[CentOS] Fedora change that will probably affect RHEL

Thu Jul 30 15:10:51 UTC 2015
Lamar Owen <lowen at pari.edu>

On 07/29/2015 07:40 PM, Chris Murphy wrote:
> On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote:
>
>> Security is *always* opposed to convenience.
> False. OS X by default runs only signed binaries, and if they come
> from the App Store they run in a sandbox. User gains significant
> security with this, and are completely unaware of it. There is no
> inconvenience.

While I agree with you about the long-term viability of passwords, I'll 
disagree with this statement.  There is a loss of convenience with 
signed binaries from a store: the user can no longer install directly 
from the program vendor's website but must go through the walled garden 
of the store, and developers are held hostage to having to meet the 
store's policy or get their signing key revoked and/or their app 
'de-stored' or worse.  There is significant inconvenience to users when 
their app is removed from the store for whatever reason and they cannot 
get updates (or reinstall their app, for which they may have paid a fee) 
anymore because the app is no longer in the store (and that could be for 
arbitrary reasons, including political ones).  This is, of course, the 
case to a more limited degree with CentOS and signed packages, since 
packages can be removed from repositories and installation of packages 
by default requires signed packages (but it's not as inconvenient, nor 
is it as secure, as the OS X model of only allowing signed binaries to 
run). For that comparison, repository = store.

> What is the inconvenience of encrypting your device compared to the
> security? Zero vs a ton more secure (either when turned off and data
> is at rest or a remote kill that makes it very fast to effectively
> wipe all data)
Or a hackable remote kill that allows an attacker to wipe you device out 
from under you.  Or now the inconvenience of losing access to the 
encrypted volume because you forgot the exact spelling of that ten word 
seventy-five character passphrase and you're locked out and no data 
recovery tool out there will get your files back.

Security and convenience are always at odds with each other; more secure 
= less convenient in some form or fashion; even if you have to dig for 
the loss of convenience there will be a loss of convenience somewhere 
for increased security.