Hi,

There is a problem with the format of my previous email.
I apologize for the inconvenience.

Regards,

Xavier Garcia

2009/11/21 Xavi Garcia <[email protected]>
> Michael,
>
> My comments are also inline.
>
> 2009/11/20 Michael Miller <[email protected]>
>> Xavi,
>>
>> My comments are inline.
>>
>> On Thu, Nov 19, 2009 at 2:16 PM, Xavi Garcia <[email protected]> wrote:
>> > Hi,
>> >
>> > My point as admin, talking about HelpDesk:
>> >
>> > Let's say that I have created my image / kickstart file with the programs
>> > I trust and I have tested myself, so everything works fine and I am sure
>> > that my HelpDesk and second-line guys are properly trained to help the
>> > users.
>>
>> Yes, if we all lived in a perfect world that would be the case.
>>
>> > Now, one example is the email client. They can choose their own software
>> > that can break lots of things and Help Desk can't help them because they
>> > can't be trained to support everything that comes from their repository,
>> > unless we maintain a custom repository that will cost lots of money.
>>
>> Some of the above is true. Windows (not in an Active Directory Domain)
>> allows you by default to install anything. I think this was the wrong
>> choice for the default behavior in Fedora. If you read all of the
>> comments associated with that bug, someone pointed out that the behavior
>> in question could be changed, and should be in a corporate environment.
>> You can also restrict the selection of software, based on the policy of
>> your company. I still feel letting users install the e-mail application
>> you have standardised on is a good idea. This will help the users from
>> getting frustrated that they can't do anything without a support call.
>
> It will be a great solution but only if they develop a system that is
> robust and well documented. Reading their mailing list I think that only a
> few guys know exactly how it works, there is not enough documentation (a
> FAQ page and some blog posts) and the commands/options are changing
> release after release.
>
>> <side note>
>> An e-mail client (MUA) should be a part of any business desktop. I just
>> want to make sure everyone reading is on the same page that this is just
>> being used as an example. I don't want to get a bunch of hate mail based
>> on using it as an example.
>> </side note>
>>
>> I don't think your argument about having one's own custom repository
>> leads to costing lots of money. Most large (if not all) organizations
>> have second or third tier storage (SAN array, NAS or JBODs) that they use
>> for this. I've not worked in a company that has not had an SMB share or
>> NFS share with approved software for IT staff to grab from, vs
>> downloading the latest version off the Internet. If you are following a
>> software patch policy that says you test in a test environment, then you
>> install on a development environment before you install in production or
>> in a QA environment, you are going to have to store that somewhere that
>> is shared, even if you are doing the install by hand.
>
> Of course, I have my own repositories in my SAN. Perhaps I didn't express
> my point of view as I should. The point here is that mirroring their
> repository is not enough now. If I follow their default policy, I have to
> create a custom repository only with the packages that I really need, and
> it requires time and tests because it will have broken dependencies,
> libraries, etc.
>
>> > From the admin/security point of view, now we do not have a standard
>> > environment and the patch policy is broken because we can't test or
>> > prioritize patches.
>>
>> That's true if you don't change the default policy. It's the same with
>> anything in the network. The default configuration is never the most
>> secure. You only get to a non-standard environment because you don't have
>> defined policies (or a defined configuration implemented). I didn't mean
>> to say this was a good security practice or policy. I only pointed out
>> that it's a good idea and can cut down on IT staff having to coddle end
>> users. (Why is end user self service not a good idea?) Which I don't think
>> anyone enjoys doing, or having to explain why users can't install approved
>> software without a helpdesk intervention. This gives the illusion (to the
>> end user) that they have some control, while allowing IT to control what
>> software and in what manner it's installed on the system. At the end of
>> the day, if the user likes using Outlook vs Thunderbird and the company
>> has Thunderbird as the chosen e-mail reader, the user is out of luck and
>> is going to have to learn to use it.
>
> I do not know exactly how this installation system works. Perhaps I can
> create a policy somehow and define the packages that can and can't be
> installed, but this adds complexity in the system and it is dangerous. I
> believe that least privilege is key to securing a system. I am sure that
> many people on this list are able to find ways to break this system,
> because complexity means mistakes and mistakes mean compromise.
>
>> > The worst thing is that this 'feature' was undocumented. We could accept
>> > that this setting is enabled by default, but we need a
>> > guide/recommendations to harden our environment if we want to deploy
>> > FC12. Changing the security model and keeping it secret is bad.
>>
>> This is very true and I fully agree with your statement. I think Fedora
>> has a lot of egg on their face for this one, as they should.
>>
>> > They also say that Fedora is targeted to end users due to its life
>> > cycle, but many people are using Fedora for servers/desktops in the
>> > enterprise, like me.
>>
>> I think Fedora is a good choice for desktop users if you don't mind
>> upgrading every year or when they drop support for that version. (I use
>> Fedora at home, work and on my laptop.) If you wanted a longer life cycle
>> and/or a more stable choice, move over to CentOS, which has the same
>> documentation as RHEL and the same life cycle. I don't think this would
>> have fizzled down to RHEL and CentOS as it was with Fedora 12.
>
> I completely agree. I never wanted Fedora for a server environment because
> it is a desktop distribution and a test environment for RHEL. I believe
> that CentOS is the right choice because it has been my distribution for
> many years but ... sometimes you have no choice ;)
>
> Regards,
>
> Xavier Garcia
>
>> Regards,
>>
>> -mmiller
>>
>> > 2009/11/19 Michael Miller <[email protected]>
>> >>
>> >> I think the idea is to provide the same type of control that you have
>> >> with Active Directory and GPO software policies, which are based on
>> >> hash values or certificates rolled out by GPO. I don't think the
>> >> developers were looking at it from the same view point as system
>> >> administrators, who most likely are going to be in a corporate
>> >> environment. They want software (installs) to be easy for people
>> >> switching over from Windows.
>> >>
>> >> I say that based on one of the mission statements (with a lot of
>> >> paraphrasing on my part) from the Fedora Project. I think if you were
>> >> to roll this out in a corporate environment this would work out really
>> >> well, if one was to do it correctly and maintain their own software
>> >> repositories, which would decrease the number of help desk calls when
>> >> a user needed some software installed to do their job.
>> >>
>> >> <Personal Opinion>
>> >> I have the view point that if you have a base image (stripped down OS)
>> >> you reduce security issues because you don't have Acrobat or Flash
>> >> installed on 500 machines in your environment. You only have Acrobat
>> >> or Flash installed on the machines of the people who need to use that
>> >> software. In a perfect world that would be 10 or 15 people. Which is
>> >> a different line of thinking from most Microsoft shops where they want
>> >> every machine to be exactly the same to reduce software conflicts.
>> >> </Personal Opinion>
>> >>
>> >> Sorry for the rant.
>> >>
>> >> mmiller
>> >>
>> >> On Thu, Nov 19, 2009 at 1:57 AM, Xavier Garcia <[email protected]> wrote:
>> >> > Hi guys,
>> >> >
>> >> > First, sorry for my broken English.
>> >> >
>> >> > This is from Dailydave. Have a look at this bug report from RedHat
>> >> > (Fedora 12). Hilarious!
>> >> >
>> >> > https://bugzilla.redhat.com/show_bug.cgi?id=534047
>> >> >
>> >> > "Bug 534047 - All users get to install software on a machine they do
>> >> > not have the root password to"
>> >> >
>> >> > All these years working to have a standard and controlled
>> >> > environment. Now all this is bs and everybody should be able to
>> >> > install whatever they want in a desktop environment because the
>> >> > packages are signed and are trusted (secure).
>> >> >
>> >> > "PackageKit allows you to install signed content from signed
>> >> > repositories without a password by default. It only asks you to
>> >> > authenticate if anything is unsigned or the signatures are wrong."
>> >> >
>> >> > Fail!
>> >> >
>> >> > Regards,
>> >> >
>> >> > Xavier Garcia
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
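Added example, not part of the thread above: the password-less install that Michael says "could be changed" is decided by a PolicyKit action that PackageKit asks about before installing. The override below is written for the legacy PolicyKit "local authority" format of that era (a .pkla keyfile dropped into /etc/polkit-1/localauthority/50-local.d/) and assumes the action id is org.freedesktop.packagekit.package-install; both the path and the action id are assumptions here, not quoted from the thread, so confirm them on the target host first (pkaction lists the action ids the local PolicyKit knows about). The group name itstaff is hypothetical.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-packagekit-no-user-install.pkla
# Added example; action id, file location and group name are assumptions
# (see lead-in). Keyfile syntax: one [section] per rule.

# Rule 1: every user must authenticate as an administrator to install a
# package, whether the session is active (at the console), inactive
# (locked / remote) or anything else. This restores the "you need the root
# password" behaviour the thread complains about losing.
[Require admin auth to install packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

# Rule 2 (optional): members of the hypothetical itstaff group may install
# from the approved local repository on an active console session without a
# prompt, so routine installs still need no helpdesk ticket. Inactive and
# remote sessions still require admin authentication. This rule is placed
# after the catch-all on the assumption that a later matching entry takes
# precedence; verify the effective result on your host before relying on it.
[Allow IT staff to install from approved repositories]
Identity=unix-group:itstaff
Action=org.freedesktop.packagekit.package-install
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=yes
```

Keeping the rule in the local 50-local.d directory rather than editing the vendor-shipped file means a PackageKit or PolicyKit update cannot silently put the permissive default back, which is the "undocumented feature" concern raised in the thread. Whatever policy you land on, test it from an unprivileged account on a build of the image before rolling it into the kickstart, since a wrong Identity or Action value fails open to the distribution default, not closed.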
