Re: What I HATE about F11
- From: Michael Fleming <mfleming thatfleminggent com>
- To: fedora-devel-list redhat com
- Subject: Re: What I HATE about F11
- Date: Sun, 14 Jun 2009 17:45:43 +1000
On Sat, 13 Jun 2009 22:19:17 -0400
"Charles Butterfield" <charles butterfield nextcentury com> wrote:
> Okay, so I mostly love Fedora. However, here are 4 things that got my
> blood really, really boiling, so I thought I'd share my emotions.
> They are mostly policy issues, where I think you have gotten it very
> very wrong.
Well, "wrong" is a fairly subjective term, but each to their own. :-D
> Just installed F11 64 bit, here are the things I hate about it in the
> first 30 minutes (of course there are a lot of things I like too, but
> they work, these don't). No doubt more will crop up.
> * Root gdm login - gets harder every release - SHAME ON YOU
> root nazis!
Ich bin ein secure user and you should be too. Logging in as root into
X directly (or the console for that matter) is a *bad idea*. Yes a
This isn't specific to Fedora or even Linux/UNIX for that matter
(Savvy Windows admins have been trying this too to no avail. They do
exist, in times past I was one..)
With the likes of sudo / ConsoleKit / console-helper et al. you should
never, ever need to run an extended session as root. Your day-to-day
work can be done perfectly well as a standard non-privileged user, the
applications that *need* root, especially in X, are hooked into
consolehelper/ConsoleKit anyway and will prompt you for the root
password in any case (when run as a regular user)
As a systems administrator I applaud this idea, as it stops people from
shooting themselves in the foot (which is more like a Howitzer, be it a
desktop or server)
As a BOFH I'd like to see it extended further, lecturing/LARTing the
user for even attempting root login on X/direct tty :-P
> * Samba (outbound) browsing requires firewall mods
Turn off the firewall (if you're on a trusted local network) or punch
the required holes (137-139,445,kerberos) via
The default firewall is quite strict, which given that new users are
often ignorant of UNIX security is not such a bad idea (see bullet/foot
> * Jamming SELinux enforcing mode with no query during install
I've done reinstalls and upgrades and not seen a denial AVC - I believe
if it runs during the installer it would be a permissive / targeted
mode. I did have SELinux break an upgrade but that was many releases
back, and a relabel fixed it.
> And a bug:
> * My "supported" NVIDIA card (Quadro NVS 295) is not detected -
> okay this may not be due to overt, mulish arrogance, but I did check
> the supported card list and it is really annoying.
While nouveau is better than prior releases, it's not perfect - I have an
8800GS - nouveau works but it kernel panics and glitched out on me on a
couple of occasions (suspect my system has a conflict somewhere) -
the nvidia binary blob works, it's not my preference but got things
going. I'll give it another whirl in a future update
My card is supported too, but it doesn't mean it's perfect.
> The first 3 items are just freaking absurd and represent some sort of
> political agenda combined with astonishing arrogance.
You forgot the "IMHO". Can you outline this "political agenda" you
speak of, or are you being melodramatic?
I happen to believe the reasons are much simpler - sound technical and
*secure* usability. We're not being bastards for the sake of it.
> Is a graphical root login dangerous -- of course! So are a lot of
> things, which have obvious enable/disable controls. Was this
> discussed in the release note? - NO. Should it be inhibited by an
> ever-increasing set of obscure work-arounds (in this case a new file
> to edit in F11)? Of course not.
Again, you forgot the "IMHO". Your case is (hopefully) a minority one -
most users won't know or care, those that do will try and find out how
to enable it if they *really* want it. Making it simple to do something
that is inherently dangerous is just bad practice and WILL bite users
on the backside.
> (Well as was pointed out to me in
> thread http://forums.fedoraforum.org/showthread.php?t=223793 this is
> discussed... but in non-highlighted text at the end of the boring last
> bullet suggesting you "save and close").
> And why on earth show the stupid "Windows Network" if it doesn't work
> -- just gives an obscure error message "Failed to retrieve share list
> from server". If you install the client, the reasonable man would
> open the ports, OR provide a clueful error message.
Take up the error message with the nautilus developers - it's
technically correct (if the firewall is closed then the browse list
will not be retrievable from the DC/browse master) but not very
The firewall case is different again: The precise ports to open vary by
environment (are you on an Active Directory domain or a Samba3/NT4
style domain? The ports differ slightly between versions)
Also changing system security silently and dynamically in a package
install, without the user/admin's knowledge is a definite no-no.
> SELinux - enforcing???? So all the bugs are worked out? I think not.
Where did it break? The SELinux guys are usually pretty keen to see any
serious AVC / denials.
> -- Charlie Butterfield
Michael Fleming <mfleming thatfleminggent com> - (EMail/XMPP/Jabber)
Fedora / Red Hat Packages: http://www.thatfleminggent.com/rpm-packages