Yet Another Reflection on Trusting Trust

stewartetcie at canada.com
Tue Apr 20 20:40:10 UTC 2004


The Fedora Core 2 Test 2 installer lacks a check-box at
the bottom of the package selection window that was
provided with previous Red Hat 9 and Fedora Core 1
releases. This check-box enables access to a second
package selection window that provides fine-grained
control over selection of individual packages. (The
check-box also disappears from the otherwise identical
Red Hat 9 and Fedora Core 1 install/remove package
window.) So there's no obvious way to install, say, the
Festival speech server or the EmacSpeak audio desktop
(or the beta release of Gnome Speech). The FC2 Test 2
install/remove package program also lacks RPM file
association that would allow users to click to install
RPM packages from a Fedora CD. Curiously though, the
VNC server, which permits remote control of my computer,
keeps getting installed even if all network servers are
deselected.

Since FC2 Test 2 is a test of the NSA's security
enhanced Linux, a user would have to recompile the
kernel to get rid of SELinux. If enabled, the default
security policy appears to disable such things as the
Apache web server and administrative access to the var
directory, where Apache's web is located, using the
Mozilla web browser. Since the updatedb command won't
run, performance of the find command is suspect and
help doesn't work, though the man command does.
Disabling SELinux enables Apache and the updatedb
command, but help still doesn't work and, though 
executing the rpm command works, it produces incredibly
verbose complaints from the, supposedly disabled,
SELinux extensions.

I'm like a guy from Missouri, not entirely convinced.
Linux was already pretty secure. Then IPSec was built
into the 2.6 Linux kernel. But we should remember that
SELinux comes from the NSA, whose mandate isn't to
provide everyone with unassailable communications
security, but to listen to everything, all the time,
everywhere. Now here's Fedora, with the widest
distribution yet seen for Linux 2.6, but the kernel
must be recompiled to enable IPSec and disable SELinux.
All in all, it kind of makes you go hmmm.





More information about the fedora-legacy-list mailing list