Expanding the list of "Hardened Packages"
by Dhiru Kholia
Hi,
This proposal was originally at https://fedorahosted.org/fesco/ticket/1104
(mitr asked me to move the discussion to fedora-devel to get more
attention and feedback)
...
http://fedoraproject.org/wiki/Hardened_Packages page mentions
that "FESCo requires some packages to use PIE and relro hardening by
default."
It would be great if this list could be expanded to include even more
packages which are at comparatively more risk of being exploited (locally
or remotely).
Such packages will typically include various system daemons, network
daemons and network enabled applications.
A lot of network daemons are already using PIE and RELRO (e.g. httpd,
MariaDB). So a natural question is why packages in the same "network
daemons" class like PostgreSQL, Dovecot and MongoDB aren't being
hardened?
Some of the ways to implement this proposal are,
1. Hardening flags should be turned on (by default) for all packages
which are at comparatively more risk of being exploited or which meet
some well-defined criteria (suggestions welcome).
"Packaging Guidelines" say that "Other packages may enable the flags at
the maintainer's discretion."
Thinking from a security perspective, I find "Hardening flags can only
be disabled for other packages at the maintainer's discretion provided
enough justification is given to FESCo" to be more appropriate.
2. An alternate approach is to come up with an expanded list of packages
which should be hardened.
Any feedback is welcome!
--
Dhiru
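A quick way to see which binaries on a system actually carry the two hardening properties the proposal is about is to read the ELF headers. The following helper is an added example, not code from the post or from Fedora: it classifies the text that `readelf -h -l -d -W <binary>` prints into PIE yes/no and RELRO none/partial/full. The embedded readelf snippets are constructed samples, and the `classify_hardening` name and the `--demo` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify PIE and RELRO state
# of an ELF executable from the text that readelf prints. Assumed usage:
#   readelf -h -l -d -W /usr/bin/ssh | classify_hardening
# Prints one line:  pie=<yes|no> relro=<none|partial|full>

classify_hardening() {
    input=$(cat)

    # PIE: the ELF type is DYN *and* there is a PT_INTERP entry; a plain
    # shared library is also DYN but has no interpreter, so it is not counted.
    pie=no
    if printf '%s\n' "$input" | grep -q 'Type:[[:space:]]*DYN' &&
       printf '%s\n' "$input" | grep -q 'INTERP'; then
        pie=yes
    fi

    # RELRO: a GNU_RELRO program header gives partial RELRO; adding BIND_NOW
    # (dynamic tag, or NOW in FLAGS_1) lets the loader make the GOT read-only
    # as well, which is what "full" RELRO means.
    relro=none
    if printf '%s\n' "$input" | grep -q 'GNU_RELRO'; then
        relro=partial
        if printf '%s\n' "$input" | grep -Eq 'BIND_NOW|FLAGS_1.*NOW'; then
            relro=full
        fi
    fi

    printf 'pie=%s relro=%s\n' "$pie" "$relro"
}

# Constructed sample readelf output (abridged) for a hardened binary ...
SAMPLE_HARDENED='  Type:                              DYN (Shared object file)
  INTERP         0x0000000000000238 0x0000000000000238 0x0000000000000238
  GNU_RELRO      0x00000000000f8b70 0x00000000002f9b70 0x00000000002f9b70
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'

# ... and for one built without any hardening flags.
SAMPLE_PLAIN='  Type:                              EXEC (Executable file)
  INTERP         0x0000000000000238 0x0000000000400238 0x0000000000400238
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_HARDENED" | classify_hardening
    printf '%s\n' "$SAMPLE_PLAIN" | classify_hardening
fi
```

Run with `--demo` to classify the two constructed samples; on a real system pipe `readelf -h -l -d -W` output for each daemon binary into `classify_hardening` to build the kind of inventory the proposal asks for.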
Strange ssh / openldap linking problem
by Richard W.M. Jones
I'm not sure whether or not this is a bug, but it sure looks strange.
$ rpm -qf /usr/bin/ssh
openssh-clients-6.1p1-6.fc18.x86_64
$ ldd /usr/bin/ssh|grep ldap
libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fad274fc000)
/usr/lib64/libldap-2.4.so.2 is a symbolic link to a symbolic link
which passes through a -devel package.
/usr/lib64/libldap-2.4.so.2 -> libldap.so # openldap-2.4.34-1.fc18
/usr/lib64/libldap.so -> libldap-2.4.so.2.9.0 # openldap-devel-2.4.34-1.fc18
/usr/lib64/libldap-2.4.so.2.9.0 is a real file # openldap-2.4.34-1.fc18
To cut a long story short, I fixed this by uninstalling openldap-devel
and reinstalling it. Now there is no -devel package in the chain:
$ ldd /usr/bin/ssh | grep ldap
libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fe8caf69000)
/lib64/libldap-2.4.so.2 -> libldap-2.4.so.2.9.0
I'd like to understand how the original situation happened, because it
broke a supermin-built appliance (RHBZ#954185). I assume ldconfig
must have something to do with it. There is nothing unusual in the
%scripts of openldap (it just runs ldconfig as you'd expect), nor is
there any special openssh/openldap config file in /etc/ld.so.conf.d.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
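The post traced the symlink chain by hand to find the hop owned by the -devel package. The following helper is an added example, not the post's own commands: it walks a symlink chain hop by hop, resolving relative targets against the link's directory the way the dynamic loader does, and annotates each hop with the owning package when `rpm` is available. The `walk_symlink_chain`, `owner_of` and `make_demo_chain` names and the `libfoo` chain are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): follow a shared-library symlink
# chain hop by hop, printing each link, its target and, when rpm is available,
# the package that owns that hop. This is the check the post did by hand to
# spot a -devel-owned link in the middle of the runtime chain.
walk_symlink_chain() {
    cur=$1
    hops=0
    while [ -L "$cur" ]; do
        target=$(readlink "$cur")
        printf '%s -> %s%s\n' "$cur" "$target" "$(owner_of "$cur")"
        # readlink returns the raw target; relative targets are resolved
        # against the link's own directory, as the dynamic loader would.
        case $target in
            /*) cur=$target ;;
            *)  cur=$(dirname "$cur")/$target ;;
        esac
        hops=$((hops + 1))
        if [ "$hops" -ge 40 ]; then
            printf 'giving up after %d hops (symlink loop?)\n' "$hops"
            return 1
        fi
    done
    if [ -e "$cur" ]; then
        printf '%s is a real file%s\n' "$cur" "$(owner_of "$cur")"
    else
        printf '%s is dangling\n' "$cur"
        return 1
    fi
}

# Prints " # <package>" when rpm -qf can name the owner, otherwise nothing.
owner_of() {
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$1" 2>/dev/null) && printf ' # %s' "$pkg"
    fi
    return 0
}

# Constructed chain in a temp dir: libfoo.so.1 -> libfoo.so -> libfoo.so.1.0,
# mirroring the runtime-link -> devel-link -> real-file shape from the post.
make_demo_chain() {
    d=$(mktemp -d)
    printf 'not really an ELF\n' >"$d/libfoo.so.1.0"
    ln -s libfoo.so.1.0 "$d/libfoo.so"      # the hop a -devel package would own
    ln -s libfoo.so "$d/libfoo.so.1"        # the runtime soname link
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_chain)
    walk_symlink_chain "$d/libfoo.so.1"
    rm -rf "$d"
fi
```

On a Fedora system, `walk_symlink_chain /usr/lib64/libldap-2.4.so.2` prints the same three-hop picture the post reconstructed, with the owning package after each hop; a -devel package showing up anywhere before the real file is the condition to look for.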
F20 Self Contained Change: Snapshot and Rollback Tool
by Jaroslav Reznik
= Proposed Self Contained Change: Snapshot and Rollback Tool =
https://fedoraproject.org/wiki/Changes/Rollback
Change owner(s): Stephen Gallagher <sgallagh(a)redhat.com>, Colin Walters
<walters(a)redhat.com>
With the advent of thinly-provisioned LVM pools, it has become possible for us
to implement full-system LVM snapshotting for recording rollback points. We
are planning to support this for yum updates and eventually fedup upgrades
going forwards. This change request notes the addition of new tools provided
by the roller-derby project to present an interface and a CLI for managing and
initiating rollbacks.
== Detailed description ==
The roller-derby project will be providing a library and a CLI for creating,
labeling and managing LVM snapshots (plus non-LVM backups of /boot), oriented
primarily towards rpm-managed data, but useful beyond that. The yum plugin
"yum-plugin-fs-snapshot" will be updated to consume this library and save the
system state in a compatible format. The roller-derby CLI tool will provide an
interactive and scriptable interface for manipulating these snapshots and
determining when to remove older ones. It will also allow the tagging of
snapshots as "known-good", to be skipped when automatically trimming for
space. The roller-derby project will likely provide a small daemon to keep
track of the available space in the LVM pool to proactively clean up snapshots
before the system runs out of space.
In order to prevent "loss" of data when rebooting into a snapshot, the
roller-derby CLI will allow saving a snapshot of the current state before
rolling back and will provide tools to allow mounting of that current state to
recover changes that have occurred since the rollback point.
== Scope ==
The scope of this project is the completion of the initial release of the
roller-derby project and the inclusion of thinly-provisioned LVM as an option
in the Anaconda installer [1].
Proposal owners: We need to complete the roller-derby project. Other than the
Anaconda change referenced above, all dependencies are available in Fedora
already.
Other developers: OS Installer Support for LVM Thin Provisioning
Release engineering: N/A (not a System Wide Change)
Policies and guidelines: N/A (not a System Wide Change)
[1] https://fedoraproject.org/wiki/Changes/InstallerLVMThinProvisioningSupport
_______________________________________________
devel-announce mailing list
devel-announce(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
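The one policy decision in the description that is easy to get wrong is the automatic trimming: the oldest snapshots go first, but a "known-good" rollback point must survive even when it is the oldest. The script below is an added, hypothetical illustration of that rule, not roller-derby's code. It assumes an inventory format of `<snapshot-name> <created-epoch> <tag>` lines, a `trim_plan` that emits removal candidates, and an `apply_plan` that only runs `lvremove` when `DO_IT=1`; the inventory and the volume group name are constructed.

```shell
#!/bin/sh
# Added example (not roller-derby's code): the snapshot-trimming policy the
# announcement describes, as a hypothetical dry-run helper. Inventory lines
# are "<snapshot-name> <created-epoch> <tag>"; the tag "known-good" marks a
# rollback point that automatic trimming must never remove.

# Emit, oldest first, the names of untagged snapshots to remove so that at
# most $1 snapshots remain. Reads the inventory from stdin.
trim_plan() {
    keep=$1
    inventory=$(sort -k2,2n)                      # oldest first
    total=$(printf '%s\n' "$inventory" | grep -c .) || total=0
    excess=$((total - keep))
    printf '%s\n' "$inventory" | while read -r name created tag; do
        [ "$excess" -gt 0 ] || break
        [ -n "$name" ] || continue
        if [ "$tag" = "known-good" ]; then
            continue                               # keep it, even if oldest
        fi
        printf '%s\n' "$name"
        excess=$((excess - 1))
    done
}

# Turn a plan into lvremove commands against volume group $1; only runs
# them when DO_IT=1, otherwise prints what would be removed (dry run).
apply_plan() {
    vg=$1
    while read -r snap; do
        [ -n "$snap" ] || continue
        if [ "${DO_IT:-0}" = 1 ]; then
            lvremove -y "$vg/$snap"
        else
            printf 'would run: lvremove -y %s/%s\n' "$vg" "$snap"
        fi
    done
}

# Constructed inventory: four snapshots, the oldest one tagged known-good.
INVENTORY='snap-20131001 1380585600 known-good
snap-20131005 1380931200 -
snap-20131010 1381363200 -
snap-20131015 1381795200 -'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$INVENTORY" | trim_plan 2 | apply_plan vg_fedora
fi
```

With a limit of two, the plan removes the two middle snapshots and leaves both the known-good point and the newest one; if every remaining snapshot were known-good the plan would simply come up short, which is the right outcome for a space-reclaiming daemon that must not discard a rollback point on its own.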
Q: webfonts:
by Alec Leamas
Hi!
I'm trying to package a web application with bundled fonts. These fonts
are used by the web clients (browsers), and just served from the Fedora
webapp. The case is similar to javascript .js files.
Trying to package the webfonts as dependencies I have run into problems
together with my reviewer. Basically, we don't know what to do. Some
questions:
- Where should webfonts be stored? A specific dir would be good, since
some fonts exist in both a webfont and desktop variant with the same
filenames.
- How should webapps get access to the system webfont? Is the apache
config file approach used for .js files, where the webapp gets access
to specific system paths, usable also here?
- Given that the primary concern about fonts seems to be licensing, is
it really meaningful to unbundle them?
This is the short story. The somewhat longer:
https://fedorahosted.org/fpc/ticket/277
Any help, out there?
--alec
--Wl,-z,relro in LDFLAGS required?/Inconsistency when not using %configure
by Till Maas
Hi,
https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelin...
mentions only %optflags to be required for packages but I noticed that
%configure sets LDFLAGS to a value different than %optflags:
rpm --eval %configure
[...]
LDFLAGS="${LDFLAGS:--Wl,-z,relro }"; export LDFLAGS;
[...]
Also using '%global _hardened_build 1' modifies %configure to add
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld to LDFLAGS.
Therefore it seems that packages with a single Makefile, where the package
maintainer sets the CFLAGS according to the current guidelines, are built
differently than packages using autoconf.
Do we need a %ldflags macro for packages not using %configure (or other
build systems with proper RPM macros)? Or do the LDFLAGS not matter if
CFLAGS are set properly?
Regards
Till
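For a package driven by a plain Makefile, the gap described above closes only if the spec passes link flags itself. The two `%build` fragments below are an added illustration, not from the post or from any Fedora package: the first relies on `%optflags` alone, the second passes the RELRO flag that `%configure` exports (as shown by the `rpm --eval %configure` output quoted above) plus the hardened-ld spec file from the post. The `make` invocation and the `CFLAGS`/`LDFLAGS` variable names are assumptions about the upstream Makefile, and it is assumed that `%optflags` carries the compiler side of `_hardened_build` as it does for `%configure`.

```spec
# Weak: only the compiler flags come from the guidelines; the link step runs
# with whatever LDFLAGS the upstream Makefile defaults to (often nothing), so
# the resulting binary has no RELRO even though CFLAGS were set "correctly".
%build
make %{?_smp_mflags} CFLAGS="%{optflags}"

# Corrected: hand the Makefile the same LDFLAGS that %configure would have
# exported. _hardened_build (set near the top of the spec) adds the hardened
# ld spec so PIE linking matches what autoconf-based packages get.
%global _hardened_build 1

%build
make %{?_smp_mflags} \
     CFLAGS="%{optflags}" \
     LDFLAGS="-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
```

The difference between the two is visible afterwards with `readelf -l` on the installed binary: only the second build carries a `GNU_RELRO` program header.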
openssl multilib broken
by Reindl Harald
currently on an x86_64 system distro-sync to F19 is broken
I saw the same in F18 with updates-testing enabled on
a machine with i686 packages some days ago, and downloading
the openssl packages for both archs from koji and
doing a "yum localupdate" worked fine
Error: Package: 1:openssl-1.0.1e-29.fc18.i686 (@/openssl-1.0.1e-29.fc18.i686/18)
Requires: openssl-libs(x86-32) = 1:1.0.1e-29.fc18
Removing: 1:openssl-libs-1.0.1e-29.fc18.i686 (@/openssl-libs-1.0.1e-29.fc18.i686/18)
openssl-libs(x86-32) = 1:1.0.1e-29.fc18
Updated By: 1:openssl-libs-1.0.1e-30.fc19.i686 (updates)
openssl-libs(x86-32) = 1:1.0.1e-30.fc19
Available: 1:openssl-libs-1.0.1e-4.fc19.i686 (fedora)
openssl-libs(x86-32) = 1:1.0.1e-4.fc19
Is Gnome Software ready for primetime ?
by Tim Lauridsen
I have tested gnome-software to see the current state, compared to gpk in
F19, there is a lot of stuff that can't be done.
1. You can't install backgrounds / icons
2. Not all applications found in the menu can be found under Installed; you
can search for them and find them, but can't remove them (e.g. Document
Viewer)
3. If you search for 'icons' you get a lot of wrong positives, where there
is no visible relation to icons in the text shown
4. Description is missing from almost every application.
This is just a few of the issues I have made bug reports on, but the main
question is: is gnome-software ready to be the one and only software manager
for the primary desktop for Fedora?
I think the current state will make Fedora look limited for new Fedora
users.
PS. Please don't turn this into a flame war for/against gnome :)
Tim
Fedora 20 Beta blocker bug status: fix and karma requests
by Adam Williamson
Hi folks, and welcome to the Fedora 20 Beta blocker bug news...
The bad news is that we're still some way from a viable Beta RC. We need
work on several blockers, all of which is outlined below. I'll start
with bugs that need work from developers; QA folks, there are tasks for
us listed later on.
Accepted blockers - anaconda and python-blivet
----------------------------------------------
* https://bugzilla.redhat.com/show_bug.cgi?id=986575 - "installer fails
to apply lower bound to resize requests in custom spoke" - this bug has
been open for a while and needs a fix from anaconda team, when they have
time.
* https://bugzilla.redhat.com/show_bug.cgi?id=1010495 - "Apple Mac EFI:
you have not created a bootloader stage1 target device" - this bug
breaks the most common installation scenarios for Apple systems (guided
install alongside an existing OS X install). bcl has been working on
fixing it: back in September he posted an initial patch, then decided
that it was not sufficient -
https://lists.fedorahosted.org/pipermail/anaconda-patches/2013-September/... . There is no information since then that I can find.
* https://bugzilla.redhat.com/show_bug.cgi?id=1016959 - "ValueError:
Cannot remove non-leaf device 'btrfs.14'" - this is a crasher with
certain existing btrfs volumes. dlehman posted a plan on how to fix it,
but there is no proposed patch that I can find.
Accepted blockers - other
-------------------------
* https://bugzilla.redhat.com/show_bug.cgi?id=1000891 - "DVD is
oversized (larger than 4.7 GB)" (spin-kickstarts, comps, pungi) - a fix
for this was scheduled for TC3, but it caused the DVD compose to break,
and was backed out to produce a testable TC4. TC5 continued without the
problematic fix (and hence is still over-size). AIUI, dgilmore was
supposed to be looking into the compose issue, but I believe he is now
on vacation, so we may need someone else to step in: CCing nirik and
notting.
* https://bugzilla.redhat.com/show_bug.cgi?id=1013767 - "rootfs on thinp
not found, startup failure" (dracut) - an update containing a fix for
this has been submitted -
https://admin.fedoraproject.org/updates/dracut-034-18.git20131018.fc20 -
but one reliable tester has reported that it breaks boot on their
system, so further developer work may be required here, harald:
https://bugzilla.redhat.com/show_bug.cgi?id=1021083
* https://bugzilla.redhat.com/show_bug.cgi?id=1015234 - "F20 Beta TC1
ARM disk images unable to find root filesystem" (dracut) - this bug is
marked as an unresolved blocker but has in fact been worked around
since, I believe, TC2. We can probably ship Beta with the workaround,
and this may just need some Bugzilla Bureaucracy rather than developer
attention at this point.
Proposed blockers
-----------------
* https://bugzilla.redhat.com/show_bug.cgi?id=1020974 - "incorrectly
treats a disk with partially corrupt GPT as having no partition at
all" (anaconda) - this looks like it could well be accepted as a
blocker, so developer attention would be appreciated.
* https://bugzilla.redhat.com/show_bug.cgi?id=1005895 - "Upgrade to f20
fails because of deltarpms" (fedup) - Will posted a proposed fix for
informal testing; Will, one of the reporters has confirmed the fix is
good, so can you please submit an update? Thanks!
Bugs requiring QA attention
---------------------------
* https://bugzilla.redhat.com/show_bug.cgi?id=1017435 - "Anaconda uses
LVM when Standard Partition is selected in text mode" (anaconda) - this
bug has been verified fixed by the update
https://admin.fedoraproject.org/updates/python-blivet-0.23.1-1.fc20,anaco... , but that update needs more karma to go stable. That is the build that is in TC5, so anyone who's tested TC5 and found it generally OK (no worse than previous builds) can +1 the update: please do!
* https://bugzilla.redhat.com/show_bug.cgi?id=1013800 -
"devicetree.py:1293:handleVgLvs:DeviceTreeError: failed to look up thin
pool" (python-blivet) - this is believed to be fixed by the
https://admin.fedoraproject.org/updates/python-blivet-0.23.1-1.fc20,anaco... update (and hence in TC5). We need to verify the fix and add karma to the update so it can be pushed stable and the bug closed.
* https://bugzilla.redhat.com/show_bug.cgi?id=1019500 - "device
factories need to set a default name if empty name given for defined
device" - exactly the same as 1013800: this should be fixed in TC5,
please confirm the fix and up-karma the update.
This has been your blocker bug news, folks - if everyone can help out
with fixing the remaining issues and testing the anaconda/blivet update,
that'd be a great help. Thanks!
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin DOT net
http://www.happyassassin.net