On Thu, Aug 21, 2014 at 3:56 PM, Owen Taylor <otaylor(a)redhat.com> wrote:
> On Thu, 2014-08-21 at 15:11 -0400, Josh Boyer wrote:
> > On Thu, Aug 21, 2014 at 3:03 PM, Elad Alfassa <elad(a)fedoraproject.org> wrote:
> > > Hello.
> > >
> > > I propose we remove firewall-config (the graphical firewall configuration
> > > utility) from the default install of Fedora Workstation.
> > > Rationale:
> > >
> > > * The default Workstation zone file allows incoming connections to non-root
> > > ports. This means most of the common use cases will "just work" out of the
> > > box. Thus, most users will not need to touch their Firewall settings.
> > >
> > > * People who do need it will be able to install it from GNOME Software quite
> > > easily. Just search for "Firewall". There will be no confusion as this is
> > > the only firewall configuration tool shown in GNOME Software.
> > >
> > > * In general, we should avoid having app launchers for things that are
> > > configuration utilities in the default install.
> > >
> > > Unless there's major objection to this change in the following few days,
> > > I'll remove it from the gnome-desktop group in comps.
> >
> > I object for now. I'd like to hear more from Matthias, Christian, and
> > the firewalld contributors first. We already discussed this a while
> > ago and there has been work to make it more Workstation appropriate.
> > I don't think we should remove it without consensus from everyone that
> > has already been discussing this.
>
> That's why the list was mailed ... to get some discussion and build
> consensus :-)

Yep! That's why I said "for now". I just didn't want Elad to remove
it in a few days before we actually discussed it.

> One main idea of putting a lot of work into GNOME Software is to reduce
> the difference between "installed by default" and "not installed by
> default" - there are a ton of things that we want to allow a user to do
> easily with Fedora that we can't have in the default install.

Sure.

> Having something in the default install to me means two things: first,
> we think that the activity it enables is something that a large
> percentage of users will want to do. Second we want to actively
> encourage the user to stumble on the application, start it up, find what
> it does.
>
> If you start firewall-config I don't think it meets the second objective
> - you get prompted for authentication before it even loads, and you are
> immediately confronted with a pretty complex UI that depends on
> understanding concepts (zones, runtime vs. static config, trusted vs.
> untrusted services, etc.) that most technical users probably won't
> understand without some study.

Correct. That interaction is what was highlighted as not being
suitable, but I thought there were plans to address it.

> But if we need firewall-config for the first objective - if a large
> fraction of users will need to use it, then the right response to the
> complexity is to try and make it friendly for non-firewall-experts,
> rather than removing it from the default install. The *idea* here is
> that that's not the case as of Fedora Workstation 21 - the average
> developer won't need to configure their firewall - e.g., when developing
> a web app, a developer will almost always be running on a high port.

Right, and I thought the firewalld team and others were working on a
UI that _is_ appropriate. Did that work happen? What state is it in?
etc.
josh