On Thursday 19 November 2009 06:45:51 am Richard Hughes wrote: > 2009/11/19 Rahul Sundaram <sundaram fedoraproject org>: > > Right. The alternative really is defining the roles and the target > > audience clearly for distinct set of policies and allowing the user to > > trivially select it during or post-installation. > > I disagree, most people will just go for the default option without > understanding the subtle nuances of what they are being asked. So the default option should be the more secure option. The PackageKit policy was a major change, and someone who was naively clicking through the installer should not be surprised by such things. > > So if I pick "personal desktop", the change you made makes sense. If on > > the other hand, I choose "workstation" profile, I would obviously need a > > more locked down profile. > > Surely if you're deploying a workstation (1000s of workstations?) you > would just ship an extra package that set the PolicyKit policies > according to the domain policy, It is not so black and white. If I managing computers as a side favor, I may very well upgrade everyone to Fedora 12 without taking the time to look through these sorts of sweeping changes, and just do a quick test to make sure everything that used to work is still working. This is not a very uncommon situation, especially since not all Fedora users are experience at administrating systems. The problem here is that not everyone was on board with the "single user desktop" target. I would not say it is unreasonable to miss this detail, since Fedora is periodically used as a base for RHEL, which is certainly not a single user desktop system. > The real argument is what set of users upstream software should > target. There's an argument for upstream to default to "no" for all > actions and for the admin to install a policy for "desktop", > "workstation" etc, but then there's just the related problem of what > policy package to choose by default for "Fedora". Maybe there should just be a separate spin for "single user desktops," and it could be called "Fedora Home User Spin." -- Ben -- Message sent on: Thu Nov 19 09:59:13 EST 2009
Description: This is a digitally signed message part.