Branch 'f12-temp' - en-US/Revision_History.xml en-US/Security.xml
John J. McDonough
jjmcd at fedoraproject.org
Thu Nov 19 02:12:54 UTC 2009
en-US/Revision_History.xml | 27 +++++++++++++++++++++
en-US/Security.xml | 57 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 84 insertions(+)
New commits:
commit 6db80efbe3639cf95aef5928a75ec58b52c4c039
Author: John J. McDonough <jjmcd at fedoraproject.org>
Date: Wed Nov 18 21:12:25 2009 -0500
Add warning about nonpriv users installing packages
diff --git a/en-US/Revision_History.xml b/en-US/Revision_History.xml
index c04a8a9..f920819 100644
--- a/en-US/Revision_History.xml
+++ b/en-US/Revision_History.xml
@@ -10,6 +10,33 @@
<itemizedlist>
<listitem>
<para>
+ 0.8
+ Wed 18 Nov 2009
+ John McDonough
+ <email>jjmcd at fedoraproject.org</email>
+ <simplelist>
+ <member>
+ Admonition about policy change that allows users to
+ install signed packages without authentication.
+ </member>
+ </simplelist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ 0.7
+ Mon 16 Nov 2009
+ John McDonough
+ <email>jjmcd at fedoraproject.org</email>
+ <simplelist>
+ <member>
+ Multiple small typos
+ </member>
+ </simplelist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
0.6
Mon 9 Nov 2009
John McDonough
diff --git a/en-US/Security.xml b/en-US/Security.xml
index e914c0a..4828cc2 100644
--- a/en-US/Security.xml
+++ b/en-US/Security.xml
@@ -10,6 +10,63 @@
</para>
+ <section id="sect-Release_Notes-Security-Install-trusted-packages">
+ <title>Local users may install trusted packages</title>
+ <warning>
+ <title>Non-privileged users may install software.</title>
+ <para>
+ In Fedora 12, a <emphasis>local</emphasis> user may
+ install <emphasis>signed</emphasis> packages without
+ authentication. This is a change from Fedora 11.
+ </para>
+ </warning>
+ <para>
+ In common use cases, local desktop users frequently
+ install packages. In Fedora 11, this required
+ authentication. In Fedora 11, if the user wishes to
+ install an unsigned package, a second authentication is
+ required. Since the desktop user is typically the owner
+ and sole user of the machine, the default was changed in
+ Fedora 12 to allow a local user to install signed
+ (trusted) packages without authentication. Unsigned
+ packages continue to require authentication.
+ </para>
+ <para>
+ This change only affects installs and updates made through
+ the graphical interface. It does not affect
+ <command>yum</command>, nor does it allow packages to be
+ removed without authentication.
+ </para>
+ <para>
+ Some administrators may prefer the old behavior. To
+ restore the Fedora 11 behavior, create a file in
+ <filename>/var/lib/polkit-1/localauthority/20-org.d</filename>
+ (name it anything you want) and the content should be
+ <screen>
+[NoUsersInstallAnythingWithoutPassword]
+Identity=unix-user:someone;unix-user:someone_else
+Action=org.freedesktop.packagekit.*
+ResultAny=auth_admin
+ResultInactive=auth_admin
+ResultActive=auth_admin
+ </screen>
+ </para>
+ <para>
+ It is important to note that, as of this writing, there is
+ some discussion as to whether this feature may be
+ reverted. There is also a question about whether the
+ above fix works for all users. This document will be
+ updated as new information becomes available.
+ </para>
+ <para>
+ Those that want to follow the detailed discussion can
+ refer to <ulink type="http"
+ url="https://bugzilla.redhat.com/show_bug.cgi?id=534047"
+ />. Be advised that most of those commenting are
+ developers and frequently have software and understanding
+ beyond ordinary users.
+ </para>
+ </section>
<section id="sect-Release_Notes-Security-Lower_process_capabilities">
<title>Lower process capabilities</title>
<para>
More information about the Fedora-docs-commits
mailing list