* Martin Kudlvasr <[email protected]> [Oct 20. 2009 15:51]: > On Tuesday 20 October 2009 15:07:03 Klaus Kaempf wrote: > > > > If someone has enough knowledge to bypass the WebYaST UI, we can't > > stop him anyways ;-) > > This is news to me. Until now I though, that webservice should be usable (and > secure) on its own. Including accepting eulas and telling the user, that he > has to accept eulas first. This is not about bypassing security, this is > about > telling the user, that there is an eula to accept, even if he is using only > command-line. If we leave eulas only in UI and basesystem, some users (in > some > completely valid use-cases) simply won't realize there is an eula to accept. > When user skips basesystem setup, it is his problem. When the user does not > accept eula, it's license violation (also 3rd party vendors may have problem > with that). I don't know, maybe it is just me seeing this problem as too > serious.
I see your point and tend to agree. However, I want to keep things simple for now. I can imagine a lot of things the service side could enforce (password for root, existance of a non-root user, registration, ...) adding up in a pile of validations every service request has to check. > > From the performance POV ... the check for detecting, if eula was accepted, > has 1-2 file touches. I don't see it as speed bottleneck (in comparison to > dbus call for instance). > > I understand that this decision is for the project managers to make, so I'll > change the implementation to whatever the decision is going to be. The amount > of work needed is minimal. For now, I see enforcement of the EULAs in the webclient-eula module as sufficient. Klaus --- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
