[devel] [JT] *Kit

[devel] [JT] *Kit

[Michael Shigorin]

	Здравствуйте.
Помнится, я как-то бухтел насчёт hal.  Потом его закопали.

Просьба почитать и осознать нижепроцитированное перед тем,
как слишком активно тащить в рот (сизиф и дистрибутивы)
разные *Kit и в особенности пока отсутствующий PackageKit.

Новости старые, но думаю, для нас пригодятся.

---
In short, the problem was that in the Fedora 12 default
installation, regular users sitting at the console could install
signed packages from any repository that the administrator has
enabled. [...]

The other main line of defense is that this behavior is "just"
a default, and can be changed by administrators. While that is
true, the process to do so is not obvious. It involves mucking
about with PolicyKit files, something that many Fedora users
probably know little to nothing about. Hughes thinks that users
should learn PolicyKit: "If you're deploying F12, then I really
think you should know the basics about PolicyKit." But, when Seth
Vidal set out to find out how to disable the feature--documented
on his blog--asking Hughes did not lead to the solution: "So, if
our engineers don't know the basics, how should our users?"

Overall, Hughes's reaction to the problem has been dismissive,
bordering on rude:

  I don't particularly care how UNIX has always worked.
  Looking at the use-cases and the things people are trying
  to do this seemed the best default. Admins can trivially
  change the default on machines if they wish. 
--- http://lwn.net/Articles/362771/

Я лично таким людям, как этот дядя Хьюз -- не верю.

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

Re: [devel] [JT] *Kit

[Vitaly Kuznetsov]

Michael Shigorin <mike@osdn.org.ua> writes:

> In short, the problem was that in the Fedora 12 default
> installation, regular users sitting at the console could install
> signed packages from any repository that the administrator has
> enabled. [...]

Fedora is a "bleeding edge" and thus this is normal. Sisyphus
isn't. Running in front of locomotive may be dangerous. 

-- 
Vitaly Kuznetsov, ALT Linux

Re: [devel] [JT] *Kit

[Michael Shigorin]

On Mon, Dec 14, 2009 at 01:44:28AM +0300, Vitaly Kuznetsov wrote:
> > In short, the problem was that in the Fedora 12 default
> > installation, regular users sitting at the console could install
> > signed packages from any repository that the administrator has
> > enabled. [...]
> Fedora is a "bleeding edge" and thus this is normal.

---
The Fedora project has likely learned quite a bit from this
particular controversy, and it seems to be taking the right steps
to avoid a repeat in the future. For a distribution that went
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
through a great deal of pain to integrate SELinux features in
order to increase the security of the system, it is mind-boggling
to many that this non-root install feature was added as the
default. There were multiple missteps--making it the default, not
highlighting it in the release notes, not testing it in Rawhide,
and so on--but those can all be corrected. Hopefully, the outcry
and publicity will ensure that the word gets out, so that Fedora
users will understand the issue and can make the appropriate
changes for their systems.

In the meantime, though, other projects--distributions or
software packages--would be well-served by studying this episode.
Security is hard, and requires great diligence. It is likely that
other projects could have hit this same kind of problem, but,
hopefully, with this incident as a guide, will avoid doing so
in the future.
---

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

Re: [devel] [JT] *Kit

[Vitaly Kuznetsov]

Michael Shigorin <mike@osdn.org.ua> writes:

> On Mon, Dec 14, 2009 at 01:44:28AM +0300, Vitaly Kuznetsov wrote:
>> > In short, the problem was that in the Fedora 12 default
>> > installation, regular users sitting at the console could install
>> > signed packages from any repository that the administrator has
>> > enabled. [...]
>> Fedora is a "bleeding edge" and thus this is normal.
>
> The Fedora project has likely learned quite a bit from this
> particular controversy, and it seems to be taking the right steps
> to avoid a repeat in the future.

I think new RHEL will have different defaults ;) Target matters. I don't
think it was an indeliberate mistake. Allowing user to install packages
is normal for a single user desktop system but it may be fatal for a
server. Defaults must differ.

-- 
Vitaly Kuznetsov, ALT Linux

Re: [devel] [JT] *Kit

[Michael Shigorin]

On Mon, Dec 14, 2009 at 02:09:57AM +0300, Vitaly Kuznetsov wrote:
> > The Fedora project has likely learned quite a bit from this
> > particular controversy, and it seems to be taking the right
> > steps to avoid a repeat in the future.
> I think new RHEL will have different defaults ;) Target
> matters. I don't think it was an indeliberate mistake.

It was one person's personal arrogance along with project's
failure to make this particular thing obvious before too late.

> Allowing user to install packages is normal for a single user
> desktop system but it may be fatal for a server. Defaults must
> differ.

---
Hughes often refers to the change only being made for the
"desktop spin", but that doesn't really make sense as the feature
was added to all of Fedora. Certainly, some spins--server, for
example--could change this default, but that seems backward. The
core should default to secure choices, and allow spins to relax
those requirements if they so desire.
---

Would you please stop advocating idiocy?  They acknowledged it,
and the last thing we really want to do is take *wrong* example
at that.

PS: похоже, в следующий раз придётся сесть и переводить куски
с LWN, чтоб потом не выглядеть парлевуфрансе.  Что ж, правильно.

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/