* Martin Kudlvasr
On Tuesday 20 October 2009 15:07:03 Klaus Kaempf wrote:
If someone has enough knowledge to bypass the WebYaST UI, we can't stop him anyways ;-)
This is news to me. Until now I thought that the webservice should be usable (and secure) on its own, including accepting EULAs and telling the user that he has to accept EULAs first. This is not about bypassing security; this is about telling the user that there is an EULA to accept, even if he is using only the command line. If we leave EULAs only in the UI and basesystem, some users (in some completely valid use cases) simply won't realize there is an EULA to accept. When the user skips basesystem setup, it is his problem. When the user does not accept the EULA, it's a license violation (also, 3rd party vendors may have a problem with that). I don't know, maybe it is just me seeing this problem as too serious.
I see your point and tend to agree. However, I want to keep things simple for now. I can imagine a lot of things the service side could enforce (password for root, existence of a non-root user, registration, ...) adding up in a pile of validations every service request has to check.
From the performance POV ... the check for detecting whether the EULA was accepted has 1-2 file touches. I don't see it as a speed bottleneck (in comparison to a dbus call, for instance).
I understand that this decision is for the project managers to make, so I'll change the implementation to whatever the decision is going to be. The amount of work needed is minimal.
For now, I see enforcement of the EULAs in the webclient-eula module as sufficient.

Klaus
---
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)