Fedora Weekly News Issue 172
Welcome to Fedora Weekly News Issue 172 for the week ending April 19th,
This week Announcements rubs its hands with glee over the "Fedora 11"
freeze. Similarly Artwork enthuses about "Fedora 11 Landing" with great
Leonidas themes including a surprise for wide-screen setups.
Developments gushes about "Presto and DeltaRPM Status" and SecurityWeek
asks the interesting question "Who in the Linux World Would be
Responsible for a Worm?". SecurityAdvisories faithfully lists updates
that might just help avoid that worm. With a red face we draw your
attention with an Erratum to last week's missing QualityAssurance beat.
This week's QualityAssurance beat "Test Days" advertizes the upcoming
minimal installation testing and reports in "Weekly meetings" that
PulseAudio issues with snd-intel-hda and snd-intel8x0 are resolved.
Translation reports on the availability of a bulky "Fedora 11
Installation Guide Ready for Translation". The FedoraWeeklyWebcomic
joins us again and Ambassadors shares a neat list of LinuxFestNorthWest
talks by Fedora folk.
If you are interested in contributing to Fedora Weekly News, please see
our 'join' page. We welcome reader feedback:
FWN Editorial Team: Pascal Calarco, Oisin Feeley, Huzaifa Sidhpurwala
1.1 Erratum: Missing QualityAssurance Beat in FWN#171
1.2.1 Fedora 11
1.2.2 FUDCon Berlin 2009
1.2.3 Upcoming Events
1.3.1 Test Days
1.3.2 Weekly meetings
1.4.1 Frozen for Fedora 11. Some Packages Still Not Built
1.4.2 Xorg Hacking Solves DontZap
1.4.3 Minesweeper Certified Solitaire Professionals Satisfied
1.4.4 Presto and DeltaRPM Status
1.4.5 Browser Plugins May Strip SELinux Protections
1.4.6 Getting Rid of /usr for Fedora 12 ?
1.5.1 Fedora 11 Installation Guide Ready for Translation
1.5.2 New Members in FLP
1.6.1 Fedora 11 Landing
1.7 Fedora Weekly Webcomic
1.8 Security Week
1.8.1 Malicious Activity Grows in 2008
1.8.2 Who in the Linux World Would be Responsible for a Worm ?
1.9 Security Advisories
1.9.1 Fedora 10 Security Advisories
1.9.2 Fedora 9 Security Advisories
1.10.1 LinuxFest Northwest Starts Saturday
1.10.2 Got Ambassador News?
== Erratum: Missing QualityAssurance Beat in FWN#171 ==
Last week (FWN#171) your painstaking QualityAssurance correspondent,
Adam Williamson, wrote a very readable account of the activity around
the UEFI BIOS replacement, Graphics-card Metrics and a lot more. Somehow
we omitted to include this in the plaintext issue. With apologies to
Adam and to our readers we suggest you take a look at our archived web
== Announcements ==
In this section, we cover announcements from the Fedora Project.
Contributing Writer: Max Spevack
=== Fedora 11 ===
We're getting very close to the Fedora 11 release, and excitement is
Jesse Keating announced that we are now frozen for Fedora 11.
"We've reached the final freeze, as well as mass branched. From this
point on, builds from F-11/ will go to dist-f11-updates-candidate and
builds from devel/ will go to dist-f12. dist-f11 itself is locked."
John Poelstra gave a final reminder to feature owners whose
features are not at 100%. "Feature freeze has past and the following
feature pages still need updates. Some have not been updated for several
months. All need to be at 100% completion and their content set to
=== FUDCon Berlin 2009 ===
Max Spevack reminded the community about FUDCon Berlin 2009,
including registration, lodging, and the speaking schedule.
=== Upcoming Events ===
April 17-19: Summer Geek Camp 2 in Antipolo City, Phillipines.
April 18: BarCamp Rochester in Rochester, New York, USA.
April 19-22: Red Hat EMEA Partner Summit in Malta.
April 24-25: FLISOL, all over the LATAM region.
April 25: Trenton Computer Festival in Trenton, New Jersey, USA.
April 25-26: Linux Fest Northwest in Bellingham, Wasthington, USA.
April 27: FOSS Lightning Talks in Stockholm, Sweden.
May 2: Introduction to FOSS, Fedora workshop in Pradesh, India.
May 4-8: VI Foro Mundial de Conocimiento Libre in Mérida, Venezuela.
== QualityAssurance ==
In this section, we cover the activities of the QA team.
Contributing Writer: Adam Williamson
=== Test Days ===
This week saw two Test Days. The first was a follow-up on the Fedora
11 rewrite of Anaconda's storage device code. The second was on
the Presto plugin for yum, which enables the use of deltarpms for
updates. The Anaconda test day verified that many issues from the
earlier test day had been resolved and turned up several new bugs, many
of which have been fixed already. The Presto test day was surprisingly
uneventful: there was good participation but few bugs were discovered,
the system worked well and reliably for almost every test.
Next week's Test Day will be on the minimal platform feature,
support for very small minimal installations. This is another test day
which will require installation, so if you are interested in taking
part, please make sure to have a spare system or partition on which you
can install a Rawhide system. Of course, this week it only needs to be
=== Weekly meetings ===
The QA group weekly meeting was held on 2009-04-15. The full log is
available. The group briefly discussed James Laska's plan to improve
the customization possibilities for Test Day live CDs. James promised to
send a mail to the list regarding his ideas here.
Adam Williamson reported that he had successfully had a post on the
Rawhide nss / x86-64 issue added to the rawhidewatch blog, run by
Adam Williamson reported on his progress in evaluating whether important
bugs reported in the X driver Test Days are fully repesented on the
Fedora 11 release blocker bugs list. The nouveau maintainer, Ben Skeggs,
has already reviewed all nouveau bugs. Review of intel and radeon bugs
in in process together with the regular triagers for these components,
Matej Cepl and Francois Cami.
Will Woods provided an update on his progress in checking on
PulseAudio's readiness for a Fedora 11 release. He noted that some
significant problems remained in two ALSA drivers - snd-intel-hda and
snd-intel8x0 - which cause problems in PulseAudio. These drivers are
used by a very large amount of current sound hardware. However, patches
to fix several problematic cases have been added to the Rawhide kernel
recently, and the remaining problems can be worked around if fixes are
not integrated prior to release time, so it should be possible to
release Fedora 11 with a fairly reliable PulseAudio. The group discussed
whether it would make sense to schedule a Test Day for Intel audio
chipsets, but concluded it was too close to release time and the Test
Day schedule was already too busy to make it practical.
The Bugzappers group weekly meeting was held on 2009-04-14. The full
log is available. The meeting opened with a call for the Bugzappers
group to be proactive in adding serious bugs to the Fedora 11 Blocker
and Target bug lists. Several group members expressed the concern that
they would not be able accurately to identify which bugs should be added
to the list, so Adam Williamson and James Laska promised to discuss the
issue at the next QA meeting and see if there was a way to provide
firmer policies and guidance in future.
The group agreed to delegate the creation and organization of a Wiki
area covering SOPs (Standard Operating Procedures) to John Poelstra.
The discussion about how long to wait before closing NEEDINFO bugs was
resolved by a proposal from John Poelstra: whether to close after 30 or
60 days will be left to the discretion of individual triagers, while if
there is in future any co-ordinated team working to resolve stale
NEEDINFO issues not handled by the initial triager, they will use the 60
The next QA weekly meeting will be held on 2009-04-22 at 1600 UTC in
#fedora-meeting, and the next Bugzappers weekly meeting on 2009-04-21 at
1500 UTC in #fedora-meeting.
== Developments ==
In this section the people, personalities and debates on the
@fedora-devel mailing list are summarized.
Contributing Writer: Oisin Feeley
=== Frozen for Fedora 11. Some Packages Still Not Built dist-f11 ===
Jesse Keating announced that henceforth all F-11/ builds would go to
dist-f11-updates-candidate and builds from devel/ would go to dist-f12.
He asked for concerned parties to check that builds were being properly
In response to Mike Chambers' question Jesse confirmed that the
nightly rawhide composes would consist of Fedora 11 content until the
GOLD packages were on their way out to the mirrors at which point the
nightly rawhide composes would contain Fedora 12 content.
On a related note Bill Nottingham asked maintainers of a list of
packages not yet rebuilt in dist-f11 (with the attendant compiler and
strong RPM hashes) to fix them if possible. Jesse Keating provided a
slightly more aggressive list as an addendum.
=== Xorg Hacking Solves DontZap ===
Peter Hutterer made some valuable contributions to resolving the furore
over the disabling of the zapping of the Xorg server via the
Ctrl-Alt-Backspace key combination.
Tom Callaway drew attention to a blog entry of Peter's which
mentioned upstream patches by Julien Cristau (of Debian) to
xkeyboard-config and Peter's own patch to Xserver which together make
it possible to disallow zapping by default and also to turn zapping on
'setxkbmap -option terminate:ctrl_alt_bksp'
. The net result is that it is possible to get zapping to work but the
XKB configuration needs to be set up properly and the DontZap option
left disabled (as per the new default).
In discussion with Kevin Kofler Peter clarified the situation in
which the new settings would take effect. Kevin responded that it
appeared that for KDE users zapping with Ctrl-Alt-BkSp would remain as
Later Peter answered some questions from Suren Karapetyan about the
ability to kill broken X grabs with details about how zapping works.
The above summary of an elegant technical solution ignores the long, and
at times vitriolic, complaints about this change. A common trope
occurring in some recent threads seems to be that changes are made by
Red Hat employees who are implementing changes without community
consultation and all work to a common game plan. Seth Vidal
challenged the latter assumption:"In a survey of 10 RH employees you
will find between 10 and 40 different opinions. sometimes more if you
don't ask some of them to confine their comments to a limited amount of
time." In any event it's worth noting that the resolution (which filters
the "Terminate_Server" action in a manner consistent with the
handling of other actions in xkb rulesets) was contributed upstream by a
Red Hat employee. As a point of information Kevin Fenzi also made it
clear that the change had not been instigated by FESCo.
The new options presented by Peter were in addition to those already
suggested in the beta Release Notes.
=== Minesweeper Certified Solitaire Professionals Satisfied with DVD ===
Jesse Keating requested help in selecting which packages should be
dropped from the DVD image. He suggested some java development packages
Feedback suggested that retaining the games was preferred and
dropping the development libraries made sense as the latest versions
would be needed and could be obtained from the repositories anyway.
Jesse later posted this was sufficient to achieve the desired image
A side-issue discussed was the unwieldiness of jigdo as a download
method. Callum Lerwick suggested that jigdo would benefit from a
userspace ISO implementation.
=== Presto and DeltaRPM Status ===
The ability to download binary diffs of RPM packages has been offered
for some time now on Fedora through the Presto project and
presto-enabled repositories. Interest is high enough in Presto's
bandwidth-saving abilities that no fewer than three separate threads
were started to ensure that it would function properly for Fedora 11.
Warren Togami asked if Presto would be enabled by default for Fedora
11. Last month (2009-03-21) Jonathan Dieter reported that the use of
SHA-256 in rpm had broken deltarpm but that a patched version was
available in rawhide. See FWN#166 for earlier coverage of the
challenges and changes resulting from the introduction of stronger
hashes. Jonathan also reported that the changes necessary in
infrastructure to build deltarpms had been done. These changes were made
fairly rapidly thanks to work done Michael Schroeder, the upstream
deltarpm developer. One issue that concerned Axel Thimm was the
security with which checksums of deltarpms were being made. Till Maas
and Jonathan Dieter provided reassurance that all deltarpms are
generated from original rpms which needed to pass all verifications
which yum and rpm enforce.
Martin Sourada was excited not just about Presto but also about the
slick new PackageKit in Fedora 11. Martin was concerned about the issue
of PackageKit and Presto apparently not working well together. A
bugzilla entry revealed that PackageKit developer [[User:|Richard
Hughes]] quickly created a patch which Martin reported as working.
On 2009-04-16 Bill Nottingham added to the "Rawhide Report" that "[...]
rawhide is composed with deltarpms against the prior rawhide. Due to a
bug, this is only currently working on i386; it should be fixed for
other arches tomorrow. Please test and report any issues."
A Fedora Test Day centering around Presto was also announced by
[[User:|James Laska]]. The usual excellent wikipage suggests that
Presto can deliver significant bandwidth savings.
=== Browser Plugins May Strip SELinux Protections ===
Daniel Walsh asked why mozplugger was being installed by default.
He cautioned that mozplugger broke nsplugin and thus SELinux
An answer posted by Bill Nottingham pointed out the java plugin as
Dan worried that while "[a] confined nsplugin is a nice feature for
confining plugins downloaded from the network. But if you run openoffice
and evince from within nsplugin they get confined, causing the apps to
not work properly." In response to Simo Sorce Dan explained that any
attempt to write transition rules to enable said applications to work
properly would create an easy avenue of attack. Simo wondered if it
would be possible to either write a security wrapper to restrict the
command line, or to get application developers to honor SELinux labels
in some way.
Warren Togami shared that removing mozplugger was "[...] something I
always do. It seems to cause more problems than it solves [...]" and
James Morris expanded upon this with instructions "[...] on both
removing mozplugger and restoring the security protections of SELinux.
Simply removing the package isn't enough[.]" James questioned "[...] how
a package which breaks a security feature not only made it into the
repo, but how it became enabled by default[?]"
A similar issue was raised by Bruno Wolff III about the re-enabling
of disabled Firefox plugins. Comments by Martin Stransky suggest this is
a feature of mozilla-plugin-config.
2. Mozplugger describes itself as "[a] general purpose Mozilla
plugin module that allows the user to embed and launch their favorite
application to handle the various different types of media found on
the Internet." http://mozplugger.mozdev.org/
=== Getting Rid of /usr for Fedora 12 ? ===
Lennart Poettering cheerfully invited any inclined parties to a
flamefest over the elimination of the /usr directory. Lennart suggested
that recent history indicated that more files were being moved from /usr
to / and that confusion between the two was a source of error from some
Enthusiasm for both the flamewar and the proposal was low.
A forceful and well-argued objection was made by Konstantin
Ryabitsev on the basis that he liked to keep /boot and /usr on their own
partitions and use a LUKS-encrypted LVM for everything else. Konstantin
emphasized this was especially well-suited to portable machines which
need to conserve power and are more likely to need encryption.
Ralf Corsepius invoked the FHS on /usr and the need to contain
non-essential packages unavailable at certain boot stages therein. Chris
Adams added that symlinking /usr to / had been shown to break rpm.
Lennart explained how /etc could be made read-only and adduced
OpenSUSE, Debian and Gentoo as further evidence that a read-only root
could be attained. Callum Lerwick pined for the days of floppy
Toshio Kuratomi completely declined to play and asked: "I'm hereby
giving notice that I don't have time to read obvious flamefests anymore.
Once this thread concludes, please summarize whatever the pros and cons
are and send it to the packaging committee to discuss and vote on."
== Translation ==
This section covers the news surrounding the Fedora Translation (L10n)
Contributing Writer: Runa Bhattacharjee
=== Fedora 11 Installation Guide Ready for Translation ===
Ruediger Landmann announced the availability of the Fedora 11
Installation Guide for translation. Due to import of relevant content
from the Red Hat Enterprise Linux Installation Guide into this Guide,
the content has substantially increased. The final translation due date
is 14th of May 2009 with an extension of 1 week for additional
corrections. The .po files would be refreshed on April 28th 2009, to
correct errors identified until that date.
=== New Members in FLP ===
Ali Fakoor has joined the Persian translation team last week.
== Artwork ==
In this section, we cover the Fedora Artwork Project.
Contributing Writer: Nicu Buculei
=== Fedora 11 Landing ===
As a culmination of last week effort, the new and improved Fedora 11
artwork was packaged and landed in Rawhide, as Martin Sourada
announced on his blog.
=== Fedora Weekly Webcomic ===
This week's installment of Nicu Buculei's comic
== Security Week ==
In this section, we highlight the security stories from the week in
Contributing Writer: JoshBressers
=== Malicious Activity Grows in 2008 ===
2008 Saw a surge in malicious code activity This is a disturbing
trend, and for the underground, this is easy money. The threat will
continue to grow until either the money dries up (unlikely) or the
difficulty of exploiting this is greater than the potential gain. Right
now it looks like the trend will continue for several years.
=== Who in the Linux World Would be Responsible for a Worm ? ===
Last week OSNews asked a rather interesting, but easily answered
question: OSNews Asks: Who'd Be Responsible for a Linux Conficker?
The world of Open Source security is mostly a process that happens
behind the scenes, but is quite effective. There is a wiki called
OSS-Security  that provides a number of links to various groups. In
the event of something like a worm, the vast majority of the effort
would end up happening on the Vendor Security (vendor-sec) mailing
list. This is a group of trusted Open Source distributors that
communicate in private in an effort to keep the end users of Open Source
software secure. To date this group has been working out quite well, and
the members are very used to solving security flaws in a cooperative
manner. In the event of a widespread Linux worm, there would be many
tired people, and quite a lot of vendor-sec emails.
== Security Advisories ==
In this section, we cover Security Advisories from
Contributing Writer: David Nalley
=== Fedora 10 Security Advisories ===
* ntop-3.3.8-3.fc10 -
* pam-1.0.4-4.fc10 -
* phpMyAdmin-184.108.40.206-1.fc10 -
* udev-127-5.fc10 -
* argyllcms-1.0.3-5.fc10 -
=== Fedora 9 Security Advisories ===
* pam-1.0.4-4.fc9 -
* phpMyAdmin-220.127.116.11-1.fc9 -
* udev-124-4.fc9 -
* argyllcms-1.0.3-5.fc9 -
== Ambassadors ==
In this section, we cover Fedora Ambassadors Project.
Contributing Writer: Larry Cafiero
=== LinuxFest Northwest Starts Saturday ===
Fedora Project will be attending and presenting at LinuxFest Northwest
this weekend in Bellingham, Wash., U.S.A. With five presentations and a
booth, Fedora is proud to be a sponsor of LinuxFest Northwest this year.
Below is a list of presentations at LFNW by Fedora folks, all of which
will be in room Haskell 203 on the Bellingham Technical College campus.
* Participate or Die by Karsten Wade at 1 p.m. Sunday
* What's under the hat? A sneak peek at Fedora 11! by Jesse Keating
at 11 a.m. Sunday
* Modular Infrastructure design with Messaging by Jesse Keating at 2
* Fedora Remix by Clint Savage at 11 a.m. Sunday.
* Fedora 101 by Larry Cafiero at 10 a.m. Saturday, preceding the
Fedora Activity Day, which will be from approximately 10:30 (or when
Larry decides to quit yammering away) to 4:30 p.m.
The complete presentation schedule for LinuxFest Northwest can be found
=== Got Ambassador News? ===
Any Ambassador news tips from around the Fedora community can be
submitted to me by e-mailing lcafiero-AT-fedoraproject-DOT-org and I'd
be glad to put it in this weekly report.