Re: Vino should not be included in the default install
On 11-06-03 09:36 AM, Mario Limonciello wrote: On Fri, Jun 3, 2011 at 10:16, Bilal Akhtar wrote: Hi I originally posted this message as [Bug 790009] on Launchpad. It was suggested that this list is a better place for the suggestion. -- Having "remote desktop" as an option in the default installation creates a security risk. It invites new users to enable it, not understanding the security implications. They then end up with unwanted connections to their machine. A quick look around the "security discussions" forum on ubuntuforums shows that this happens quite frequently. I propose that it should be removed from the LiveCD. If a remote connection program is needed, then something that*requires* SSH tunnelling could be provided. -- Jane Atkinson (Irihapeti) -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel Removing sounds like a fairly heavy footed approach. If the UI to enable it isn't informative enough to explain the security implications, perhaps that UI should just be improved instead. The UI allows the user to setup remote access without a password, either a password should be generated automatically, or it shouldn't be enabled without having to enter a password manually, and I really feel that uPNP shouldn't be an option during setup. -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Vino should not be included in the default install
On Fri, Jun 03, 2011 at 11:36:03AM -0500, Mario Limonciello wrote: > On Fri, Jun 3, 2011 at 10:16, Bilal Akhtar wrote: > > I originally posted this message as [Bug 790009] on Launchpad. > > It was suggested that this list is a better place for the suggestion. > > -- > > > > Having "remote desktop" as an option in the default installation > > creates a security risk. > > > > It invites new users to enable it, not understanding the security > > implications. They then end up with unwanted connections to their > > machine. A quick look around the "security discussions" forum on > > ubuntuforums shows that this happens quite frequently. > > > > I propose that it should be removed from the LiveCD. If a remote connection > > program is needed, then something that*requires* SSH tunnelling could be > > provided. > > > > -- > > Jane Atkinson > > (Irihapeti) > > > > -- > > ubuntu-devel mailing list > > ubuntu-devel@lists.ubuntu.com > > Modify settings or unsubscribe at: > > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel > > > > > Removing sounds like a fairly heavy footed approach. If the UI to enable it > isn't informative enough to explain the security implications, perhaps that > UI should just be improved instead. The UI defaults to pretty reasonable settings. Unless those have changed since I've last looked, I don't think it's a concern. -Kees -- Kees Cook Ubuntu Security Team -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Vino should not be included in the default install
On Fri, Jun 3, 2011 at 10:16, Bilal Akhtar wrote: > Hi > > I originally posted this message as [Bug 790009] on Launchpad. > It was suggested that this list is a better place for the suggestion. > -- > > Having "remote desktop" as an option in the default installation > creates a security risk. > > It invites new users to enable it, not understanding the security > implications. They then end up with unwanted connections to their > machine. A quick look around the "security discussions" forum on > ubuntuforums shows that this happens quite frequently. > > I propose that it should be removed from the LiveCD. If a remote connection > program is needed, then something that*requires* SSH tunnelling could be > provided. > > -- > Jane Atkinson > (Irihapeti) > > -- > ubuntu-devel mailing list > ubuntu-devel@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel > > Removing sounds like a fairly heavy footed approach. If the UI to enable it isn't informative enough to explain the security implications, perhaps that UI should just be improved instead. -- Mario Limonciello supe...@gmail.com -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Fwd: Vino should not be included in the default install
Forwarding to the Ubuntu Desktop mailing list, which is more relevant for such a discussion. Original Message Subject:Vino should not be included in the default install Date: Fri, 03 Jun 2011 12:36:26 +1200 From: Jane Atkinson To: ubuntu-devel@lists.ubuntu.com Hi I originally posted this message as [Bug 790009] on Launchpad. It was suggested that this list is a better place for the suggestion. -- Having "remote desktop" as an option in the default installation creates a security risk. It invites new users to enable it, not understanding the security implications. They then end up with unwanted connections to their machine. A quick look around the "security discussions" forum on ubuntuforums shows that this happens quite frequently. I propose that it should be removed from the LiveCD. If a remote connection program is needed, then something that*requires* SSH tunnelling could be provided. -- Jane Atkinson (Irihapeti) -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Vino should not be included in the default install
Hi I originally posted this message as [Bug 790009] on Launchpad. It was suggested that this list is a better place for the suggestion. -- Having "remote desktop" as an option in the default installation creates a security risk. It invites new users to enable it, not understanding the security implications. They then end up with unwanted connections to their machine. A quick look around the "security discussions" forum on ubuntuforums shows that this happens quite frequently. I propose that it should be removed from the LiveCD. If a remote connection program is needed, then something that*requires* SSH tunnelling could be provided. -- Jane Atkinson (Irihapeti) -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel