19 November 2009

Is there such thing as bad publicity?

I know there is a famous quote saying that there is no such thing as bad publicity, and one day after the release, the news about PackageKit allowing unprivileged users to install packages without root permission drew a larger number of [negative] comments than the release announcement itself on such sites as LWN or Slashdot, which I am not convinced is a good thing for publicity.

But surely I am glad I got to keep my public presentations about F12 in advance last week, so I didn't get laughed out of the presentation for such a "feature", which I wouldn't know how, or care, to defend.

Now I promise, my next post will be on a more positive note about the release!

8 comments:

  1. Does this now mean that Fedora is less secure than Windows even? At least with 7 if you don't have an admin password, you cannot install anything. But this seems to fly in the face of this and allow you to install anything as long as the repository is authenticated and the package signed. Is that correct? Either way, keep doing what you're doing. Perhaps it's just a minor storm.

  2. No, it is only about the programs which are signed and included in an official repository. An ordinary user still can't install whatever untrusted crap, but he can trigger secondary vulnerability vectors.

    There is a huge debate in the community about this policy change, so I guess something will happen; my hope is for a workstation type of config, with better (for me) defaults.

  3. Maaan... I missed this opportunity twice!

  4. @rpetre: more than such a bad policy, I am disturbed by the developer's attitude, who thinks this is the best choice for desktop users

  5. thinking about:
    su -c "yum -y erase PackageKit"
    one more time, and this time it looks more serious than ever.
    And YES, that man has a disturbing attitude. Sad

  6. @ Neville - YN1V
    http://docs.fedoraproject.org/release-notes/f12/en-US/html/sect-Release_Notes-Security.html

    A change of policy will do the trick.

  7. A couple notes:

    (1) Many people have been confusing "all" or "unprivileged" with the smaller group of "local console users". That means people who already have physical access to the machine, its hardware, rebooting it, and so on. That does not excuse the lack of communication from the developers, but it's important to get the facts right.

    (2) There's already been an update, which you can find here:

    https://www.redhat.com/archives/fedora-announce-list/2009-November/msg00012.html

    That announcement links to a much longer post by the developers who are changing the behavior. It provides detailed background which everyone should read and understand.

    I agree that this was unnecessary and unwanted bad press, and it was a shame given how great the Fedora 12 release is overall. However, at least in Fedora I feel we can be open and honest and transparent about the times that things go wrong, learn from them, and move on. Thanks for your comments Nicu.

  8. @stickster: Yeah, in a later post I commended the update. Also wrote an article in Romanian, based on your announcement and Owen's for our local community.

    However, yesterday evening I met with a group of people from a local LUG, mostly Debian users, and had to take a good amount of humiliation....
