No subject

[bogus () does not exist com ()]

environment and the patch policy is broken because we can't test or
prioritize patches .

The worst thing is that this 'feature' was undocumented.  We could accept
that this setting is enabled by default, but we need a guide/recommendations
to harden our environment if we want to deploy FC12.  Change the security
model and keep it secret is bad.

They also say that Fedora is targeted to end users due its life cycle, but
many people is using Fedora for servers/desktops in the enterprise, like me.


Regards,

Xavier Garcia


2009/11/19 Michael Miller <mike.mikemiller at gmail.com>

> I think the idea is to provide the same type of control that you have
> with Active Directory and GPO software polices.  Which are based on
> HASH values or Certificates rolled out by GPO.  I don't think the
> developers where looking at it from the same view point of system
> administrators.  Who most likely are going to be in a corporate
> environment. They want software (installs)  to be easy for people
> switching over from Windows.
>
> I say that based on what one of the mission statements ( with a lot of
> paraphrasing on my part. ) from Fedora Project.  I think if you where
> to role this out in a corporate environment this would work out really
> well.  If one was to do it correctly and maintain their own software
> repositories.  Which would decrease the number of help desk calls when
> a user needed some software installed to do there job.
>
> <Personal Opinion>
> I have the view point that if have a based image ( Stripped down OS )
> you reduce security issues because you don't have Acrobat or Flash
> installed on 500 machines in your environment.  You only have Acrobat
> or flash installed on the machines of the people who need to use that
> software.  In a perfect world that would be 10 or 15 people.   Which
> is a different line of thinking from most Microsoft shops where they
> want every machine to be exactly the same to reduce software
> conflicts.
> </Personal Opinion>
>
> Sorry for the rant.
>
> mmiller
>
> On Thu, Nov 19, 2009 at 1:57 AM, Xavier Garcia <xavi.garcia at gmail.com>
> wrote:
> > Hi guys,
> >
> > First, sorry for my broken english.
> >
> >
> > This is from Dailydave. Have a look at this bug report from RedHat
> (Fedora12). Hilarious!
> > https://bugzilla.redhat.com/show_bug.cgi?id=534047
> >
> > "Bug 534047 -  All users get to install software on a machine they do not
> have the root password to"
> > All these years working to have a standard and controlled environment.
> Now all this is bs and everybody
> > should be able to install whatever they want in a desktop environment
> because the packages are signed and are trusted (secure).
> > "PackageKit allows you to install signed content from signed repositories
> > without a password by default. It only asks you to authenticate if
> anything is
> > unsigned or the signatures are wrong. "
> >
> > Fail!
> >
> > Regards,
> >
> > Xavier Garcia
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--0016e6d464cf6bbe4a0478c0b56c
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi,<br><br>My point as admin., talking about HelpDesk,<br><br>Lets say that=
 I have created my image / kickstart file with the programs I trust and I h=
ave tested myself, so everything works fine and I am sure that my HelpDesk =
and secondline guys are properly trained to help the users.<br>
<br>Now, one example is the email client,=A0 they can choose their own soft=
ware that can brake lots of things and Help Desk can&#39;t help them becaus=
e they can&#39;t be trained to support everything that comes from their rep=
ository, unless we maintain a custom repository that will cost lots of mone=
y.<br>
<br>From the admin./security point of view, now we do not have a standard e=
nvironment and the patch policy is broken because we can&#39;t test or prio=
ritize patches .<br><br>The worst thing is that this &#39;feature&#39; was =
undocumented.=A0 We could accept that this setting is enabled by default, b=
ut we need a guide/recommendations to harden our environment if we want to =
deploy FC12.=A0 Change the security model and keep it secret is bad.<br>
<br>They also say that Fedora is targeted to end users due its life cycle, =
but many people is using Fedora for servers/desktops in the enterprise, lik=
e me.<br><br><br>Regards,<br><br>Xavier Garcia<br><br><br><div class=3D"gma=
il_quote">
2009/11/19 Michael Miller <span dir=3D"ltr">&lt;<a href=3D"mailto:mike.mike=
miller at gmail.com">mike.mikemiller at gmail.com</a>&gt;</span><br><blockquote c=
lass=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, 204, 204); ma=
rgin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I think the idea is to provide the same type of control that you have<br>
with Active Directory and GPO software polices. =A0Which are based on<br>
HASH values or Certificates rolled out by GPO. =A0I don&#39;t think the<br>
developers where looking at it from the same view point of system<br>
administrators. =A0Who most likely are going to be in a corporate<br>
environment. They want software (installs) =A0to be easy for people<br>
switching over from Windows.<br>
<br>
I say that based on what one of the mission statements ( with a lot of<br>
paraphrasing on my part. ) from Fedora Project. =A0I think if you where<br>
to role this out in a corporate environment this would work out really<br>
well. =A0If one was to do it correctly and maintain their own software<br>
repositories. =A0Which would decrease the number of help desk calls when<br=
>
a user needed some software installed to do there job.<br>
<br>
&lt;Personal Opinion&gt;<br>
I have the view point that if have a based image ( Stripped down OS )<br>
you reduce security issues because you don&#39;t have Acrobat or Flash<br>
installed on 500 machines in your environment. =A0You only have Acrobat<br>
or flash installed on the machines of the people who need to use that<br>
software. =A0In a perfect world that would be 10 or 15 people. =A0 Which<br=
>
is a different line of thinking from most Microsoft shops where they<br>
want every machine to be exactly the same to reduce software<br>
conflicts.<br>
&lt;/Personal Opinion&gt;<br>
<br>
Sorry for the rant.<br>
<br>
mmiller<br>
<div class=3D"im"><br>
On Thu, Nov 19, 2009 at 1:57 AM, Xavier Garcia &lt;<a href=3D"mailto:xavi.g=
arcia at gmail.com">xavi.garcia at gmail.com</a>&gt; wrote:<br>
</div><div><div></div><div class=3D"h5">&gt; Hi guys,<br>
&gt;<br>
&gt; First, sorry for my broken english.<br>
&gt;<br>
&gt;<br>
&gt; This is from Dailydave. Have a look at this bug report from RedHat (Fe=
dora12). Hilarious!<br>
&gt;<br>
&gt; <a href=3D"https://bugzilla.redhat.com/show_bug.cgi?id=3D534047"; targe=
t=3D"_blank">https://bugzilla.redhat.com/show_bug.cgi?id=3D534047</a><br>
&gt;<br>
&gt; &quot;Bug 534047 - =A0All users get to install software on a machine t=
hey do not have the root password to&quot;<br>
&gt;<br>
&gt; All these years working to have a standard and controlled environment.=
 Now all this is bs and everybody<br>
&gt; should be able to install whatever they want in a desktop environment =
because the packages are signed and are trusted (secure).<br>
&gt;<br>
&gt;<br>
&gt; &quot;PackageKit allows you to install signed content from signed repo=
sitories<br>
&gt; without a password by default. It only asks you to authenticate if any=
thing is<br>
&gt; unsigned or the signatures are wrong. &quot;<br>
&gt;<br>
&gt; Fail!<br>
&gt;<br>
&gt; Regards,<br>
&gt;<br>
&gt; Xavier Garcia<br>
</div></div><div><div></div><div class=3D"h5">&gt; ________________________=
_______________________<br>
&gt; Pauldotcom mailing list<br>
&gt; <a href=3D"mailto:Pauldotcom at mail.pauldotcom.com">Pauldotcom at mail.paul=
dotcom.com</a><br>
&gt; <a href=3D"http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldot=
com" target=3D"_blank">http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/=
pauldotcom</a><br>
&gt; Main Web Site: <a href=3D"http://pauldotcom.com"; target=3D"_blank">htt=
p://pauldotcom.com</a><br>
&gt;<br>
_______________________________________________<br>
Pauldotcom mailing list<br>
<a href=3D"mailto:Pauldotcom at mail.pauldotcom.com">Pauldotcom at mail.pauldotco=
m.com</a><br>
<a href=3D"http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom"; =
target=3D"_blank">http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauld=
otcom</a><br>
Main Web Site: <a href=3D"http://pauldotcom.com"; target=3D"_blank">http://p=
auldotcom.com</a><br>
</div></div></blockquote></div><br>

--0016e6d464cf6bbe4a0478c0b56c--