[Mageia-discuss] A possible risk ?

Anne Wilson cannewilson at googlemail.com
Wed Feb 8 14:51:27 CET 2012


On Wednesday 08 February 2012 12:50:46 Anne Wilson wrote:
> On 08.02.2012 13:35, Michael Scherer wrote:
> > On Wednesday 08 February 2012 at 08:47 -0300, Renaud (Ron) Olgiati wrote:
> >> On Wednesday 08 Feb 2012 08:37 my mailbox was graced by a message from Claire Robinson who wrote:
> >>>> I ended up installing Mageia 1 on his box, but I wonder why does the
> >>>> distribution allow the user to potentially hose his system, when it
> >>>> requires the root password to install a prog ?
> >>>> Would it not make more sense to ask for the root password for the
> >>>> updates?
> >>> 
> >>> It is configurable in MCC. You can find it under Security => Configure
> >>> authentication for Mageia Tools.
> >>> Just select root for Update.
> >> 
> >> Brilliant, thanks.
> >> 
> >> But would it not make more sense to have the default changed to root ?
> > 
> > That totally misses the point, which is that an upgrade hosed the system.
> > Would requiring the root password have changed that ? I doubt it.
> > 
> > However, if the user cannot do an upgrade without asking someone else
> > ( because that's the whole point of having 2 different passwords, else,
> > that's just a nuisance that will confuse most people ), then he will
> > likely miss security and bugfix updates, and that's problematic.
> > 
> > And I truly doubt that having a separate person ( ie, asking someone
> > else who has the root password ) would have avoided any issues due to
> > upgrade. I am pretty sure that both of us would have also updated the
> > computer.
> > 
> > The risk is the lack of QA, and I have been repeating this for a long
> > time. If people cannot trust updates, they will use them, and they face
> > issues and security problems, and that will tarnish our reputation,
> > among others.
> 
> Well, you also miss the point if the cause for this breakage (maybe some
> packages that are currently missing/only available in an older version
> compared to Mandriva) is not reported, we can't really fix it, no?
> 
> So just telling: "An upgrade from Mandriva broke my machine" will do no
> good at all, IMHO.

Having just lost a week when an update broke my CentOS box, I should point out 
that I have no idea what caused the breakage - and when the system is unusable 
there are no logs either.  I understand your concern, but it may not be 
possible for the user to give you that information.

I agree with Michael Scherer that the security setting is not the issue.  Not 
only would an admin guy, if one exists, have done the update, but also the 
user cannot keep his machine secure without help.  I have some very non-techy 
users in my family and expect them to accept updates whenever they are offered.  
They are told to contact me if they see any messages they don't understand, 
but otherwise, carry on, and it works well.

Anne

