So far I've been quietly amused by this thread. :) But now I'd like to make several points that people have sort of been dancing around in this discussion, but haven't really hit upon, that I've seen so far.

1. There was, in fact, a discussion about root access had on this list not all that long ago (I think it was about a year ago). However, being one of the primary players in (and IIRC the instigator of) that thread, I would like to point out that the "no root access" argument supported by both Paul and me was NOT that no user should ever have root access to their desktop. It was instead about the fact that under most circumstances, in an environment where security was considered important by management, no user should NEED to have root access to their desktop (being the machine from which they access corporate IT resources like e-mail and such -- root access to "lab" machines might still be required for various reasons).

While I agree with both sides on many points in the *present* discussion, I stand by that point of view. It does not preclude the idea that a skilled employee could run whatever software makes them most productive in a) environments where security is not as important, or b) on machines that have less or no access to company IT resources. Depending on exactly what level of security is required, I'll even add c) in an environment where having root access to a lone Unix workstation doesn't amount to anything, such as an environment whose IT resources are all based on Windows services. In such an environment, many of the problems associated with a user having root access to their desktop disappear (i.e. there is no NIS domain to snarf, no NFS volumes to run ragged over, etc.).

If I were in a situation where I were managing an environment that had a need to control root access to users' workstations, but I had users who needed to have root access to Unix workstations to do their job, I wouldn't have any problem with that provided they were in a segregated lab, or were somehow otherwise blocked off from accessing the company's IT resources.

2. In general, I agree that the IT staff usually has sufficient skill to determine what software makes them most productive. But, as anyone who has worked in IT has seen, there are always users who *think* they are skilled enough to make that same determination, but aren't. In both cases, what they should be allowed to run depends on the situation, and on the company's policy. If the company has a corporate policy that "no one shall run anything but Windows on any system connected to the corporate network," and the IT department has been tasked with strict enforcement of that policy, then the IT people should adhere to it also. However, I will admit freely that I will never work in such a place by choice (desperation for a paycheck does not count as choice).

A more sensible and user-friendly approach is to have a policy which states that corporate machines will be pre-installed with supported software, and any other software installed is not supported. If you have a problem with any software you've installed, you're on your own. If you have problems that you can't overcome yourself, your system will be replaced with one that conforms to the corporate standard. If, because of your own incompetence to use and/or manage the software you've installed, you damage corporate systems, or cause problems with the corporate network, you will be subject to disciplinary action up to and including termination.

And, in the event that the company has software which is not permitted to be used (such as AOL or MS-Outlook), those titles should be expressly listed in the policy, and disciplinary actions should be taken against users who break the policy. I believe there are occasions when there should be a list of banned software, but I also believe a title shouldn't go on such a list without a very good reason (like oh, say, its primary use is to easily propagate Internet worms)...

Obviously, any number of other variations are possible here.
The corporation should choose a policy that makes sense to its environment, but should try to accommodate users as much as is reasonable. Contrary to popular belief, I am not in favor of policies which blindly restrict users and/or make their jobs difficult. Whenever such a policy is instituted, there ought to be a very compelling reason for doing so.

3. If you are going to have any kind of strictly enforced policy, the people who enforce the policy MUST be subject to the same policies and disciplinary actions imposed on others. The IT department will lose credibility and respect if the situation is otherwise. It is also unwise to have policies which are evaluated on a case-by-case basis, where the sole criterion is a subjective, if not somewhat arbitrary judgement of the individual user's computer skill. This is the sort of thing that breeds discrimination lawsuits, and other political quagmires...

--
Derek Martin [EMAIL PROTECTED]
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org