-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 04/01/2014 12:15 PM, Simo Sorce wrote:
On the meeting today we briefly discussed how to address defaults that may be appropriate for a server and may differ from other Fedora products, how to find them, how to change them in the product.
I am personally more looking to determine a process, when we find out something may need to change. How do we analyze the issue, what guidelines will drive our decision and finally how, technically, changes are made that affect just the server product.
Working backwards from the end here. I don't think that security defaults are anything but a special case of products wanting different configuration defaults. I think that conversation has been held ad nauseam on the fedora-devel list[1] at this point. As far as the technical changes to address this are concerned, I think it should follow whatever policy we adopt there.
As for how we process the need, I think the process can probably be very simple (and similar to the Change process): 1) Open a discussion on the fedora-server mailing list. 2) After a week, it gets added to the Server WG meeting agenda and is voted on (or deferred for additional discussion on the list).
As far as guidelines to drive us, I really can think of only two: 1) Default to deny in the absence of explicit permission grant. 2) See rule one.
I'd like ideas and discussion around this topic so we can determine if it is important, and how to deal with this 'stuff'.
[1] https://lists.fedoraproject.org/pipermail/devel/2014-March/196546.html