Ubuntu Desktop Security Defaults
G'day folks :)

There is a difference between what I foresee as sensible security defaults for our desktop build and what is currently being delivered. It may very well be that there are aspects of the current setup that I am not fully aware of, and I'd like to better understand the reasoning behind the current situation if so. Otherwise, perhaps I could please suggest some possible enhancements:

* Enabling UFW by default or some other firewall by default
* Having AppArmor actually protecting the desktop build rather than what currently seems a false illusion of coverage with just CUPS being protected

In my view the users want to feel secure in knowing that should a zero-day exploit be identified, AppArmor or SELinux or foo or whatever will trap the damage the exploited service can take beyond the standard "user is not root" UNIX setup.

Thanks and regards,
Nullack

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: Packaging Training
Andrew wrote:
> One idea for a session I'd like to see, maybe along with some new documentation added to the wiki, would be something on the new dh auto stuff added with debhelper 7.

Sounds like a good idea. I noted this down.

Have a great day,
Daniel
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
(``-_-´´) -- BUGabundo wrote:
> Hello Matthew and everyone.
>
> On Thursday 12 March 2009 09:54:05 Matthew Paul Thomas wrote:
>> The Design team has just discussed this and we agree it's confusing. The two-monitors icon sucked, but our first try at a replacement wasn't so hot. :-) We will have another go, considering the cross and slash possibilities proposed here, and we'll seek a UI freeze exception for 9.04 for a replacement icon.
>
> On tonight's Linux Class, I went and asked my students (most of them are using GNU/Linux for the 1st time, and systems have Ubuntu 8.10) what they thought about the update-notifier (and it was showing Critical updates) and the NM icon. Sure UM was confusing at 1st, but after explaining some used it later to get a PPA update. The NM icon didn't make any of them (at least the ones who replied) confused, and only a girl had trouble finding the VPN setting. One user had trouble understanding why the icon changed from wired to aerial icon once he connected to wifi, but 3 secs later just forgot about it, cause it worked. When I mentioned that the new icon would just be the aerial one, most asked why?. Talking to Linux long(er) time users and mentioning the UM change (no easy icon, popunder window) they all get scared. I'll let you know more after next classes and our monthly LoCoTeam meeting.

That's an interesting feedback, thanks. However, I would not treat Linux Class students as representative for the population of all potential Ubuntu users :) Of course they would not have any problem with the old icon, neither would you or I. I'm pretty sure they'll get used to the new icon very quickly, too.

The request to change the icon came originally from various OEMs we cooperate with, backed up by their studies (not available for public, unfortunately). We'll now be very closely looking at all feedback we're getting for the new icon. I encourage everyone to keep their eyes open, too :)

Many thanks,
Mat
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
Matthew Paul Thomas wrote:
> Mat Tomaszewski wrote on 07/03/09 13:17:
>> Nicolò Chieffo wrote:
>>> I totally agree that it's confusing
>>
>> Is it confusing just because it's different to what you've been used to? I know it's not a justification, but OSX have been using exactly the same metaphor for many years now and it seems to be working out very well.
>
> As a couple of small corrections to this, it's not a metaphor,

Agreed :)

> and it's not what OS X does.

OS X shows 0 signal icon for both no signal and disconnected. Not sure what I've missed?

M.
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
Hello Mat and everyone.

On Monday 16 March 2009 10:58:55 Mat Tomaszewski wrote:
> That's an interesting feedback, thanks. However, I would not treat Linux Class students as representative for the population of all potential Ubuntu users :)

Most of them are brand new users, using a GNU/Linux distro for the 1st time. It seems exactly the target ppl.

> The request to change the icon came originally from various OEMs we cooperate with

So OEMs now count more than Community? Thanks, that was exactly what *we* wanted to hear.

--
Hi, I'm BUGabundo, and I am Ubuntu (whyubuntu.com)
(``-_-´´) http://LinuxNoDEI.BUGabundo.net
Linux user #443786
GPG key 1024D/A1784EBB http://BUGabundo.net
ps. My emails tend to sound authority and aggressive. I'm sorry in advance. I'll try to be more assertive as time goes by...
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
On Mon, 2009-03-16 at 14:24 +, (``-_-´´) -- BUGabundo wrote:
> ...
> On Monday 16 March 2009 10:58:55 Mat Tomaszewski wrote:
>> ...
>> The request to change the icon came originally from various OEMs we cooperate with
>
> So OEMs now count more than Community? Thanks, that was exactly what *we* wanted to hear.

I'm sorry to have to point this out, but this is the sort of attitude that doesn't bring us any further.

Actually, we simply don't know the background here. For example, if these OEMs actually ran controlled experiments, they have hard data that, as far as I can tell, no one in the open community has. Unless we find a way to run controlled, repeatable experiments by ourselves, all we are doing here is bikeshedding, and hard data wins over bikeshedding anytime.

Additionally, I don't think that mailing-list bikeshedding is the right way to design good interactive software, anyway. Canonical's design team is definitely paying attention to us (as we can see from their active participation in this list) but they aren't making their decisions solely based on our input, which, in my opinion, is also the right thing for them to do.

Best wishes,
M. S.
Re: Ubuntu Desktop Security Defaults
On Monday 16 March 2009 2:13:34 am Null Ack wrote:
> G'day folks :)
>
> There is a difference between what I foresee as sensible security defaults for our desktop build and what is currently being delivered. It may very well be that there are aspects of the current setup that I am not fully aware of, and I'd like to better understand the reasoning behind the current situation if so. Otherwise, perhaps I could please suggest some possible enhancements:
>
> * Enabling UFW by default or some other firewall by default
> * Having AppArmor actually protecting the desktop build rather than what currently seems a false illusion of coverage with just CUPS being protected

NoScript addon installed by default would probably fall into the "security that's too disruptive" category, I'm guessing?

Oh, and um...ufw enabled *for IPv6* as well.

--
Mackenzie Morgan
http://ubuntulinuxtipstricks.blogspot.com
apt-get moo
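A defender-side check for the three defaults raised in this thread (ufw active, ufw covering IPv6, AppArmor confining more than CUPS), added here as an example; it is not code from any poster or from Ubuntu. It parses captured text from `ufw status`, `/etc/default/ufw` and `aa-status`; the sample inputs are constructed, the `Status: active/inactive` wording is assumed to match the installed ufw release, and the "only CUPS" test is a heuristic of this example.

```python
import re

# Constructed samples shaped like the tools' text output on a default desktop.
UFW_STATUS = "Status: inactive\n"
UFW_DEFAULTS = '# /etc/default/ufw\nIPV6=no\nDEFAULT_INPUT_POLICY="DROP"\n'
AA_STATUS = """\
apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cupsd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (1187)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/sbin/tcpdump (2290)
"""

# Section headers look like "<count> profiles|processes are|have <title>."
HEADER = re.compile(r"^\d+ (profiles|processes) (?:are|have) (.+?)\.$")


def parse_aa_status(text):
    """Map each aa-status section title to the indented entries under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"  # "processes in enforce mode"
            sections[current] = []
        elif current and line.startswith(" ") and line.strip():
            sections[current].append(line.strip())
    return sections


def ufw_active(status_text):
    m = re.search(r"^Status:\s*(\w+)", status_text, re.M)
    return bool(m) and m.group(1) == "active"


def ufw_ipv6_enabled(defaults_text):
    """True when /etc/default/ufw sets IPV6=yes (ufw then filters IPv6 too)."""
    for line in defaults_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("IPV6="):
            return line.split("=", 1)[1].strip("\"' ").lower() == "yes"
    return False


def audit(ufw_status, ufw_defaults, aa_status):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    if not ufw_active(ufw_status):
        findings.append("ufw is inactive")
    if not ufw_ipv6_enabled(ufw_defaults):
        findings.append("ufw is not configured for IPv6 (IPV6=yes missing)")
    aa = parse_aa_status(aa_status)
    # Drop the "(pid)" suffix to get the binaries that are confined right now.
    confined = sorted({re.sub(r"\s*\(\d+\).*$", "", p)
                       for p in aa.get("processes in enforce mode", [])})
    # Heuristic of this example: coverage limited to CUPS counts as a finding.
    if not confined or all("cups" in c for c in confined):
        findings.append(f"AppArmor confines only: {', '.join(confined) or 'nothing'}")
    for p in aa.get("processes unconfined but have a profile defined", []):
        findings.append(f"has a profile but runs unconfined: {p}")
    return findings


if __name__ == "__main__":
    for finding in audit(UFW_STATUS, UFW_DEFAULTS, AA_STATUS):
        print("FINDING:", finding)
```

On a live system, feed `audit()` the captured output of `ufw status` and `aa-status` (both need root) and the contents of `/etc/default/ufw`.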
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
I agree that using the zero signal icon for no connection is really confusing.

Is there some easy way to revert this on my system?

--
Siegfried-Angel Gevatter Pujals (RainCT)
Ubuntu Developer. Debian Contributor.
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
Hello Matthew,

> As a couple of small corrections to this, it's not a metaphor, and it's not what OS X does.
>
> The Design team has just discussed this and we agree it's confusing. The two-monitors icon sucked, but our first try at a replacement wasn't so hot. :-) We will have another go, considering the cross and slash possibilities proposed here, and we'll seek a UI freeze exception for 9.04 for a replacement icon.
>
> Thanks for raising the issue.

Part of the problem is that you're trying to merge two concepts into one. On the one hand you have Network Connection and on the other you have Online Status.

The first is what we use to connect to eth0 (a label that needs replacing) or connect to a wifi network; it's what you get with a physical connection. So an ethernet connection should show a filled plug icon (just like mac osx) and a wifi connection shows the signal strength. The disconnected icon can show the unplugged icon or the no wifi connection icon (on mac I thought it has a black line through it).

The second concept is Online Status, a completely underserved status. Are we online? Would the lay person grok that they are online from this icon or would it show that they are in fact sitting behind a paywall?

I don't think it's as useful to equate network connectivity to online status. I think we may need two separate icons, or one of these newfangled status widgets and more robust NM APIs for giving that status to apps.

Regards,
Martin Owens

PS, My ideal table of Statuses:

0: Offline
1: Network Connection
2: Router Visible
3: DNS Visible
4: HTTP redirects to router address
5: Search Domains Visible (i.e. google.com) (assume you're fully online)
Re: aufs based upgrade tests
On Sat, Mar 14, 2009 at 02:13:24PM +, (``-_-´´) -- BUGabundo wrote:
> Hello Michael and everyone.
>
> On Friday 13 March 2009 18:19:28 Michael Vogt wrote:
>> during the last UDS we talked informally about using the aufs overlay filesystem layer for release upgrade testing. I built a prototype implementation of this now that should be ok for public testing.
>>
>> The idea discussed with Evan Dandrea (and others) was to create a writable overlay into /tmp on top of the systemdirs in / and then run the release upgrade. This way we can test easily if the system would upgrade cleanly (if no dpkg errors/maintainer script failures happen). All writes go into /tmp so after the upgrade and on the next reboot the system is back to its pre-upgraded state again (modulo /home, that is not overlayed). It also means the next boot takes a *long* time to clean /tmp - when I did test it on one of my production machines that wait made me *really* nervous :) But it's ok, it just takes long (up to ~20 minutes or so).
>>
>> Feedback is welcome
>
> This idea seems like a really nice idea, and one that in some other form is requested by users/testers. I would like to add two points:
> * if all tests go OK, and we end up with this on koala (too late for FFe on jaunty, right?), a checkbox when using update-manager -d / cli question on do-release-upgrade to use Sandbox would be much nicer than running all that code.
> * to save the system state prior to upgrade, so that a user can restore the system if even after successful package upgrade, some application/kernel/driver upgrade doesn't go as good.

Thanks for this feedback. The longer term goal is to provide the two improvements you suggested :)

The current version is a first step to build up experience with the system. This is why it's limited to testing currently, but in the longer run we hope to make it more capable.

Cheers,
Michael
Re: aufs based upgrade tests
On Sun, Mar 15, 2009 at 02:27:16AM -0400, John Vivirito wrote:
> On 03/14/2009 10:13 AM, (``-_-´´) -- BUGabundo wrote:
>> Hello Michael and everyone.
> [..]
>> This idea seems like a really nice idea, and one that in some other form is requested by users/testers. I would like to add two points:
>> * if all tests go OK, and we end up with this on koala (too late for FFe on jaunty, right?), a checkbox when using update-manager -d / cli question on do-release-upgrade to use Sandbox would be much nicer than running all that code.
>> * to save the system state prior to upgrade, so that a user can restore the system if even after successful package upgrade, some application/kernel/driver upgrade doesn't go as good.
>
> I am a bit on the short end of this topic due to trouble with having this set to digest mode. What exactly is this going to do? It sounds very interesting. Is this similar to system restore in Windows? The following quote makes it sound like after reboot it is going to restore itself to before the latest upgrade:
>> All writes go into /tmp so after the upgrade and on the next reboot the system is back to its pre-upgraded state again

Right now it's a tool to help test if your version of ubuntu can upgrade to the next version of ubuntu without errors. It does a full regular upgrade from 8.10 to 9.04 but instead of writing it to the system disk it writes all changes to a directory in /tmp

> Does the above always write to /tmp? If so does it clear upon restart automatically?

Yes, after the upgrade the system will be jaunty until the next reboot, then the writable overlay is removed and the system is exactly in the same state as before the upgrade.

> Is there somewhere where I can get more information on it, a wiki or, blueprint or something?

Unfortunately not right now. I created a stub wiki page: https://wiki.ubuntu.com/AufsBasedUpgrades and we will probably talk about it at the next UDS and create a more formal plan.

The current version is built to get experience with the system and find bugs and limitations with the aufs based approach, this is why it's relatively complicated to enable it.

Cheers,
Michael
Re: aufs based upgrade tests
On Sun, Mar 15, 2009 at 11:51:52AM +0100, Vincenzo Ciancia wrote:
> When doing something like this one should be careful because here you have a copy of all files that are modified during the upgrade. Applications keeping these files open will write to the old copies, and applications which reopen the file after the upgrade will not see this data. This may be dangerous and lead to unexpected behaviour.

Thanks for the feedback. This is a problem we are aware of. The best ways to fix it will probably be discussed at UDS. One approach (that is available in the code as well) is to just create the overlay for the dpkg child, this means that the regular desktop stuff (including firefox) keeps working during the upgrade. But in my tests it has been less of a practical problem than I anticipated, i.e. I have not had any issues because of that in my tests (but of course this is all young and has not been tested that much yet).

> Apart from that, as I ranted in the past, let me say that this is a very important change and I am really happy that ubuntu developers are making it happen.

Thanks, if it works out in the way we hope it will mean more robustness to upgrades and that is certainly a good thing.

Cheers,
Michael
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
Martin Pitt wrote:
> Mat Tomaszewski [2009-03-16 10:02 +]:
>> OS X shows 0 signal icon for both no signal and disconnected. Not sure what I've missed?
>
> Even if that is really so, I really don't think that we ought to copy such confusions from OS X,

Absolutely, hence the change we just made (also thanks to the feedback from this group) :)

M.
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
(``-_-´´) -- BUGabundo wrote:
> Hello Mat and everyone.
>
> On Monday 16 March 2009 10:58:55 Mat Tomaszewski wrote:
>> That's an interesting feedback, thanks. However, I would not treat Linux Class students as representative for the population of all potential Ubuntu users :)
>
> Most of them are brand new users, using a GNU/Linux distro for the 1st time. It seems exactly the target ppl.

If you're right, we'll soon find out :)

>> The request to change the icon came originally from various OEMs we cooperate with
>
> So OEMs now count more than Community?

No, but they provide a user research that we would not be able to conduct otherwise.

> Thanks, that was exactly what *we* wanted to hear.

I hope by saying *we* you mean *you*, or maybe other community members have already chosen their representative to speak for them? :)

M.
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
On Mon, 16 Mar 2009 14:45:59 + Mat Tomaszewski mat.tomaszew...@canonical.com wrote:
> I hope by saying *we* you mean *you*, or maybe other community members have already chosen their representative to speak for them? :)

Even with the smiley I think this kind of response discourages constructive dialogue and is not in keeping with the atmosphere we try to keep in Ubuntu (yes, I know this is not something I always excel in either).

Scott K
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
Scott Kitterman wrote:
> On Mon, 16 Mar 2009 14:45:59 + Mat Tomaszewski mat.tomaszew...@canonical.com wrote:
>> I hope by saying *we* you mean *you*, or maybe other community members have already chosen their representative to speak for them? :)
>
> Even with the smiley I think this kind of response discourages constructive dialogue

It's difficult for me (and I think for anyone) to consider statements like that a constructive dialogue.

> and is not in keeping with the atmosphere we try to keep in Ubuntu (yes, I know this is not something I always excel in either).

:)
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
On Mon, 16 Mar 2009 14:45:59 + Mat Tomaszewski mat.tomaszew...@canonical.com wrote:
> (``-_-´´) -- BUGabundo wrote:
>> Hello Mat and everyone.
>>
>> On Monday 16 March 2009 10:58:55 Mat Tomaszewski wrote:
>>> That's an interesting feedback, thanks. However, I would not treat Linux Class students as representative for the population of all potential Ubuntu users :)
>>
>> Most of them are brand new users, using a GNU/Linux distro for the 1st time. It seems exactly the target ppl.
>
> If you're right, we'll soon find out :)
>
>>> The request to change the icon came originally from various OEMs we cooperate with
>>
>> So OEMs now count more than Community?
>
> No, but they provide a user research that we would not be able to conduct otherwise.
>
>> Thanks, that was exactly what *we* wanted to hear.
>
> I hope by saying *we* you mean *you*, or maybe other community members have already chosen their representative to speak for them? :)
>
> M.

Well, I guess I should say I agree most of the time with BUGabundo. Since he does state things, I see no point in jumping in with "me too". Which, come to think of it, does make him my spokesman unless I speak up, does it not?

Thanks.

--
Charlie Kravetz
Linux Registered User Number 425914 [http://counter.li.org/]
Never let anyone steal your DREAM. [http://keepingdreams.com]
Re: unsure how to submit package for tth, pkg doc comments
Hello,

I have updated the tth package for inclusion in jaunty, and attempted to remedy the various problems with it that were found by REVU. However, I am a bit at a loss about what to do regarding the two remaining lintian warnings:

http://revu.ubuntuwire.com/revu1-incoming/tth-0903162054/lintian

I: tth source: debian-watch-file-is-missing
W: tth source: out-of-date-standards-version 3.7.2 (current is 3.8.0)

I am looking into setting up a watch file, but I'm not sure what to do about the standards version. I am developing on hardy and that is what dh_make gave me. What should I do to update it?

--
Obama Nation | It's not like I'm encrypting... it's more like I've developed a massive entropy deficiency | http://www.subsubpacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get blacklisted.
Re: Replacing network-offline (old version 2xmonitor) with NM wlan 0% signal strength icon
Mat Tomaszewski wrote on 16/03/09 10:02:
> Matthew Paul Thomas wrote:
>> ...
>> and it's not what OS X does.
>
> OS X shows 0 signal icon for both no signal and disconnected. Not sure what I've missed?
> ...

Yes, but Bugabundo's original complaint was about when wireless is off completely: "The new icon is very deceiving, making me think I have my WiFi On, but with no signal."

Mac OS X icon for wireless off: http://sfghdean.ucsf.edu/wireless/images/ucsf-clinical-mac/wifism01.jpg

Mac OS X icon for wireless on but disconnected: http://www.its.ipfw.edu/wireless/images/mac/mac-open-internet-connection.gif

For Ubuntu it's a bit trickier, because we want to distinguish between (1) no connection with wireless off, (2) no connection with wireless on, (3) connected with wireless (at various signal strengths), and (4) connected with wired.

Cheers
--
Matthew Paul Thomas
http://mpt.net.nz/