http://bugzilla.suse.com/show_bug.cgi?id=1125432
http://bugzilla.suse.com/show_bug.cgi?id=1125432#c7
--- Comment #7 from Matthias Gerstner
I think we don't need to be too cautious: First, these policies are inherited from the upsteam, fedora/debian/ubuntu... even BSD all use these privilege, I don't see any complaint about it.
Sorry but this reasoning does not work out at all. We wouldn't need to do any security reviews by these standards. Just have a look at the various security issues uncovered by SUSE employees in upstream software [1]. [1]: https://www.google.de/search?q=site:https://seclists.org/oss-sec/+suse
Second is, If you close these > rights, and in the future, some release manager request to re-open "new user mode", the customer user experience will be extremely bad, I think.
The correct way will be to ask for a security review when this happens and then we will be on the safe side. There is no way around the security review: Either we do it right now, thereby wasting resources for a feature currently not in use (and for a version of the software that will most probably never be used) or we remove the rules file and do the review when it's actually needed. I vote for the latter. -- You are receiving this mail because: You are on the CC list for the bug.