Fedora Server Spin

Rui Miguel Silva Seabra rms at 1407.org
Fri Jan 12 15:29:08 UTC 2007


On Fri, 2007-01-12 at 09:40 -0300, Horst H. von Brand wrote:
> > 	Inside each of those maybe some questions like:
> > 		[ ] password for X
> > 		[ ] typical configuration { A or B or ... } for Y
> > 		... (other choices, you get the gist I hope)
> 
> Hum... I'd go for "Installed, but disabled by default." (or whatever is the
> fail-safe option, i.e. SELinux enabled, no root login except on the
> console, ...) + "To set up for X do Y" type documentation here. Presumably
> they know what they are doing, and their setup most probably won't fit any
> "standard". Nice side effect is that it is simpler that way ;-)

I'd prefer that too, but I used "maybe" with a particular intention: you
might predict some simple scenarios for which it is easy to have a generic
default config (like a simple MTA on the localhost for sending email
outside).

> > Configurations:
> > 	Secure by default
> > 		* no default passwords
> > 		* no service shall start automatically unless it can
> > 		  have a secure default configuration
> > 		* root only by sudo, but without direct access to a
> > 		  shell (for improved audit-ability)
> > 		* selinux activated
> > 		... (other choices, you get the gist I hope)
> 
> Just one option is simpler

These aren't supposed to be options; I meant choices as in choices of
things to configure by default.

> , and so harder to screw up upstream (this is
> critical),

Many projects have HORRIBLE configurations by default (JBoss and Tomcat
for instance). I'm not sure they're inclined to solve it upstream, and
it's a true PITA to configure such systems in a PCI:DSS (for VISA)
compliant form, for instance.

>  and gives people time to look at the various pieces having the
> full documentation (and web access, etc) at hand. This is one of my gripes
> about the installation process: You have to decide on stuff without data,
> and either you decide right now or you can't go on.

I usually define it with kickstart ;)

Rui

-- 
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
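
An added example, not part of the original message: a shell audit that checks an installed tree for the fail-safe defaults named in this thread (SELinux enabled, no root login over SSH, root reachable only through sudo, no passwordless accounts). The function names and the root-directory argument are hypothetical, and mapping "root only by sudo" to a locked root password in etc/shadow is an assumption.

```shell
#!/bin/sh
# Usage: . ./audit.sh; audit /mnt/sysimage   (argument defaults to /)

# SELinux must be set to enforcing in etc/selinux/config.
check_selinux() {
    grep -Eq '^[[:space:]]*SELINUX=enforcing[[:space:]]*$' \
        "$1/etc/selinux/config" 2>/dev/null
}

# sshd uses the first value it reads for a keyword, so take the first
# uncommented PermitRootLogin. A missing setting counts as a failure
# because the built-in default differs between OpenSSH versions.
# Simplification: Match blocks are not interpreted.
check_ssh_root() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' \
        "$1/etc/ssh/sshd_config" 2>/dev/null)
    [ "$val" = "no" ]
}

# Assumption: "root only by sudo" means root's password field is locked
# (starts with "!" or "*"), so nobody can log in as root directly.
check_root_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1/etc/shadow" 2>/dev/null)
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# No account may have an empty password field (login without a password).
check_no_empty_pw() {
    [ -r "$1/etc/shadow" ] || return 1
    ! awk -F: '$2 == "" { found = 1 } END { exit !found }' "$1/etc/shadow"
}

# Run every check against the tree; the return code is the number of failures.
audit() {
    root=${1:-/}
    fails=0
    for c in check_selinux check_ssh_root check_root_locked check_no_empty_pw; do
        if "$c" "$root"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}
```

Called from a kickstart `%post` section or against a mounted image, a non-zero return from `audit` marks an install that has drifted from these defaults.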