1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-discuss] A possible risk ?
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20A%20possible%20risk%20%3F&In-Reply-To=%3C201202081335.03633.cannewilson%40googlemail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="006428.html">
<LINK REL="Next" HREF="006430.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-discuss] A possible risk ?</H1>
<B>Anne Wilson</B>
<A HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20A%20possible%20risk%20%3F&In-Reply-To=%3C201202081335.03633.cannewilson%40googlemail.com%3E"
TITLE="[Mageia-discuss] A possible risk ?">cannewilson at googlemail.com
</A><BR>
<I>Wed Feb 8 14:51:27 CET 2012</I>
<P><UL>
<LI>Previous message: <A HREF="006428.html">[Mageia-discuss] A possible risk ?
</A></li>
<LI>Next message: <A HREF="006430.html">[Mageia-discuss] A possible risk ?
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#7766">[ date ]</a>
<a href="thread.html#7766">[ thread ]</a>
<a href="subject.html#7766">[ subject ]</a>
<a href="author.html#7766">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Wednesday 08 February 2012 12:50:46 Anne Wilson wrote:
><i> Am 08.02.2012 13:35, schrieb Michael Scherer:
</I>><i> > Le mercredi 08 février 2012 à 08:47 -0300, Renaud (Ron) Olgiati a
</I>><i> >
</I>><i> > écrit :
</I>><i> >> On Wednesday 08 Feb 2012 08:37 my mailbox was graced by a message from
</I>><i> >> Claire
</I>><i> >>
</I>><i> >> Robinson who wrote:
</I>><i> >>>> I ended up installing Mageia 1 on his box, but I wonder why does the
</I>><i> >>>> distribution allow the user to potentially hose his system, when it
</I>><i> >>>> requires the root password to install a prog ?
</I>><i> >>>> Would it not make more sense to ask for the root password for the
</I>><i> >>>> updates?
</I>><i> >>>
</I>><i> >>> It is configurable in MCC. You can find it under Security => Configure
</I>><i> >>> authentication for Mageia Tools.
</I>><i> >>> Just select root for Update.
</I>><i> >>
</I>><i> >> Brilliant, thanks.
</I>><i> >>
</I>><i> >> But would it not make more sense to have the default changed to root ?
</I>><i> >
</I>><i> > That totally miss the point, which is that a upgrade hosed the system.
</I>><i> > Would requiring the root password have changed that ? I doubt.
</I>><i> >
</I>><i> > However, if the user cannot do upgrade without asking to someone else
</I>><i> > ( because that's the whole point of having 2 different passwords, else,
</I>><i> > that's just a nuisance that will confuse most people ), then he will
</I>><i> > likely miss security and bugfixes updates, and that's problematic.
</I>><i> >
</I>><i> > And I truly doubt that having a separate person ( ie, asking to someone
</I>><i> > else who has the root password ) would have avoid any issues due to
</I>><i> > upgrade. I am pretty sure that both of us would have also updated the
</I>><i> > computer.
</I>><i> >
</I>><i> > The risk is the lack of QA, and I have been repeating this since a long
</I>><i> > time. If people cannot trust updates, they will use them, and they face
</I>><i> > issues and security problems, and that will tarnish our reputation,
</I>><i> > among others.
</I>><i>
</I>><i> Well, you also miss the point if the cause for this breakage (maybe some
</I>><i> packages that are currently missing/only available in an older version
</I>><i> compared to Mandriva) is not reported, we can't really fix it, no?
</I>><i>
</I>><i> So just telling: "An upgrade from Mandriva broke my machine" will do no
</I>><i> good at all,
</I>><i> IMHO.
</I>
Having just lost a week when an update broke my CentOS box, I should point out
that I have no idea what caused the breakage - and when the system is unusable
there are no logs either. I understand your concern, but it may not be
possible for the user to give you that information.
I agree with Michael Scherer that the security setting is not the issue. Not
only would an admin guy, if one exists, have done the update, but also the
user cannot keep his machine secure without help. I have some very non-techy
users in my family and expect them to accept updates whenever they are offered.
They are told to contact me if they see any messages they don't understand,
but otherwise, carry on, and it works well.
Anne
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="006428.html">[Mageia-discuss] A possible risk ?
</A></li>
<LI>Next message: <A HREF="006430.html">[Mageia-discuss] A possible risk ?
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#7766">[ date ]</a>
<a href="thread.html#7766">[ thread ]</a>
<a href="subject.html#7766">[ subject ]</a>
<a href="author.html#7766">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-discuss">More information about the Mageia-discuss
mailing list</a><br>
</body></html>
|
