Functionality vs Security

Brad Bishop bradleyb at fuzziesquirrel.com
Thu Feb 13 09:36:29 AEDT 2020



> On Feb 12, 2020, at 5:06 PM, James Feist <james.feist at linux.intel.com> wrote:
> 
> On 2/12/20 2:01 PM, Brad Bishop wrote:
>> Hi James
>>> On Feb 12, 2020, at 4:16 PM, James Feist <james.feist at linux.intel.com> wrote:
>>> 
>>> In IRC yesterday I proposed the question of whether to change the default of bmcweb to disable REST D-Bus, or to change it in our meta-layers only. I created the patch here: https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/29344 and I am looking for feedback. While REST D-Bus does expose many useful APIs, and phosphor-webui depends heavily on it, it does leak information to any logged in user. This comes to the question, should we prefer functionality by default or security by default? It is a compile switch either way, so each user can still decide which they prefer.
>> There is no user that prefers something that doesn’t work or is incomplete, no matter how secure it is.  If you can find one, I’m happy to be proven wrong.
> 
> To my knowledge the only thing that breaks is the Web-UI, if you don't find the Web-UI useful, then I don't think it matters much.

The project test automation suite would also break.  What if you do find the Web-UI (or test automation suite) useful?  Who gets to decide what the “important” usage patterns are that need to be maintained and which ones don’t and can be allowed to break with changes like this?

I think we should take a cue from Linux.  The answer is _all_ usage patterns are important and must be maintained.  I don’t see why we should be any different.

> 
>> In my mind, the only user that wants this is Intel, because Intel has a bunch of patches to the webui that would make the broken upstream work.  The path forward here is simple (in concept) - upstream your webui patches, and the need for this to even be a discussion point goes away.  Has Intel had issues getting the webui patches upstreamed?
> 
> We had someone working on the Web-UI, but they had problems getting things merged due to differences in design opinions.

I don’t understand how design differences would present problems in getting back-end api calls switched over to Redfish.  It sounds like the commits were not structured properly or there were design changes mixed in with functional changes.

> 
>>> I have the opinion that the default should be the safest configuration
>> I completely agree!  This disconnect is what should we entertain calling a configuration.  I say that configurations that break existing (working) usage patterns of the upstream project code are not on the table.
> 
> It doesn't break it, it's just a default that you can switch back with a single build flag. This is only changing a default.

If I clone openbmc and try to run the webui, will it still work after this change?  If I clone openbmc and run the test automation suite against that, will it still work after this change?


More information about the openbmc mailing list