this case my operating system.
>> >>>
>> >>> You're free to select another firewall zone
>> >>

And free to move to another distro of course.

>> >> so why do you not make secure defaults and say "You're free to select
>> >> another (more unsecure) firewall zone"?
>> >
>> > 1) It is secure enough and Eclipse listening to a port by default is a bug
>> > (and I have the firewall specialists at Red Hat/Fedora to back me up)
>> > 2) Good defaults
>>
>> again: the *purpose* of a Firewall is to protect from application bugs
>> or unintentional user faults - frankly the early KDE4 setups in 2008 had
>> a ton of 0.0.0.0 listening high ports, that were indeed a bug and
>> hence a firewall to protect the user against such bugs
>>
>> it is not a bug that "ZendStudio" is listening on a high UDP port for
>> license verification (only one instance in the same network via broadcasts)
>>
>> it is intentional by the software
>
> I'm not going to comment what is good, what is intentional and etc.
> All I'm asking for is for precise wording aka when something is done by 
> ZendStudio or any other Eclipse plugin is to name it unless it's something 
> that Eclipse Platform/RCP does.
> As both Fedora and upstream Eclipse platform developer I really care about 
> negative press we get because of such statements. "Eclipse listens on some 
> port by default" translates into "Eclipse is insecure" and etc. is entirely 
> not-true. We have a very strict privacy policy 
> (http://www.eclipse.org/legal/privacy.php and 
> http://wiki.eclipse.org/Policies/Uploading_and_Downloading_from_Eclipse_Software_Policy)
>  so I sincerely ask people to not spread false statements like the one.
>

Well, it's in your hands now, and every application developer's hands,
if RH is going to be turning the default firewall off.

-- 
imalone
http://ibmalone.blogspot.co.uk

[POC-change] Fedora packages point of contact updates

2014-12-08 Thread nobody
Change in package status over the last 168 hours


3 packages were orphaned

clucene09 [master] was orphaned by robert
 A C++ port of Lucene
 https://admin.fedoraproject.org/pkgdb/package/clucene09
libvmime [master] was orphaned by robert
 Powerful library for MIME messages and Internet messaging services
 https://admin.fedoraproject.org/pkgdb/package/libvmime
pygtk2 [f19] was orphaned by walters
 Python bindings for GTK+
 https://admin.fedoraproject.org/pkgdb/package/pygtk2

5 packages were retired

PyYAML [el6] was retired by jeckersb
 YAML parser and emitter for Python
 https://admin.fedoraproject.org/pkgdb/package/PyYAML
libyaml [el6] was retired by jeckersb
 YAML 1.1 parser and emitter written in C
 https://admin.fedoraproject.org/pkgdb/package/libyaml
mediawiki119 [el5] was retired by puiterwijk
 A wiki engine
 https://admin.fedoraproject.org/pkgdb/package/mediawiki119
mirrormanager [el5] was retired by mdomsch
 Fedora mirror management system
 https://admin.fedoraproject.org/pkgdb/package/mirrormanager
zarafa [master] was retired by robert
 Open Source Edition of the Zarafa Collaboration Platform
 https://admin.fedoraproject.org/pkgdb/package/zarafa

6 packages unorphaned

nvi [el6] was unorphaned by bstinson
 4.4BSD re-implementation of vi
 https://admin.fedoraproject.org/pkgdb/package/nvi
perl-DateTime-TimeZone-SystemV [epel7] was unorphaned by pghmcfc
 System V and POSIX timezone strings
 https://admin.fedoraproject.org/pkgdb/package/perl-DateTime-TimeZone-SystemV
perl-Lingua-EN-Numbers-Easy [master] was unorphaned by psabata
 Hash access to Lingua::EN::Numbers objects
 https://admin.fedoraproject.org/pkgdb/package/perl-Lingua-EN-Numbers-Easy
perl-MooseX-Getopt [el6, epel7] was unorphaned by pghmcfc
 Moose role for processing command line options
 https://admin.fedoraproject.org/pkgdb/package/perl-MooseX-Getopt
pygtk2 [f21, f20, master] was unorphaned by leigh123linux
 Python bindings for GTK+
 https://admin.fedoraproject.org/pkgdb/package/pygtk2
qca [master] was unorphaned by limb
 Qt Cryptographic Architecture
 https://admin.fedoraproject.org/pkgdb/package/qca

0 packages were unretired


24 packages were given

apache-mina [f21, f19, master, f20] was given by jhernand to msrb
 Apache MINA
 https://admin.fedoraproject.org/pkgdb/package/apache-mina
apache-sshd [f21, f19, master, f20] was given by jhernand to msrb
 Apache SSHD
 https://admin.fedoraproject.org/pkgdb/package/apache-sshd
cqrlog [f19, f20] was given by sparks to hobbes1069
 An amateur radio contact logging program
 https://admin.fedoraproject.org/pkgdb/package/cqrlog
create-tx-configuration [f19, f20] was given by sparks to immanetize
 An easy way to create Transifex client configuration files
 https://admin.fedoraproject.org/pkgdb/package/create-tx-configuration
glassfish-dtd-parser [f21, f19, master, f20] was given by jhernand to msrb
 Library for parsing XML DTDs
 https://admin.fedoraproject.org/pkgdb/package/glassfish-dtd-parser
glassfish-fastinfoset [f21, f19, master, f20] was given by jhernand to msrb
 Fast Infoset
 https://admin.fedoraproject.org/pkgdb/package/glassfish-fastinfoset
glassfish-jaxb [f21, f19, master, f20] was given by jhernand to msrb
 JAXB Reference Implementation
 https://admin.fedoraproject.org/pkgdb/package/glassfish-jaxb
gnome-clocks [f21, f19, master, f20] was given by bochecha to group::gnome-sig
 Clock application designed for GNOME 3
 https://admin.fedoraproject.org/pkgdb/package/gnome-clocks
gnome-music [f21, f20, master] was given by bochecha to group::gnome-sig
 Music player and management application for GNOME
 https://admin.fedoraproject.org/pkgdb/package/gnome-music
gnome-photos [f21, f19, master, f20] was given by bochecha to group::gnome-sig
 Access, organize and share your photos on GNOME
 https://admin.fedoraproject.org/pkgdb/package/gnome-photos
istack-commons [f21, f19, master, f20] was given by jhernand to msrb
 Common code for some Glassfish projects
 https://admin.fedoraproject.org/pkgdb/package/istack-commons
jackson [f21, f19, master, f20] was given by jhernand to msrb
 Jackson Java JSON-processor
 https://admin.fedoraproject.org/pkgdb/package/jackson
jsr-311 [f21, f19, master, f20] was given by jhernand to msrb
 JAX-RS: Java API for RESTful Web Services
 https://admin.fedoraproject.org/pkgdb/package/jsr-311
mingw-SDL [f21, f19, master, f20, epel7] was given by rjones to epienbro
 MinGW Windows port of SDL cross-platform multimedia library
 https://admin.fedoraproject.org/pkgdb/package/mingw-SDL
mingw-atk [f21, f19, master, f20, epel7] was given by rjones to epienbro
 MinGW Windows Atk library
 

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -

> Well, it's in your hands now, and every application developer's hands,
> if RH is going to be turning the default firewall off.

Not Red Hat, Fedora. And it's not off by default either. It's disabled
for user applications, not root ones.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


Am 08.12.2014 um 13:39 schrieb Bastien Nocera:

Well, it's in your hands now, and every application developer's hands,
if RH is going to be turning the default firewall off.


Not Red Hat, Fedora. And it's not off by default either. It's disabled
for user applications, not root ones


and that is a problem

"user applications" can be any bad code executed by the user start 
listening on the WAN - guess what is more likely


* get a rootkit opening privileged ports
* execute code by a careless user

Microsoft has learned their lessons after WinXP SP2 and Fedora goes the 
opposite direction which is very sad





Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> 
> Am 08.12.2014 um 13:39 schrieb Bastien Nocera:
> >> Well, it's in your hands now, and every application developer's hands,
> >> if RH is going to be turning the default firewall off.
> >
> > Not Red Hat, Fedora. And it's not off by default either. It's disabled
> > for user applications, not root ones
> 
> and that is a problem
> 
> "user applications" can be any bad code executed by the user start
> listening on the WAN - guess what is more likely
> 
> * get a rootkit opening privileged ports
> * execute code by a careless user
> 
> Microsoft has learned their lessons after WinXP SP2 and Fedora goes the
> opposite direction which is very sad

Rootkit won't require opened *server* ports. It will contact a command server
through a client port, which requires no special privileges. If you blocked
the firewall for user applications, you just made the system a pain to use for
no security benefits.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


Am 08.12.2014 um 13:56 schrieb Bastien Nocera:

Am 08.12.2014 um 13:39 schrieb Bastien Nocera:

Well, it's in your hands now, and every application developer's hands,
if RH is going to be turning the default firewall off.


Not Red Hat, Fedora. And it's not off by default either. It's disabled
for user applications, not root ones


and that is a problem

"user applications" can be any bad code executed by the user start
listening on the WAN - guess what is more likely

* get a rootkit opening privileged ports
* execute code by a careless user

Microsoft has learned their lessons after WinXP SP2 and Fedora goes the
opposite direction which is very sad


Rootkit won't require opened *server* ports. It will contact a command server
through a client port, which requires no special privileges


opening a webserver for malware code for the next spam wave would be one 
example, but it doesn't matter, if you are there the machine is owned 
anyways and the firewall disabled too



If you blocked the firewall for user applications, you just made
the system a pain to use for no security benefits


you just do not know if it is an *intended* user application acting as 
server until you ask the user - you don't know *anything* until you ask 
the user and be sure and you don't get the point


* even if the users intention is to have that application inside the
  LAN acting as server/P2P that does *not* mean automatically it
  should be open on the WAN, frankly in case of video-streaming
  the user may end in legal trouble as example

* any application reachable from the WAN is dangerous
  just because *any* bug in that application becomes a *remote exploit*

you are just giving up in security because it's not easy enough to 
maintain - make some more steps in that direction and a from scratch 
install Windows will be more secure than a Linux system and in fact 
that already happened with that high-ports-open defaults






Re: non-responsive maintainer - vda - Denys Vlasenko - dvlas...@redhat.com

2014-12-08 Thread Denys Vlasenko
On 12/05/2014 05:43 PM, Orion Poplawski wrote:
> Starting the non-responsive maintainer process for  vda - Denys Vlasenko -
> dvlas...@redhat.com  as he appears to have completely abandoned busybox.
> Anyone know him or how to contact?

Hi. I'm here.
How can I help you?

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Solomon Peachy
On Mon, Dec 08, 2014 at 07:56:28AM -0500, Bastien Nocera wrote:
> Rootkit won't require opened *server* ports. It will contact a command 
> server through a client port, which requires no special privileges. If 
> you blocked the firewall for user applications, you just made the 
> system a pain to use for no security benefits.

And perhaps more to the point, a *rootkit* will just turn off (or open 
up a hole in) the firewall anyway.

 - Solomon
-- 
Solomon Peachy pizza at shaftnet dot org
Delray Beach, FL  ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum viditur.



Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthew Miller
On Mon, Dec 08, 2014 at 12:11:40PM +, Ian Malone wrote:
> >> >>> You're free to select another firewall zone
> And free to move to another distro of course.

Well, or free to select another Fedora offering, or configure your
systems to not be Fedora Workstation.

The defaults are different in the generic config, and appropriately
more strict in Server. However, as a point of reference, there is no
configured host packet-filter firewall at all in Cloud, as that's not
the expectation in that environment.

-- 
Matthew Miller

Fedora Project Leader

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthew Miller
On Mon, Dec 08, 2014 at 11:40:30AM +0100, Michael Spahn wrote:
> I hope it's not needed to mention that we are not Ubuntu, Windows or
> OSx. We are a free and open Linux distribution and every step in
> another direction is an attack against the ideas of free open source
> and open mind.

Let's please not go this way with the discussion. There's no one here
who doesn't want free software and openness to win. It's a matter of
how we get there, and on this particular matter, reasonable people
clearly can disagree — but let's please keep that disagreement
_reasonable_, rather than making accusatory arguments.

That's the main point, but as a secondary one, please take a look at
. We aren't
those other operating systems, but the target audience that Workstation
is aiming for _isn't_ entirely the traditional Fedora userbase. That's
a good thing; we have a model here where we can actually have different
configurations for different use cases.

-- 
Matthew Miller

Fedora Project Leader

Re: Review swap -- Budgie Desktop

2014-12-08 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Dec 08, 2014 at 08:14:36AM +0800, Christopher Meng wrote:
> I can help as several months ago the budgie music player was packaged by
> myself. At that time the desktop was however unstable.
Thanks. The packaging is straightforward, for the most part. The
only sticky issue is the inclusion of gnome-volume-control submodule.
I requested a FESCo exception for that from the packager, but I'm not
100% sure if it is necessary. It would be good if you could
sanity-check that decision (last few comments on the bug).

Zbyszek

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Thomas Woerner

On 12/08/2014 12:51 PM, Bastien Nocera wrote:



- Original Message -



Am 08.12.2014 um 12:34 schrieb Bastien Nocera:

Am 08.12.2014 um 11:45 schrieb Bastien Nocera:

Well, I'll understand these aspects.

But when I think about Linux, especially about Fedora, I'm thinking
about the freedom to make decisions. This means to me, to customize
and take advantage of my computer and in this case my operating
system.


You're free to select another firewall zone


so why do you not make secure defaults and say "You're free to select
another (more unsecure) firewall zone"?


1) It is secure enough and Eclipse listening to a port by default is a
bug
(and I have the firewall specialists at Red Hat/Fedora to back me up)


I have Eclipse open and it's not listening to a port AFAICT. I wonder what
obscure plugin is installed in Eclipse to make this happen.


Thanks for following up Aleksandar. Hopefully Reindl will let us know about
that
so the bug can be fixed.


* first: it is not a Fedora package
* second: it does not matter

fixing applications to work around harmful firewall settings is the
wrong direction - the *purpose* of a firewall is to *protect* against
such things and i really don't get why this needs to be explained
multiple times


Security is about compromises. The net result of the old firewall settings
was people disabling the firewall.



The new firewall settings were vouched for
by the firewalld folks, and provide good defaults for most users.

This is wrong and you know about that - the firewalld folks have been 
urged to use this zone for the Workstation product - it was a 
Workstation team decision.



that's the same as drive a car on the street, facing another driver
ignoring his red light and instead try to stop your car just say "he is
wrong and i am allowed to drive"

a sensible reaction would be stop, call the others names and live
the ignorant reaction would be get killed but be right at it


I can't parse that, sorry. Looks like a strawman.



Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Thomas Woerner

On 12/08/2014 10:50 AM, Bastien Nocera wrote:



- Original Message -


We don't need open or preconfigured high ports.

What we really need is a user notification with options to allow or
deny like we do with SELinux.

That would be a appropriate solution for a workstation.


No it wouldn't be, because users don't like being asked security questions,
even less so when they don't have the skills to understand the consequences
of their choices.

The changes were vouched for by the Fedora and GNOME designers, as well as
the firewalld maintainers.



This zone was not proposed by firewalld maintainers. We had to accept 
this zone - it was the Workstation team decision.


Additionally there was a request to pin down the zone in Workstation 
that the user would not be able to change zones. But we denied this 
request, because it would have been a big code change in firewalld to 
remove one of its key features.


Additionally firewall-applet and firewall-config are not installed by 
default in Gnome. All this was the decision of the Workstation team. I 
asked then to leave the firewall UI there, but ...


Thomas

File Net-Amazon-S3-0.60.tar.gz uploaded to lookaside cache by ppisar

2014-12-08 Thread Petr Pisar
A file has been added to the lookaside cache for perl-Net-Amazon-S3:

652bfee36dbb2c21e8e5633961db7780  Net-Amazon-S3-0.60.tar.gz
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-de...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel

Re: Review swap -- Budgie Desktop

2014-12-08 Thread Bastien Nocera
It's a sub-module because it's not a library.

It won't be a library in the short-term either.

- Original Message -
> On Mon, Dec 08, 2014 at 08:14:36AM +0800, Christopher Meng wrote:
> > I can help as several months ago the budgie music player was packaged by
> > myself. At that time the desktop was however unstable.
> Thanks. The packaging is straightforward, for the most part. The
> only sticky issue is the inclusion of gnome-volume-control submodule.
> I requested a FESCo exception for that from the packager, but I'm not
> 100% sure if it is necessary. It would be good if you could
> sanity-check that decision (last few comments on the bug).
> 
> Zbyszek

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> On 12/08/2014 12:51 PM, Bastien Nocera wrote:

> This is wrong and you know about that - the firewalld folks have been
> urged to use this zone for the Workstation product - it was a
> Workstation team decision.

What?! We discussed it, and it was deemed acceptable by you, and mitr.
We went back and forth on this, and you agreed that it was a good
cost/benefit decision.

Feel free to make the discussion public if you feel that I misrepresented
your POV. I'm pretty certain that it was deemed a good change, whether you
remember it that way or not.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Thomas Woerner

On 12/08/2014 03:12 PM, Bastien Nocera wrote:



- Original Message -

On 12/08/2014 12:51 PM, Bastien Nocera wrote:



This is wrong and you know about that - the firewalld folks have been
urged to use this zone for the Workstation product - it was a
Workstation team decision.


What?! We discussed it, and it was deemed acceptable by you, and mitr.
We went back and forth on this, and you agreed that it was a good
cost/benefit decision.


We could choose between removing firewalld and accepting this zone ...


Feel free to make the discussion public if you feel that I misrepresented
your POV. I'm pretty certain that it was deemed a good change, whether you
remember it that way or not.



Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Ian Malone
On 8 December 2014 at 13:45, Matthew Miller  wrote:
> On Mon, Dec 08, 2014 at 12:11:40PM +, Ian Malone wrote:
>> >> >>> You're free to select another firewall zone
>> And free to move to another distro of course.
>
> Well, or free to select another Fedora offering, or configure your
> systems to not be Fedora Workstation.
>
> The defaults are different in the generic config, and appropriately
> more strict in Server. However, as a point of reference, there is no
> configured host packet-filter firewall at all in Cloud, as that's not
> the expectation in that environment.
>

Pulling in another quote:
> That's the main point, but as a secondary one, please take a look at
> . We aren't
> those other operating systems, but the target audience that Workstation
> is aiming for _isn't_ entirely the traditional Fedora userbase. That's
> a good thing; we have a model here where we can actually have different
> configurations for different use cases.

There are three products: workstation, server, cloud. Workstation is
the one for desktop use. That leaves server to aim for the traditional
fedora user base, since cloud is (understandably) a very different
thing. So if you want a desktop system with a security focus where do
you look now?

As pointed out elsewhere, the firewall configuration GUI isn't even
installed by default, so if you want to change this on a new system
you may have to connect to the internet to do it and this is hidden
from people who are new to the system.

-- 
imalone
http://ibmalone.blogspot.co.uk

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> On 12/08/2014 03:12 PM, Bastien Nocera wrote:
> >
> >
> > - Original Message -
> >> On 12/08/2014 12:51 PM, Bastien Nocera wrote:
> > 
> >> This is wrong and you know about that - the firewalld folks have been
> >> urged to use this zone for the Workstation product - it was a
> >> Workstation team decision.
> >
> > What?! We discussed it, and it was deemed acceptable by you, and mitr.
> > We went back and forth on this, and you agreed that it was a good
> > cost/benefit decision.
> >
> We could choose between removing firewalld and accepting this zone ...

Which you could have refused if you felt that it was an unacceptable compromise.
Which you didn't do. Are you still going to argue that this wasn't _vouched_ for
by you and the other firewall stakeholders?

Re: "Tick-tock" release cadence?

2014-12-08 Thread Adam Jackson
On Thu, 2014-12-04 at 20:01 +0100, Reindl Harald wrote:
> Am 04.12.2014 um 19:57 schrieb Adam Jackson:
> > I think it's a bit misguided to even think of these things as related.
> > "Polish" in an end-user-visible sense is itself a list of tasks and
> > criteria that require dedicated attention, preferably from someone with
> > the breadth of experience and lack of fear to be able to dive into
> > whatever needs fixing.  It's not a coat of paint you let cure for six
> > months, it's a process
> 
> history and repeatedly closed bugs showing that this "process" don't work 
> very well and one reason is for sure that many contributors are 
> overloaded with doing that "polish" and keep track with prepare the next 
> release *and* rawhide at the same time

That it has not worked well does not imply that it can not work.  More
likely it implies that we've simply _done a bad job_.

You'll note I also suggested dedicated resources for the task, which is
precisely not single contributors being overloaded.

- ajax


[perl-smartmatch/f21] 0.05-TRIAL

2014-12-08 Thread Petr Pisar
commit 4c2b55a59d34410fa3e528d1b8bd8da5be16
Author: Petr Písař 
Date:   Mon Dec 8 15:41:35 2014 +0100

0.05-TRIAL

 .gitignore   |1 +
 perl-smartmatch.spec |   17 +++--
 sources  |2 +-
 3 files changed, 13 insertions(+), 7 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 70cf8b2..d2a1489 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /smartmatch-0.03-TRIAL.tar.gz
 /smartmatch-0.04-TRIAL.tar.gz
+/smartmatch-0.05-TRIAL.tar.gz
diff --git a/perl-smartmatch.spec b/perl-smartmatch.spec
index 51367d9..8efcb62 100644
--- a/perl-smartmatch.spec
+++ b/perl-smartmatch.spec
@@ -1,12 +1,13 @@
 # This file is licensed under the terms of GNU GPLv2+
 Name:   perl-smartmatch
-Version:0.04
-Release:8%{?dist}
+Version:0.05
+Release:1%{?dist}
 Summary:Pluggable smart matching back-ends
 License:GPL+ or Artistic
 Group:  Development/Libraries
 URL:http://search.cpan.org/dist/smartmatch/
 Source0:
http://search.cpan.org/CPAN/authors/id/D/DO/DOY/smartmatch-%{version}-TRIAL.tar.gz
+BuildRequires:  perl
 BuildRequires:  perl(B::Hooks::OP::Check) >= 0.14
 BuildRequires:  perl(ExtUtils::Depends)
 BuildRequires:  perl(ExtUtils::MakeMaker)
@@ -19,10 +20,12 @@ BuildRequires:  perl(parent)
 BuildRequires:  perl(File::Find)
 BuildRequires:  perl(File::Temp)
 BuildRequires:  perl(List::MoreUtils)
+BuildRequires:  perl(overload)
+BuildRequires:  perl(Scalar::Util)
 BuildRequires:  perl(Test::More) >= 0.88
 # Optional tests:
 BuildRequires:  perl(Test::Script) >= 1.05
-Requires:   perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo 
$version))
+Requires:   perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
 
 %{?perl_default_filter}
 
@@ -40,14 +43,13 @@ result.
 %setup -q -n smartmatch-%{version}
 
 %build
-%{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="$RPM_OPT_FLAGS"
+perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="$RPM_OPT_FLAGS"
 make %{?_smp_mflags}
 
 %install
-make pure_install PERL_INSTALL_ROOT=$RPM_BUILD_ROOT
+make pure_install DESTDIR=$RPM_BUILD_ROOT
 find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} \;
 find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -exec rm -f {} \;
-find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null \;
 %{_fixperms} $RPM_BUILD_ROOT/*
 
 %check
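Review bot: the removed "find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null \;" line was the only empty-directory cleanup in %install and nothing replaces it. Confirm that "make pure_install DESTDIR=$RPM_BUILD_ROOT" leaves no empty directories behind to be packaged, and quote "$RPM_BUILD_ROOT" on the new make line while it is being touched.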
@@ -60,6 +62,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Mon Dec 08 2014 Petr Pisar  - 0.05-1
+- 0.05-TRIAL bump
+
 * Sun Aug 17 2014 Fedora Release Engineering  
- 0.04-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
 
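Review bot: the new %changelog entry records only "0.05-TRIAL bump", but the same commit adds three BuildRequires, replaces %{__perl} with perl, switches PERL_INSTALL_ROOT to DESTDIR and drops the rmdir cleanup. Add a changelog line for the packaging changes so the history explains them.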
diff --git a/sources b/sources
index 9f361de..065bf30 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-6bd4e36a4d773d84a253e4aa4c3b8492  smartmatch-0.04-TRIAL.tar.gz
+60b1de3e53363ec17c726708c69cadd7  smartmatch-0.05-TRIAL.tar.gz
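Review bot: the replacement line pins smartmatch-0.05-TRIAL.tar.gz with a 32-hex-digit digest, which is MD5 length, and MD5 is not collision resistant. Check the tarball against a stronger digest or an upstream signature before upload and record that check in the commit message.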
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-de...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel

Re: Review swap -- Budgie Desktop

2014-12-08 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Dec 08, 2014 at 09:08:09AM -0500, Bastien Nocera wrote:
> It's a sub-module because it's not a library.
I know it does not have a stable api. But could it be compiled
as a library?

Zbyszek
 
> It won't be a library in the short-term either.

File JSON-MaybeXS-1.003003.tar.gz uploaded to lookaside cache by pghmcfc

2014-12-08 Thread Paul Howarth
A file has been added to the lookaside cache for perl-JSON-MaybeXS:

2780e19be87f56078f990a16361ed51b  JSON-MaybeXS-1.003003.tar.gz

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Thomas Woerner

On 12/08/2014 03:45 PM, Bastien Nocera wrote:
>
> - Original Message -
>> On 12/08/2014 03:12 PM, Bastien Nocera wrote:
>>>
>>> - Original Message -
>>>> On 12/08/2014 12:51 PM, Bastien Nocera wrote:
>>>> This is wrong and you know about that - the firewalld folks have been
>>>> urged to use this zone for the Workstation product - it was a
>>>> Workstation team decision.
>>>
>>> What?! We discussed it, and it was deemed acceptable by you, and mitr.
>>> We went back and forth on this, and you agreed that it was a good
>>> cost/benefit decision.
>>>
>> We could choose between removing firewalld and accepting this zone ...
>
> Which you could have refused if you felt that it was an unacceptable compromise.
> Which you didn't do. Are you still going to argue that this wasn't _vouched_ for
> by you and the other firewall stakeholders?

Yes, exactly in the same way as I could say "no" to the removal of all
firewall UI tools ...


Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald



Am 08.12.2014 um 15:45 schrieb Bastien Nocera:
>>>> On 12/08/2014 12:51 PM, Bastien Nocera wrote:
>>>> This is wrong and you know about that - the firewalld folks have been
>>>> urged to use this zone for the Workstation product - it was a
>>>> Workstation team decision.
>>>
>>> What?! We discussed it, and it was deemed acceptable by you, and mitr.
>>> We went back and forth on this, and you agreed that it was a good
>>> cost/benefit decision.
>>>
>> We could choose between removing firewalld and accepting this zone ...
>
> Which you could have refused if you felt that it was an unacceptable compromise.
> Which you didn't do. Are you still going to argue that this wasn't _vouched_ for
> by you and the other firewall stakeholders?

Google translates "vouched" to "verbürgt"
suck something is not guarantee for it

being forced to accept something or get the firewall completely dropped
in the product is the opposite of an open discussion

to be honest the way you argue in this thread "it's the applications
fault if it listens to a port and not ours that we make the OS wide
open" don't let you appear as somebody who is open for a security
discussion killed always with "but then some things don't work magically
and we want that for user experience" so you hardly would follow
advices from security experts no matter what they say





Are both the audio and jackuser groups necessary?

2014-12-08 Thread Jonathan Underwood
Hi,

A perhaps naive question, but is it really necessary to have both the
"audio" and "jackuser" groups? Could these not be consolidated moving
forward?

Cheers,
Jonathan.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> On 12/08/2014 03:45 PM, Bastien Nocera wrote:
> >
> >
> > - Original Message -
> >> On 12/08/2014 03:12 PM, Bastien Nocera wrote:
> >>>
> >>>
> >>> - Original Message -
> >>>> On 12/08/2014 12:51 PM, Bastien Nocera wrote:
> >>> 
> >>>> This is wrong and you know about that - the firewalld folks have been
> >>>> urged to use this zone for the Workstation product - it was a
> >>>> Workstation team decision.
> >>>
> >>> What?! We discussed it, and it was deemed acceptable by you, and mitr.
> >>> We went back and forth on this, and you agreed that it was a good
> >>> cost/benefit decision.
> >>>
> >> We could choose between removing firewalld and accepting this zone ...
> >
> > Which you could have refused if you felt that it was an unacceptable
> > compromise.
> > Which you didn't do. Are you still going to argue that this wasn't
> > _vouched_ for
> > by you and the other firewall stakeholders?
> >
> 
> Yes, exactly in the same way as I could say "no" to the removal of all
> firewall UI tools ...

It's not in the default installation because it's not needed. It wouldn't have
been needed either for any of the other possible options.

Also, the "we had a choice between removing firewalld or accepting this zone" is
completely untrue. Fesco had refused the removal of the firewall in the past,
and I don't think that it would have been accepted this time either. So modifying
the default firewall, or modifying the firewall interaction was necessary.

Given that the firewall doesn't protect any data in the session whether with the
workstation zone, or with a fully blocking one (apart from one that disallows any
networking, obviously), then I don't see what the problem is here.

The firewall in the session didn't improve security, it slightly improved privacy though,
which is something that we've looked into, and implemented a new sharing framework
to avoid sharing services being launched in networks where it wasn't intended. We also
changed the default avahi configuration to not leak information about the machine.

The net result is that the only services running on a default Workstation installation will
be as a consequence of users turning them on. No information about the user is leaked unless
they choose to share it by sharing data.

Having a good default also means that we avoid the turning off of the firewall as a big
hammer, just as we protect users better by enabling an SELinux with configurations that work
by default, and why it's a problem when SELinux gets in the way of user wanting things to work.

See also:
http://www.superlectures.com/guadec2013/more-secure-with-less-security

Consider this my closing note on this subject.

Cheers

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera
You're completely right, I won't follow security experts' ideas on UI, just as
I won't follow a UX designer's ideas on security.

I was happy to act as the go between to fix a long-standing problem, only to be
told 6 months later that they accepted the change because we gave them a choice
that was never even put on the table.

The only possible effect of that is that we won't ask "security experts" again.
At least those ones.

- Original Message -
> 
> 
> Am 08.12.2014 um 15:45 schrieb Bastien Nocera:
> >>>> On 12/08/2014 12:51 PM, Bastien Nocera wrote:
> >>> 
> >>>> This is wrong and you know about that - the firewalld folks have been
> >>>> urged to use this zone for the Workstation product - it was a
> >>>> Workstation team decision.
> >>>
> >>> What?! We discussed it, and it was deemed acceptable by you, and mitr.
> >>> We went back and forth on this, and you agreed that it was a good
> >>> cost/benefit decision.
> >>>
> >> We could choose between removing firewalld and accepting this zone ...
> >
> > Which you could have refused if you felt that it was an unacceptable
> > compromise.
> > Which you didn't do. Are you still going to argue that this wasn't
> > _vouched_ for
> > by you and the other firewall stakeholders?
> 
> Google translates "vouched" to "verbürgt"
> suck something is not guarantee for it
> 
> being forced to accept something or get the firewall completely dropped
> in the product is the opposite of an open discussion
> 
> to be honest the way you argue in this thread "it's the applications
> fault if it listens to a port and not ours that we make the OS wide
> open" don't let you appear as somebody who is open for a security
> discussion killed always with "but then some things don't work magically
> and we want that for user experience" so you hardly would follow
> advices from security experts no matter what they say
> 
> 

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Bastien Nocera wrote:
> This was discussed, and implemented in the open, and I sent the details of
> the feature, and how it would be implemented to the fedora desktop list,
> as is customary for Workstation features.

That's the problem, you discuss everything in your private playground where 
you're only preaching to the choir.

> Next time, don't be 6 months late if you're going to be flippant.

If this had been discussed on this list, as it is supposed to, the 
objections would have come in much earlier.

Kevin Kofler


Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthew Miller
On Mon, Dec 08, 2014 at 02:31:58PM +, Ian Malone wrote:
> There are three products: workstation, server, cloud. Workstation is
> the one for desktop use. That leaves server to aim for the traditional
> fedora user base, since cloud is (understandably) a very different
> thing. So if you want a desktop system with a security focus where do
> you look now?

So, it's important to understand — here on the devel list, certainly —
that these three are part of a marketing strategy, and in order for
such a thing to be effective and not just fluffy talk, it does involve
technical changes to match the plan.

Right now, "desktop system with a security focus for new users" isn't a
key part of that effort. I certainly don't dispute that user security
and education are good goals, and I don't think anyone on the
workstation team does either — it's just a matter of the steps we take
to get there.

So, if you're not in the target of that focus, where do you look? Well,
you can certainly pick one of our other desktop spins, which have
different firewall defaults. Currently, all the generic one, but I'd
like to move to a model where spins have more freedom here too. We even
have a proposal for a new spin focused on privacy and security — the
Netizen Spin. (If you're interested, I think that could use additional
contributors.)

Or, you can do what I do: start with Fedora Workstation and then
configure it in a way that makes sense for my needs, or if you're
deploying for users into a managed environment, use the tools the OS
provides to preconfigure the system for whatever makes sense there.



-- 
Matthew Miller

Fedora Project Leader

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald
if your discussions led to the decisions also used the quoting style
like in that thread only contain "myself said" i guess what went wrong
in the first place

i am still unsure if that's

* intentional to mask communication
* just a bad usage of your mail-client

in any case it's not the default behavior if somebody presses "reply"

Am 08.12.2014 um 16:23 schrieb Bastien Nocera:
>
> - Original Message -
>> On 12/08/2014 03:45 PM, Bastien Nocera wrote:
>>>
>>> - Original Message -
>>>> On 12/08/2014 03:12 PM, Bastien Nocera wrote:
>>>>>
>>>>> - Original Message -
>>>>>> On 12/08/2014 12:51 PM, Bastien Nocera wrote:
>>>>>> This is wrong and you know about that - the firewalld folks have been
>>>>>> urged to use this zone for the Workstation product - it was a
>>>>>> Workstation team decision.
>>>>>
>>>>> What?! We discussed it, and it was deemed acceptable by you, and mitr.
>>>>> We went back and forth on this, and you agreed that it was a good
>>>>> cost/benefit decision.
>>>>>
>>>> We could choose between removing firewalld and accepting this zone ...
>>>
>>> Which you could have refused if you felt that it was an unacceptable
>>> compromise.
>>> Which you didn't do. Are you still going to argue that this wasn't
>>> _vouched_ for
>>> by you and the other firewall stakeholders?
>>>
>>
>> Yes, exactly in the same way as I could say "no" to the removal of all
>> firewall UI tools ...
>
> It's not in the default installation because it's not needed. It wouldn't have
> been needed either for any of the other possible options.
>
> Also, the "we had a choice between removing firewalld or accepting this zone" is
> completely untrue. Fesco had refused the removal of the firewall in the past,
> and I don't think that it would have been accepted this time either. So modifying
> the default firewall, or modifying the firewall interaction was necessary.
>
> Given that the firewall doesn't protect any data in the session whether with the
> workstation zone, or with a fully blocking one (apart from one that disallows any
> networking, obviously), then I don't see what the problem is here.
>
> The firewall in the session didn't improve security, it slightly improved privacy though,
> which is something that we've looked into, and implemented a new sharing framework
> to avoid sharing services being launched in networks where it wasn't intended. We also
> changed the default avahi configuration to not leak information about the machine.
>
> The net result is that the only services running on a default Workstation installation will
> be as a consequence of users turning them on. No information about the user is leaked unless
> they choose to share it by sharing data.
>
> Having a good default also means that we avoid the turning off of the firewall as a big
> hammer, just as we protect users better by enabling an SELinux with configurations that work
> by default, and why it's a problem when SELinux gets in the way of user wanting things to work.
>
> See also:
> http://www.superlectures.com/guadec2013/more-secure-with-less-security
> Consider this my closing note on this subject.





Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Bastien Nocera wrote:
> Yeah, that's so useful. "Oh, you clicked it, it's your fault". That's not
> the type of OS I want to help implement, sorry.

So you rather implement the type of OS that just always assumes "Yes" 
without even asking? Because that's what the current "firewall" rules do 
(between quotes because it can hardly be called a firewall in that state). 
How's that more secure than asking?

> How can users make their own decisions and be responsible for their own
> decisions when they don't know about firewall ports? Or firewalls? Or
> TCP/IP? You're starting with the wrong preconceptions.

The users who don't know about firewall ports will not need to open them up 
at all. Developers running a development server (the use case given as a 
justification for the change in the release notes) surely know what a port 
is!

Kevin Kofler


Re: non-responsive maintainer - vda - Denys Vlasenko - dvlas...@redhat.com

2014-12-08 Thread Orion Poplawski
On 12/08/2014 06:20 AM, Denys Vlasenko wrote:
> On 12/05/2014 05:43 PM, Orion Poplawski wrote:
>> Starting the non-responsive maintainer process for  vda - Denys Vlasenko -
>> dvlas...@redhat.com  as he appears to have completely abandoned busybox.
>> Anyone know him or how to contact?
> 
> Hi. I'm here.
> How can I help you?
> 

Are you still interested in maintaining busybox?  There are a number of
outstanding issues:

https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&component=busybox&list_id=3072742&product=Fedora&query_format=advanced

including a CVE and new versions being available.

-- 
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera

- Original Message -
> if your discussions led to the decisions also used the quoting style
> like in that thread only contain "myself said" i guess what went wrong
> in the first place
> 
> i am still unsure if that's
> 
> * intentional to mask communication
> * just a bad usage of your mail-client
> 
> in any case it's not the default behavior if somebody presses "reply"

It's the default behaviour in the Zimbra web interface, which I use
because I don't like getting trolled at week-ends.

> Am 08.12.2014 um 16:23 schrieb Bastien Nocera:
> >
> >
> > - Original Message -
> >> On 12/08/2014 03:45 PM, Bastien Nocera wrote:
> >>>
> >>>
> >>> - Original Message -
> >>>> On 12/08/2014 03:12 PM, Bastien Nocera wrote:
> >>>>>
> >>>>>
> >>>>> - Original Message -
> >>>>>> On 12/08/2014 12:51 PM, Bastien Nocera wrote:
> >>>>> 
> >>>>>> This is wrong and you know about that - the firewalld folks have been
> >>>>>> urged to use this zone for the Workstation product - it was a
> >>>>>> Workstation team decision.
> >>>>>
> >>>>> What?! We discussed it, and it was deemed acceptable by you, and mitr.
> >>>>> We went back and forth on this, and you agreed that it was a good
> >>>>> cost/benefit decision.
> >>>>>
> >>>> We could choose between removing firewalld and accepting this zone ...
> >>>
> >>> Which you could have refused if you felt that it was an unacceptable
> >>> compromise.
> >>> Which you didn't do. Are you still going to argue that this wasn't
> >>> _vouched_ for
> >>> by you and the other firewall stakeholders?
> >>>
> >>
> >> Yes, exactly in the same way as I could say "no" to the removal of all
> >> firewall UI tools ...
> >
> > It's not in the default installation because it's not needed. It wouldn't
> > have
> > been needed either for any of the other possible options.
> >
> > Also, the "we had a choice between removing firewalld or accepting this
> > zone" is
> > completely untrue. Fesco had refused the removal of the firewall in the
> > past,
> > and I don't think that it would have been accepted this time either. So
> > modifying
> > the default firewall, or modifying the firewall interaction was necessary.
> >
> > Given that the firewall doesn't protect any data in the session whether
> > with the
> > workstation zone, or with a fully blocking one (apart from one that
> > disallows any
> > networking, obviously), then I don't see what the problem is here.
> >
> > The firewall in the session didn't improve security, it slightly improved
> > privacy though,
> > which is something that we've looked into, and implemented a new sharing
> > framework
> > to avoid sharing services being launched in networks where it wasn't
> > intended. We also
> > changed the default avahi configuration to not leak information about the
> > machine.
> >
> > The net result is that the only services running on a default Workstation
> > installation will
> > be as a consequence of users turning them on. No information about the user
> > is leaked unless
> > they choose to share it by sharing data.
> >
> > Having a good default also means that we avoid the turning off of the
> > firewall as a big
> > hammer, just as we protect users better by enabling an SELinux with
> > configurations that work
> > by default, and why it's a problem when SELinux gets in the way of user
> > wanting things to work.
> >
> > See also:
> > http://www.superlectures.com/guadec2013/more-secure-with-less-security
> > Consider this my closing note on this subject.
> 
> 

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> On Mon, Dec 08, 2014 at 02:31:58PM +, Ian Malone wrote:
> > There are three products: workstation, server, cloud. Workstation is
> > the one for desktop use. That leaves server to aim for the traditional
> > fedora user base, since cloud is (understandably) a very different
> > thing. So if you want a desktop system with a security focus where do
> > you look now?
> 
> So, it's important to understand — here on the devel list, certainly —
> that these three are part of a marketing strategy, and in order for
> such a thing to be effective and not just fluffy talk, it does involve
> technical changes to match the plan.
> 
> Right now, "desktop system with a security focus for new users" isn't a
> key part of that effort. I certainly don't dispute that user security
> and education are good goals, and I don't think anyone on the
> workstation team does either — it's just a matter of the steps we take
> to get there.
> 
> So, if you're not in the target of that focus, where do you look? Well,
> you can certainly pick one of our other desktop spins, which have
> different firewall defaults. Currently, all the generic one, but I'd
> like to move to a model where spins have more freedom here too. We even
> have a proposal for a new spin focused on privacy and security — the
> Netizen Spin. (If you're interested, I think that could use additional
> contributors.)
> 
> Or, you can do what I do: start with Fedora Workstation and then
> configure it in a way that makes sense for my needs, or if you're
> deploying for users into a managed environment, use the tools the OS
> provides to preconfigure the system for whatever makes sense there.

Make sure to note that I'm convinced that the new firewall settings in
Fedora Workstation 21 are more secure than what was available in Fedora 20's
default settings.

If Reindl, Kevin or Tomas want to disagree with that, I'll give you a little
exercise:
Having just installed and updated my Fedora 20, I want to share a video in my
home directory using UPnP/DLNA to my TV, using rygel for example. Document the
steps necessary to achieve that.

Cheers

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Bastien Nocera wrote:
> You're free to select another firewall zone.

How, when you don't even install the firewall configuration tool by default?

Kevin Kofler


Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> Bastien Nocera wrote:
> > You're free to select another firewall zone.
> 
> How, when you don't even install the firewall configuration tool by default?

Settings -> Network, select your network -> Identity -> Firewall zone

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Kevin Kofler
Bastien Nocera wrote:
> Security is about compromises. The net result of the old firewall settings
> was people disabling the firewall.

And the net result of the new firewall settings is you disabling the 
firewall for them, and also for all those people out there (like me) who 
were NOT disabling the firewall. (Thankfully, I'm not using the GNOME 
Workstation, nor firewalld (but the old iptables.service), so I won't get 
this "improvement".)

> The new firewall settings were vouched for by the firewalld folks, and
> provide good defaults for most users.

The new firewall settings essentially amount to disabling the firewall.

The only ports they protect are those controlled by root anyway, and there 
is nothing listening on those ports by default (except SSH, which your 
firewall rules also let through, but that was already the case before).

Kevin Kofler


Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


Am 08.12.2014 um 16:49 schrieb Bastien Nocera:
> Make sure to note that I'm convinced that the new firewall settings in
> Fedora Workstation 21 are more secure than what was available in Fedora 20's
> default settings.
>
> If Reindl, Kevin or Tomas want to disagree with that, I'll give you a little
> exercise:
> Having just installed and updated my Fedora 20, I want to share a video in my
> home directory using UPnP/DLNA to my TV, using rygel for example. Document the
> steps necessary to achieve that

then solve the problem that we don't have a firewall like personal
firewalls on windows decades ago which can react on events and *ask* the
user instead bury your head in the sand and open all ports

that were times where windows did not have any firewall enabled

now windows has *and* can ask after MS realized that it is a terrible
idea to come with an enduser OS without - frankly i feel somebody smile
in Redmond when previously secure operating systems give that up not
learning from the past

such events could be "hmm the machine is listening on a previous unknown
port" - it does not exist - so what - invent a solution or accept until
it exists that there is not much you can do *but* do not turn up all
shields because a "oh i want to share a video and not know anything
about a computer"

__

[root@srv-rhsoft:~]$ netstat -l | grep mediatomb
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      5222/mediatomb
udp        0      0 127.0.0.1:56066         0.0.0.0:*                           5222/mediatomb
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           5222/mediatomb

[root@srv-rhsoft:~]$ firewall_status | grep 1900
 3469 1154K ACCEPT     udp  --  br0    *       192.168.2.0/24       0.0.0.0/0            multiport dports 1900
    0     0 ACCEPT     udp  --  br0    *       10.0.0.0/24          0.0.0.0/0            multiport dports 1900

[root@srv-rhsoft:~]$ firewall_status | grep 8080
  190 11400 ACCEPT     tcp  --  br0    *       192.168.2.0/24       0.0.0.0/0            multiport dports 8080 ctstate NEW tcp flags:0x17/0x02
    0     0 ACCEPT     tcp  --  br0    *       10.0.0.0/24          0.0.0.0/0            multiport dports 8080 ctstate NEW tcp flags:0x17/0x02
    0     0 ACCEPT     tcp  --  br1    eth1    192.168.10.0/24      0.0.0.0/0            multiport dports 53,80,443,8080,8443 ctstate NEW





-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
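
Added example, not part of any message in this thread and not firewalld code: the two messages above contrast a zone that leaves all higher ports open with per-port ACCEPT rules scoped to source subnets, and this Python script computes which listening sockets each rule set leaves reachable from a given client address. The Rule model, the names HIGH_PORTS_OPEN and SCOPED, the 1024-65535 range, the SSH rule and the sample listing are assumptions constructed for illustration.

```python
"""Which listening sockets does a set of firewall accept rules leave reachable?"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in `netstat -tuln` layout. Ports 8080/tcp, 1900/udp and the
# loopback UDP socket mirror the mediatomb listing quoted above; the rest is made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
udp        0      0 127.0.0.1:56066         0.0.0.0:*
udp        0      0 0.0.0.0:1900            0.0.0.0:*
"""

# proto, Recv-Q, Send-Q, local address, foreign address, optional state
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+(\S+))?")


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int

    @property
    def loopback(self):
        """True when the socket is bound to a loopback address only."""
        try:
            return ipaddress.ip_address(self.host.split("%")[0]).is_loopback
        except ValueError:
            return False  # "*" or unparsable: assume reachable, the safe direction


@dataclass(frozen=True)
class Rule:
    """One ACCEPT rule: protocol, inclusive port range, permitted source CIDR."""
    proto: str
    low: int
    high: int
    source: str = "0.0.0.0/0"


def parse_listeners(text):
    """Extract listening TCP sockets and bound UDP sockets from netstat output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        host, _, port = local.rpartition(":")
        if port.isdigit():
            found.append(Listener(proto, host.strip("[]"), int(port)))
    return found


def reachable(listeners, rules, src):
    """Return sorted (proto, port) pairs a client at `src` can connect to."""
    src_ip = ipaddress.ip_address(src)
    hits = set()
    for sock in listeners:
        if sock.loopback:
            continue  # not reachable from the network whatever the firewall says
        for rule in rules:
            if (rule.proto == sock.proto and rule.low <= sock.port <= rule.high
                    and src_ip in ipaddress.ip_network(rule.source)):
                hits.add((sock.proto, sock.port))
    return sorted(hits)


# Assumption: "all higher ports open" is modelled as SSH plus the unprivileged
# range 1024-65535; the actual zone file is not reproduced in the thread.
HIGH_PORTS_OPEN = [Rule("tcp", 22, 22), Rule("tcp", 1024, 65535),
                   Rule("udp", 1024, 65535)]

# Modelled on the per-port, per-subnet ACCEPT rules quoted above (SSH rule added).
SCOPED = [Rule("tcp", 22, 22), Rule("tcp", 8080, 8080, "192.168.2.0/24"),
          Rule("udp", 1900, 1900, "192.168.2.0/24")]

if __name__ == "__main__":
    socks = parse_listeners(SAMPLE_NETSTAT)
    for label, rules in (("high ports open", HIGH_PORTS_OPEN), ("scoped", SCOPED)):
        for src in ("192.168.2.10", "203.0.113.7"):  # constructed client addresses
            print(f"{label:16} from {src:13}: {reachable(socks, rules, src)}")
```

To audit a real host, pass the output of `netstat -tuln` to parse_listeners() and replace the rule lists with the rules actually loaded.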

Re: Review swap -- Budgie Desktop

2014-12-08 Thread Bastien Nocera


- Original Message -
> On Mon, Dec 08, 2014 at 09:08:09AM -0500, Bastien Nocera wrote:
> > It's a sub-module because it's not a library.
> I know it does not have a stable api. But could it be compiled
> as a library?

It could be, as long as it's not installed in a system-wide location.
My point was that you don't need any exceptions to include the
gnome-volume-control library in your package.

It's copy/pasted in the control-center package (that's the original code),
in gnome-settings-daemon and in gnome-shell.

Re: Review swap -- Budgie Desktop

2014-12-08 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Dec 08, 2014 at 11:01:50AM -0500, Bastien Nocera wrote:
> 
> 
> - Original Message -
> > On Mon, Dec 08, 2014 at 09:08:09AM -0500, Bastien Nocera wrote:
> > > It's a sub-module because it's not a library.
> > I know it does not have a stable api. But could it be compiled
> > as a library?
> 
> It could be, as long as it's not installed in a system-wide location.
> My point was that you don't need any exceptions to include the
> gnome-volume-control library in your package.
According to 
http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Exceptions,
"Exceptions are granted on a case-by-case basis by FPC.  You can look
in the following section for help on making a case for why an
exception should be granted. You should open up a ticket in the FPC's
trac with information asked for below. " and below is a section called
"Some reasons you might be granted an exception" with a "Copylibs"
subheading. So unless I'm confusing something, an FPC stamp is still
needed.

> It's copy/pasted in the control-center package (that's the original code),
> in gnome-settings-daemon and in gnome-shell.

Zbyszek

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


Am 08.12.2014 um 16:55 schrieb Bastien Nocera:
>>> You're free to select another firewall zone.
>>
>> How, when you don't even install the firewall configuration tool by default?
>
> Settings -> Network, select your network -> Identity -> Firewall zone

that's possible with one click?

fine, then the only right decision would have been ship *that* as
default and say "You're free to select another firewall zone" exactly
that way BUT NOT ship dangerous and unsecure defaults

there is no but and if

nobody of your user audience will lock down his machine manually when
all seems to work and a user which is not able to manually switch to a
more unsecure mode (by read 5 seconds docs or Google) better stays with
shields up - better be safe than sorry

hopefully i die before the userbase growing up with that direction of
wrong defaults is in the position to make decisions and technical
implementations!





Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> Bastien Nocera wrote:
> > Security is about compromises. The net result of the old firewall settings
> > was people disabling the firewall.
> 
> And the net result of the new firewall settings is you disabling the
> firewall for them,

It's not disabled.

> and also for all those people out there (like me) who
> were NOT disabling the firewall. (Thankfully, I'm not using the GNOME
> Workstation, nor firewalld (but the old iptables.service), so I won't get
> this "improvement".)

So why are you complaining exactly?

> > The new firewall settings were vouched for by the firewalld folks, and
> > provide good defaults for most users.
> 
> The new firewall settings essentially amount to disabling the firewall.

It doesn't.

> The only ports they protect are those controlled by root anyway, and there
> is nothing listening on those ports by default (except SSH, which your
> firewall rules also let through, but that was already the case before).

There's a few more items that will be opened I'm afraid. And one of the reasons
why we block root ports is to avoid regressions like rpcbind listening
by default, which was due to a bug in packaging. So what you call "no firewall"
would actually have prevented the potential security hole.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Matthias Clasen
On Mon, 2014-12-08 at 17:08 +0100, Reindl Harald wrote:
> On 08.12.2014 at 16:55, Bastien Nocera wrote:
> >>> You're free to select another firewall zone.
> >>
> >> How, when you don't even install the firewall configuration tool by 
> >> default?
> >
> > Settings -> Network, select your network -> Identity -> Firewall zone
> 
> that's possible with one click?
> 
> fine, then the only right decision would have been ship *that* as 
> default and say "You're free to select another firewall zone" exactly 
> that way BUT NOT ship dangerous and unsecure defaults
> 
> there is no but and if
> 
> nobody of your user audience will lock down his machine manually when 
> all seems to work and a user which is not able to manually switch to a 
> more unsecure mode (by read 5 seconds docs or Google) better stays with 
> shields up - better be safe than sorry
> 
> hopefully i die before the userbase growing up with that direction of 
> wrong defaults is in the position to make decisions and technical 
> implementations!

It is clear by now that you don't agree with the decision the
workstation WG has taken on this topic. I don't think rehashing the same
arguments over and over will lead to any new insights. In particular
with 'I hope I die' style rhetoric.






Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 17:10, Bastien Nocera wrote:
>>> Security is about compromises. The net result of the old firewall settings
>>> was people disabling the firewall.
>>
>> And the net result of the new firewall settings is you disabling the
>> firewall for them,
>
> It's not disabled

it is practically

the only port unprivileged code can listen on is > 1024, you opened that

>> The new firewall settings essentially amount to disabling the firewall.
>
> It doesn't

it does

the only port unprivileged code can listen on is > 1024, you opened that

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 17:10, Bastien Nocera wrote:
> There's a few more items that will be opened I'm afraid. And one of the reasons
> why we block root ports is to avoid regressions like rpcbind listening
> by default, which was due to a bug in packaging. So what you call "no firewall"
> would actually have prevented the potential security hole

* go and read /etc/services above 1024
* the days that system service listening < 1024 are gone
* you can't guarantee that a similar packaging bug happens
  in context of a service assigned by IANA to a high port
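
Added example, not part of any message in this thread: the exchange above turns on which listening sockets a zone with all high ports open still filters. This Python script sorts `ss -H -tuln` output into exposed, filtered and local-only listeners; the 1025 floor, the SSH-only exception and the sample listeners are assumptions constructed for illustration.

```python
"""Classify listening sockets under a firewall zone that opens all high ports.

Assumptions (not taken from any message in the thread): the zone accepts
inbound TCP and UDP to every port above 1024 plus SSH, and the input is
the output of `ss -H -tuln`.
"""
import ipaddress
import sys

HIGH_PORT_FLOOR = 1025             # assumed: zone opens 1025-65535
ALLOWED_LOW_PORTS = {("tcp", 22)}  # assumed: SSH is the only low port let through

# Constructed sample of `ss -H -tuln` output, not captured from a real host.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      10           0.0.0.0:51413      0.0.0.0:*
tcp   LISTEN 0      128             [::]:8000          [::]:*
tcp   LISTEN 0      5              [::1]:631           [::]:*
tcp   LISTEN 0      128  192.168.1.20%wlan0:9090    0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (proto, address, port) for each socket line of `ss -tuln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line, blank line or another socket family
        host, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        # Drop an interface suffix ("%wlan0") and IPv6 brackets.
        host = host.split("%", 1)[0].strip("[]")
        yield fields[0], host, int(port)


def is_loopback(host):
    """True only for addresses that other hosts cannot reach at all."""
    if host in ("*", ""):
        return False  # wildcard bind: every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparsable address: assume it is reachable


def classify(proto, host, port):
    """Return 'local-only', 'exposed' or 'filtered' for one listener."""
    if is_loopback(host):
        return "local-only"   # bound to loopback, the zone is irrelevant
    if port >= HIGH_PORT_FLOOR or (proto, port) in ALLOWED_LOW_PORTS:
        return "exposed"      # the zone accepts inbound traffic to it
    return "filtered"         # low port with no allowed service: dropped


def audit(ss_output):
    """Group every listener in the ss output by its verdict."""
    report = {"exposed": [], "filtered": [], "local-only": []}
    for proto, host, port in parse_listeners(ss_output):
        report[classify(proto, host, port)].append((proto, host, port))
    return report


if __name__ == "__main__":
    # Pipe real data in (ss -H -tuln | python3 this_file.py) or run on the sample.
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    report = audit(text)
    for verdict in ("exposed", "filtered", "local-only"):
        print(f"{verdict}:")
        for proto, host, port in report[verdict]:
            print(f"  {proto:<4}{host}:{port}")
```

On the constructed sample, a stray rpcbind on port 111 lands in "filtered", while every non-loopback listener above 1024 lands in "exposed".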

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> 
> On 08.12.2014 at 17:10, Bastien Nocera wrote:
> >>> Security is about compromises. The net result of the old firewall
> >>> settings
> >>> was people disabling the firewall.
> >>
> >> And the net result of the new firewall settings is you disabling the
> >> firewall for them,
> >
> > It's not disabled
> 
> it is practically
> 
> the only port unprivileged code can listen on is > 1024, you opened that
> 
> >> The new firewall settings essentially amount to disabling the firewall.
> >
> > It doesn't
> 
> it does
> 
> the only port unprivileged code can listen on is > 1024, you opened that

And you're not interested in protecting any of the services running as root?

"There's a packaging bug for you, just put rpcbind on that unencrypted Wi-Fi 
please"

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Bastien Nocera


- Original Message -
> 
> On 08.12.2014 at 17:10, Bastien Nocera wrote:
> > There's a few more items that will be opened I'm afraid. And one of the
> > reasons
> > why we block root ports is to avoid regressions like rpcbind listening
> > by default, which was due to a bug in packaging. So what you call "no
> > firewall"
> > would actually have prevented the potential security hole
> 
> * go and read /etc/services above 1024
> * the days that system service listening < 1024 are gone
> * you can't guarantee that a similar packaging bug happens
>   in context of a service assigned by IANA to a high port

There's plenty of pre-existing services under 1024, and there's
more likely to be bugs in those "old" services.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 17:17, Bastien Nocera wrote:
>> On 08.12.2014 at 17:10, Bastien Nocera wrote:
>>>>> Security is about compromises. The net result of the old firewall
>>>>> settings
>>>>> was people disabling the firewall.
>>>>
>>>> And the net result of the new firewall settings is you disabling the
>>>> firewall for them,
>>>
>>> It's not disabled
>>
>> it is practically
>>
>> the only port unprivileged code can listen on is > 1024, you opened that
>>
>>>> The new firewall settings essentially amount to disabling the firewall.
>>>
>>> It doesn't
>>
>> it does
>>
>> the only port unprivileged code can listen on is > 1024, you opened that
>
> And you're not interested in protecting any of the services running as root?

noah stop that polemic

i know /etc/services and hence i am interested in protecting *any port*

period - end of discussion - we will never agree and thankfully i gave
up maintaining any enduser machine years ago because i had enough of the
out-of-the-box security problems on windows systems and god bless that i
never started to recommend anybody use whatever OS

the machines i have to bother about are secured

*but* be sure that discussion is bookmarked if we read soon about damage
done by careless defaults to users which thought they can trust their
operating system in a default setup

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald



On 08.12.2014 at 17:20, Bastien Nocera wrote:
>> On 08.12.2014 at 17:10, Bastien Nocera wrote:
>>> There's a few more items that will be opened I'm afraid. And one of the
>>> reasons
>>> why we block root ports is to avoid regressions like rpcbind listening
>>> by default, which was due to a bug in packaging. So what you call "no
>>> firewall"
>>> would actually have prevented the potential security hole
>>
>> * go and read /etc/services above 1024
>> * the days that system service listening < 1024 are gone
>> * you can't guarantee that a similar packaging bug happens
>>   in context of a service assigned by IANA to a high port
>
> There's plenty of pre-existing services under 1024, and there's
> more likely to be bugs in those "old" services

*lol* if you start security decisions with "likely" you have lost

that "old" services are mostly known and audited

for what you opened the door is random crap coded by a schoolboy with no
clue in a random language, placed as download on his homepage with the
instruction "move it to your desktop, make it executable with a right
click in your filebrowser and just double click on it" not mentioning
the open port at all because it's just a new experimental feature with
draft code implemented because "it's cool"

Fedora 22 planning and changes submission deadline

2014-12-08 Thread Jaroslav Reznik
Hi all!
Fedora 21 is almost out of the doors (tomorrow!) and it's time to 
take a look closer on Fedora 22 plans. But before we move on, I'd
like to ask you to help us with Fedora 21 retrospective [1]. We'd
really like to know what you think went well and what did not.

Fedora 22 starts with changes proposals and as for now, we aim
on May release. Submission deadline is coming soon - the second
half of January! It applies for System Wide changes but it's
always good to have most of Self Contained proposed too.

Currently it is 2015-01-20 with changes to be completed and 
testable one month later.

I'll start processing proposed changes right now, sorry for
delays.

The final dates for other milestones will be published later.
There's ongoing discussion about tick-tock release, maybe we
will even change how release is scheduled from scratch, vFAD
is being planned... 

Initial schedule is available at the usual place [2] to give you
an idea how it could look like. There's also FESCo ticket for
additional feedback [3].

Jaroslav

[1] https://fedoraproject.org/wiki/Fedora_21_Retrospective
[2] https://fedoraproject.org/wiki/Releases/22/Schedule
[3] https://fedorahosted.org/fesco/ticket/1349
___
devel-announce mailing list
devel-annou...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

Mate group should require galculator instead of mate-calc

2014-12-08 Thread Igor Gnatenko
Hi,

my friend reported to me that mate-calc is deprecated. We should use
galculator instead.
I've checked and found blogpost from one of mate release[0]. Please
fix up comps.xml.

Couldn't find bugzilla component for this.


[0]http://mate-desktop.org/blog/2014-03-17-galculator-is-coming-to-mate/
--
-Igor Gnatenko

Re: python-dateutil update

2014-12-08 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Dec 08, 2014 at 09:10:59AM -0700, Pete Travis wrote:
> On Dec 8, 2014 8:51 AM, "Zbigniew Jędrzejewski-Szmek" 
> wrote:
> >
> > On Sun, Dec 07, 2014 at 04:45:12PM -0700, Pete Travis wrote:
> > > python-dateutil is old[0].  Fedora is carrying version 1.5, and upstream
> > > is up to 2.3 .  If you're receiving this mail directly, you are a
> > > maintainer of  a package that depends on python-dateutil, and we need
> > > your help.
> > It seems that calibre is fine with the new version. I wanted to update
> > python-dateutil to check if calibre works, and it seems that I
> > installed python-dateutil-2.3 with pip --user couple of months ago and
> > calibre didn't seem to mind. There's some dateutil usage in the installer,
> > which I didn't test but which we probably don't care about.
> > https://github.com/dateutil/dateutil/blob/master/NEWS also doesn't seem
> > scary.
> >
> > So I think it's fine if python-dateutil is updated as a calibre dep.
> >
> > Zbyszek
> 
> Great, thanks for responding.   I'm a *light* calibre user, but I'd be
> happy to help test with a newer dateutil when it becomes available if
> that's the direction you are going.
You can just install the python-dateutil-2.* package and test away ;)

Looking at the list and your announcement mail again, I wonder if it
might be better to bump python-dateutil to 2.2 again as soon as the
updated python-dateutil15 is available, and simply modify packages
which either explicitly depend on dateutil < 2 or exhibit problems to
depend on python-dateutil15. Proven packagers can do that trivially if
necessary. Otherwise this could drag on for months.

fedocal and python-django-tastypie are the only packages which
explicitly require python-dateutil < 2. If you wish, I can volunteer
file bugs to change the dependency for F21 and rawhide for those two
packages and do it myself after a week if the maintainers don't
respond or are fine with the change (got to use those provenpackager
privs for something :)).

Zbyszek

Re: python-dateutil update

2014-12-08 Thread Pierre-Yves Chibon
On Mon, 2014-12-08 at 17:47 +0100, Zbigniew Jędrzejewski-Szmek wrote:
> fedocal and python-django-tastypie are the only packages which
> explicitly require python-dateutil < 2. If you wish, I can volunteer
> file bugs to change the dependency for F21 and rawhide for those two
> packages and do it myself after a week if the maintainers don't
> respond or are fine with the change (got to use those provenpackager
> privs for something :)).

You can take fedocal out of this list.

The problem was that one release of python-dateutils was not py2
compatible (thus the 1.5 compat package and the discussion in bug report
listed previously). This is now back and fedocal runs now happily with
the latest python-dateutils.

Pierre

Re: Mate group should require galculator instead of mate-calc

2014-12-08 Thread Alexander Ploumistos
I spoke with the MATE team a few weeks ago and they said that for the time
being mate-calc will remain the default.
Galculator *might* make it to the 1.10 release.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread DJ Delorie

> Next time, don't be 6 month late if you're going to be flippant.

I, for one, am happy to welcome our new more-reasonable-less-paranoid
overlords.  I've been disabling my firewall for ages, as my machines
are behind an enterprise firewall anyway.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Reindl Harald


On 08.12.2014 at 18:33, DJ Delorie wrote:
>> Next time, don't be 6 month late if you're going to be flippant.
>
> I, for one, am happy to welcome our new more-reasonable-less-paranoid
> overlords.  I've been disabling my firewall for ages, as my machines
> are behind an enterprise firewall anyway

that don't apply for a notebook, especially not if the enduser is
connected to a public WLAN and if you think that you are protected
because a firewall in front of the WAN security is not your business

https://www.google.at/search?q=security+attackers+from+the+inside

* one infected machine inside the LAN
* vulnerable port open
* you are done

and no, that is not theory, that happens every single day again and
again and hits people feeling safe because a firewall in front of the
internet until they learn it the hard way

"less-paranoid" == no business in security

before Edward Snowden made informations public a lot of people which
told that things are happening also were called "paranoid"

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread DJ Delorie

> > I, for one, am happy to welcome our new more-reasonable-less-paranoid
> > overlords.  I've been disabling my firewall for ages, as my machines
> > are behind an enterprise firewall anyway
> 
> that don't apply for a notebook, especially not if the enduser is
> connected to a public WLAN and if you think that you are protected
> because a firewall in front of the WAN security is not your business
> 
> https://www.google.at/search?q=security+attackers+from+the+inside
> 
> * one infected machine inside the LAN
> * vulnerable port open
> * you are done
> 
> and no, that is not theory, that happens every single day again and
> again and hits people feeling safe because a firewall in front of the
> internet until they learn it the hard way
> 
> "less-paranoid" == no business in security
> 
> before Edward Snowden made informations public a lot of people which
> told that things are happening also were called "paranoid"

I'm aware of all your rhetoric and I'm aware of the security concerns.

If you really want full security, your only choice is to disconnect
from the Internet.  Everything else is a compromise, and I choose to
place my compromise somewhere else than where you choose.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Sudhir Khanger
On Mon, Dec 8, 2014 at 11:03 PM, DJ Delorie  wrote:
> I, for one, am happy to welcome our new more-reasonable-less-paranoid
> overlords.  I've been disabling my firewall for ages, as my machines
> are behind an enterprise firewall anyway.

So the target audience has shifted from developers to developers who
don't understand ports, don't like user prompts and are behind
enterprise firewalls.

-- 
Regards,
Sudhir Khanger,
sudhirkhanger.com,
github.com/donniezazen,
5577 8CDB A059 085D 1D60  807F 8C00 45D9 F5EF C394.

Re: "Tick-tock" release cadence?

2014-12-08 Thread Dennis Gilmore
On Mon, 8 Dec 2014 02:29:17 +
Peter Robinson  wrote:

> On Thu, Dec 4, 2014 at 6:42 PM, Matthew Miller
>  wrote:
> > On Thu, Dec 04, 2014 at 11:02:28AM -0600, Bruno Wolff III wrote:
> >> >For us, that would mean alternating between concentrating on
> >> >release features and on release engineering and QA process and
> >> >tooling. During the "tick", we'd focus on new features and
> >> >minimize unrelated rel-eng change. During the "tock", we'd focus
> >> >on the tools, and minimize change that might affect that.
> >> Presumably we wouldn't need to do this even up. We want say 2 to 1
> >> or 3 to 1.
> >
> > A waltz beat, say. :)
> >
> >
> >
> >> >* prevent compounded delays caused by intersection of feature
> >> >needs
> >> >  and releng changes
> >> There was a bit of that this time. But this was a really big
> >> change. Are you thinking we will have this scale of change for
> >> releng on a regular basis?
> >
> >
> > So, frankly — and I think the rel eng team won't be offended here,
> > because they know it more than anyone! — we're beyond what the
> > current releng overall design can really scale to, and it needs an
> > order of magnitude _more_ work in order to allow us to keep
> > growing. (And that's not just with the Fedora.next stuff or new
> > things like Atomic — the sheer _size_ means composes are going to
> > take more than 24 hours in the foreseeable future.)
> 
> No offence taken but it does depend on a number of things, some out of
> our control. We're working to be able to parallelise a bunch of the
> process but part of that isn't fixable with code alone. Parts are
> being improved with more human resources for time (like me) and some
> is due to things like IO on infrastructure.

None taken here either, I want to get to a point where the human cost
to doing a compose is next to nothing. but that does involve massive
amounts of work and the turn around time will depend on things like
network speed, storage speed, etc. but there is a high chance
turnaround could be over 24 hours as we make more and more things.

Dennis

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread DJ Delorie

> So the target audience has shifted from developers to developers who
> don't understand ports, don't like user prompts and are behind
> enterprise firewalls.

Certainly not.  I've never assumed I was an "average user".  There are
many different reasons why people might want a more open firewall
configuration, mine is only one of them.

Also, I do understand ports (I've written lots of networking software)
and it would be wonderful if we had a popup that said "Your
application  wants to accept traffic from the Internet, is that
OK?" but I understand how difficult that would be to implement.

Fedora is about choice.  My OP on this thread was to show that at
least one person was happy with the new choice when everyone else
seemed to be trying to remove that choice from me.  *Why* I am happy
with that choice is up to me.

Re: "Workstation" Product defaults to wide-open firewall

2014-12-08 Thread Adam Jackson
On Mon, 2014-12-08 at 18:40 +0100, Reindl Harald wrote:

> * vulnerable port open

Yeah, see, this bit right here is the actual issue.  Curiously, AV
software on Other Operating Systems has had the ability to delegate this
very policy decision to the user session for at least a decade, and yet
nobody on this thread seems to have any desire to _write code_ to _fix
the problem_.

Instead we are treated to infinite spew about how nostalgic we are for a
security model we learned in 1996.  Sorry y'all, port-based security
does not match reality's threat model.  Let's be better than that.

- ajax


Non-fatal error messages in Koji scratch build

2014-12-08 Thread Paul W. Frields
http://paste.fedoraproject.org/157737/18064529

I had a bunch of 'sh: git: command not found' messages in a scratch
build I did from an SRPM I uploaded, testing an epel7 build before
submitting the real thing.  It's been a while -- are these messages
expected behavior?

-- 
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
The open source story continues to grow: http://opensource.com
