On Mon, 2007-08-20 at 15:08 -0400, Colin Walters wrote:
> On 8/20/07, David Zeuthen <davidz(a)redhat.com> wrote:
> > So, like it or not, we simply need to engineer the security of the
> > operating system such that untrusted code running in your desktop
> > session can do as little harm as possible.
>
> Ok we're pretty far afield here but I don't disagree with anything
> you're saying here - all that work would help - but it doesn't change
> my opinion that by far the biggest bang for the buck in terms of
> security is making sure we get updates as painlessly (well tested
> etc.) as possible. And hence, that's why we should not have any
> password prompts for updating.
Oh, I think we definitely agree on that. Btw, with the work on PolicyKit
that I'm doing
http://people.freedesktop.org/~david/polkit-admin-auth-1.png
combined with the PackageKit work Richard is doing
http://hughsient.livejournal.com/32948.html
we should be close, with a bit of luck anyway, to having something for
Fedora 9. I'm hoping to find time in a month or two to help out on that.
Anyway, the beauty of this is that for the Fedora desktop spin we'll
just ship with a /etc/PolicyKit/PolicyKit.conf [1] file that allows the
action (and others) of updating the OS with signed packages without
asking for auth. And the admin (if any) can always change this however
he likes. For a hypothetical super-secure govt compliant locked-down and
secure desktop spin it will always default to denying this (and other
actions) without even asking for any passwords. Centralized, fine
grained, secure.
David
[1] :
http://gitweb.freedesktop.org/?p=PolicyKit.git;a=blob;hb=HEAD;f=doc/man/P...
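As an added illustration of the two defaults described in the message above (this is not from David's mail or from the PolicyKit or PackageKit projects), here is what a /etc/PolicyKit/PolicyKit.conf in the PolicyKit 0.x format of that era could look like for the desktop spin, with the locked-down and "prompt once" variants shown in comments. The file layout (config, match and return elements, and the result values) follows PolicyKit.conf(5); the action id org.freedesktop.packagekit.update-system is an assumed placeholder for whatever PackageKit registers in its .policy file, and any action with no matching rule falls back to the defaults declared in that .policy file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkconfig PUBLIC "-//freedesktop//DTD PolicyKit Configuration 1.0//EN"
 "http://hal.freedesktop.org/releases/PolicyKit/1.0/config.dtd">

<!-- Example PolicyKit.conf for a desktop spin (not project code).
     The action id below is an assumed placeholder; the real id comes
     from the PackageKit .policy file installed on the system. -->
<config version="0.1">

  <!-- Desktop spin default: installing signed updates never asks for a
       password, so updates are as painless as possible. -->
  <match action="org.freedesktop.packagekit.update-system">
    <return result="yes"/>
  </match>

  <!-- A locked-down spin ships the same stanza with result="no": the
       action is refused outright, without any password prompt.

       An admin who wants a middle ground can instead use
       result="auth_admin_keep_session" (one admin password per login
       session) or result="auth_self" (the user's own password each
       time); result="yes"/"no" are the two extremes the mail talks about. -->

</config>
```

The override lives in one place and is keyed on the action id, so a site that wants to restrict only this action can do so without touching the PackageKit .policy file or the daemon; assuming your PolicyKit build ships it, polkit-config-file-validate can be run on the file to catch XML or schema mistakes before deploying it.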