[Mageia-discuss] A possible risk ?

Wed Feb 8 13:35:01 CET 2012

Le mercredi 08 février 2012 à 08:47 -0300, Renaud (Ron) Olgiati a
+écrit :
+> On Wednesday 08 Feb 2012 08:37 my mailbox was graced by a message from Claire 
+> Robinson who wrote:
+> > > I ended up installing Mageia 1 on his box, but I wonder why does the
+> > > distribution allow the user to potentially hose his system, when it
+> > > requires the root password to install a prog ?
+> > > Would it not make more sense to ask for the root password for the updates?
+> 
+> > It is configurable in MCC. You can find it under Security => Configure 
+> > authentication for Mageia Tools.
+> > Just select root for Update.
+> 
+> Brilliant, thanks.
+> 
+> But would it not make more sense to have the default changed to root ?
+
+That totally miss the point, which is that a upgrade hosed the system.
+Would requiring the root password have changed that ? I doubt. 
+
+However, if the user cannot do upgrade without asking to someone else
+( because that's the whole point of having 2 different passwords, else,
+that's just a nuisance that will confuse most people ), then he will
+likely miss security and bugfixes updates, and that's problematic. 
+
+And I truly doubt that having a separate person ( ie, asking to someone
+else who has the root password ) would have avoid any issues due to
+upgrade. I am pretty sure that both of us would have also updated the
+computer. 
+
+The risk is the lack of QA, and I have been repeating this since a long
+time. If people cannot trust updates, they will use them, and they face
+issues and security problems, and that will tarnish our reputation,
+among others.
+-- 
+Michael Scherer
+
+
+