Posted Nov 27, 2012 0:28 UTC (Tue) by davidescott (guest, #58580)
In reply to: GNU Guix launches by pboddie
Parent article: GNU Guix launches
> I'm not really arguing against systems administration policies, but it really baffles me that instead of entertaining and encouraging workable compromises and perhaps loosening the leash on captive users, organisations and developers would rather keep the leash as tight as possible even though history shows that the leash will break as a result.
I think the relevant question is what is worse, having the leash break or just letting the dogs run free?
I don't think anyone (certainly not myself) is suggesting that policy is perfect, just that having policy is better than not having it. If you have no policy in place and anyone can install anything on any system then you have no guarantees that people are doing things correctly. And if your policy is that the end user gets to make the technical decisions based on their own assessment of their knowledge and capabilities in order to keep the business agile then you get some idiot who read "PHP for Dummies" making a website and keeping passwords in plaintext.
Dealing with the constraints on our group enforced upon us from systems was my #1 reason for leaving my last job, but I don't think the firm was crazy to have those restrictions in place. It made the firm less agile, but I also believe it prevented more problems than it caused. I had tacit permission from my boss to go off-policy in a number of areas, and the mere fact that I was going off policy made me consider every decision very carefully, and document what exactly I was doing in a way I wouldn't have if there were no rules.
One can do a lot of damage with software if they don't know what they are doing. I thought I was extremely careful and had a good idea of what the correct choices were; despite this, I made some bad design and technology choices that somebody is going to have to back out within the next few years. So I'm all for trying new ways of organizing systems groups, and I don't know what the answer is, but I don't think it is giving everyone the ability to install anything in the package archive.
Another analogy would be that policy and controls on what can be installed is like having a curb on the side of the road. Sure you can jump the curb and drive on the sidewalk if you know what you are doing. If you are James Bond you might even drive up the stairs and onto the roofs of the building, but we aren't all James Bond, and having those curbs discourages many from doing things that are very dangerous.
Posted Nov 27, 2012 13:53 UTC (Tue) by pboddie (subscriber, #50784)
I'm not advocating that "the dogs run free". The dogs do run free, however, when technical measures to achieve their goals have been exhausted and they adopt social or political measures to achieve them in another way.
It's funny that you mention people deploying Web sites after reading "PHP for Dummies". I once had a discussion with someone who had pointed out that a Web site I had become responsible for - not in PHP nor developed by dummies, mind you - was running on a "high port" which in turn made his systems people uneasy, and he wondered whether it might one day be made available on port 80 instead. After a fairly small amount of work, the site was deployed within the existing port 80 infrastructure and I was able to get back to the guy within a day or so. This apparently made him simultaneously overjoyed at the prompt progress in the matter and frustrated that something similar would take weeks to get done in his organisation.
Having such restrictions is understandable - I have been aware of lots of crazy things going on in large organisations including some that were perpetrated by systems administrators themselves - but it does no-one any good if those restrictions are consistently implemented at the expense of people doing their work in a responsible fashion. When someone wants to run a program like Inkscape, to take a random desktop application that isn't in its normal form going to DDOS various Web sites as part of a botnet, surely the logical "first stop" is for the user to take advantage of the existing package available for the system and not to have to "manualize" the process by making a human being whose time is presumably precious run the install command on that user's behalf. (And virtualising the whole thing as a solution instead of supporting a non-privileged installation of packaged software just confirms that the software isn't inherently dangerous, anyway, because it shouldn't be the case that the host system is more insecure and that Inkscape could do more evil in that environment than on what will inevitably be a network-connected virtual host just to reduce the level of inconvenience involved.)
Anyway, I think I've made my point, as has everybody else in this discussion, and I just think that we all have different perspectives on the matter.
GNU Guix launches
Posted Nov 27, 2012 16:33 UTC (Tue) by pspinler (subscriber, #2922)
We're also talking about two separate cases here: managing servers, and managing interactive machines (most probably desktops).
Managing servers you typically take a more conservative approach to. I'm more in the server than the desktop profession, but I can see the need to be more permissive with desktops.
With desktops I can see a use for a package manager that allows non-root installations in arbitrary paths, for instance to a network home directory that would then be available in any workstation you logged in at.
Even on (most) desktops, I can see not allowing normal office workers full root on the machines. However, there would likely need to be exceptions for certain classes of users -- basically people doing experimental stuff with their desktops. I'd perhaps set up an automated request mechanism for doling that out, so a) I'd have a record of who did it, and b) I'd have at least a chance to talk to the users and see what they're doing, and if they really actually need root, or could do with something else.
-- Pat
GNU Guix launches
Posted Nov 27, 2012 18:21 UTC (Tue) by dlang (✭ supporter ✭, #313)
> Even on (most) desktops, I can see not allowing normal office workers full root on the machines.
what's the practical difference on a desktop machine between giving the user of the machine root (or sudo style package manager access like Ubuntu does) and allowing them to install arbitrary packages as "non-root installations in arbitrary paths"?
It seems to me that the latter is much more complicated (where did this user install this package...)
GNU Guix launches
Posted Nov 28, 2012 1:12 UTC (Wed) by pspinler (subscriber, #2922)
> what's the practical difference on a desktop machine between giving the user of the machine root (or sudo style package manager access like Ubuntu does) and allowing them to install arbitrary packages as "non-root installations in arbitrary paths"?
Lots. For instance:
- No root means no messing about with contents of /etc, with selinux / apparmor policies, firewall, etc
- Limiting filesystems where the packages can be installed
- Making sure the places where it can be installed are mounted nosuid / nodev
- Between all the above, it's notably harder to actually damage a system
- User specific changes are isolated to a user filesystem, so the rest of the OS can be upgraded / replaced with (hopefully) minimal effect on user's customization
- etc, etc
Anyway, point is, there's lots and lots of administrative advantages to limiting user customizations to limited areas and to stuff that requires no privs. Heck, I do this on my own workstation where I do have full privs.
-- Pat
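The nosuid / nodev point in the list above, as an added example that is not part of the original thread: a POSIX shell check that a candidate non-root install prefix sits on a filesystem mounted with the required options. It runs against a constructed sample of /proc/self/mounts embedded in the script (the paths and devices are made up); on a live system the same functions would be fed the real file.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mounts content (not real system data):
# a root filesystem, an NFS home share, a local package area and tmpfs.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/home /home nfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /opt/userpkgs ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# Print "<mountpoint> <options>" for the mount whose mount point is the
# longest prefix of path $1, reading mounts text from $2.
mount_entry_for() {
    printf '%s\n' "$2" | awk -v path="$1" '
        {
            mp = $2
            # "/" matches everything; other mount points must match a whole
            # path component (so /home does not claim /homeless).
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = mp " " $4 }
            }
        }
        END { print best }'
}

# Return 0 if every option in the comma list $3 is set on the filesystem
# holding path $1 (mounts text in $2); otherwise report the missing
# options and return 1.
check_install_prefix() {
    entry=$(mount_entry_for "$1" "$2")
    opts=",${entry#* },"          # options, padded so ",nosuid," matches whole words
    missing=""
    for want in $(printf '%s' "$3" | tr ',' ' '); do
        case "$opts" in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$1 is on ${entry%% *} but lacks:$missing"
        return 1
    fi
    echo "$1 is on ${entry%% *} with $3"
    return 0
}

# Example run: the NFS home passes, the local package area does not.
check_install_prefix /home/pat/.local/bin "$SAMPLE_MOUNTS" nosuid,nodev
check_install_prefix /opt/userpkgs/inkscape "$SAMPLE_MOUNTS" nosuid,nodev || true
```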
GNU Guix launches
Posted Nov 27, 2012 16:47 UTC (Tue) by pspinler (subscriber, #2922)
one other thought
> I'm not advocating that "the dogs run free". The dogs do run free, however, when technical measures to achieve their goals have been exhausted and they adopt social or political measures to achieve them in another way.
I think this logic is faulty. To use an analogy "they're going to break security anyway, so why do XXXXX ...". The point isn't to be perfect, you can't ever be. The point is to put layers in place, each of which adds something toward the final goal.
This applies to procedures and people as much as to systems and security.
So, if, at a corporate level, I want people to comply with certain policies to protect what the company sees as its best interest, then yes, one layer will be technical restrictions of various sorts. Other layers will include policy manuals and websites, required annual training, easy contact points to the sysadmins and policy makers, scanning software, proxies and filtering software, and etc.
Sure, people will still work around that, but with stuff like this in place it makes these people think about it, and hopefully brings what they're doing to other people's attention. This is a good thing: it might mean that their solution gets adopted, that procedures get changed, or that an actual stupid thing gets squashed.
To use your example, "Oh, Janet installed inkscape! Hmmm ... do people need to be creating SVG's? Maybe we need to look at a wider solution for that. Oh, Fred installed a web server, and look, the logs show a bunch of external hits, uh oh, we need to squash that ..."
My personal philosophy: people doing stuff isn't necessarily good or bad, but people doing stuff in isolation is most definitely bad. Corollary: people are lazy, and if they don't have to do something (like, say, tell someone else and document it), they won't. And yes, I'm like this, too. :-)