This proposal was originally at https://fedorahosted.org/fesco/ticket/1104
(mitr asked me to move the discussion to fedora-devel to get more
attention and feedback)
http://fedoraproject.org/wiki/Hardened_Packages page mentions
that "FESCo requires some packages to use PIE and relro hardening by
It would be great if this list could be expanded to include even more
packages which are at comparatively more risk of being exploited (locally
Such packages will typically include various system daemons, network
daemons and network enabled applications.
Lot of network daemons are already using PIE and RELRO (e.g. httpd,
MariaDB). So a natural question is why packages in same "network
daemons" class like PostgreSQL, Dovecot and MongoDB aren't being
Some of the ways to implement this proposal are,
1. Hardening flags should be turned on (by default) for all packages
which are at comparatively more risk of being exploited or which meet
some well-defined criteria (suggestions welcome).
"Packaging Guidelines" say that "Other packages may enable the flags at
the maintainer's discretion."
Thinking from a security perspective, I find "Hardening flags can only
be disabled for other packages at the maintainer's discretion provided
enough justification is given to FESCo" to be more appropriate.
2. An alternate approach is to come up with an expanded list of packages
which should be hardened.
Any feedback is welcome!
I'm not sure whether or not this is a bug, but it sure looks strange.
$ rpm -qf /usr/bin/ssh
$ ldd /usr/bin/ssh|grep ldap
libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fad274fc000)
/usr/lib64/libldap-2.4.so.2 is a symbolic link to a symbolic link
which passes through a -devel package.
/usr/lib64/libldap-2.4.so.2 -> libldap.so # openldap-2.4.34-1.fc18
/usr/lib64/libldap.so -> libldap-2.4.so.2.9.0 # openldap-devel-2.4.34-1.fc18
/usr/lib64/libldap-2.4.so.2.9.0 is a real file # openldap-2.4.34-1.fc18
To cut a long story short, I fixed this by uninstalling openldap-devel
and reinstalling it. Now there is no -devel package in the chain:
$ ldd /usr/bin/ssh | grep ldap
libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fe8caf69000)
/lib64/libldap-2.4.so.2 -> libldap-2.4.so.2.9.0
I'd like to understand how the original situation happened, because it
broke a supermin-built appliance (RHBZ#954185). I assume ldconfig
must have something to do with it. There is nothing unusual in the
%scripts of openldap (it just runs ldconfig as you'd expect), nor is
there any special openssh/openldap config file in /etc/ld.so.conf.d.
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
= Proposed Self Contained Change: Snapshot and Rollback Tool =
Change owner(s): Stephen Gallagher <sgallagh(a)redhat.com>, Colin Walters
With the advent of thinly-provisioned LVM pools, it has become possible for us
to implement full-system LVM snapshotting for recording rollback points. We
are planning to support this for yum updates and eventually fedup upgrades
going forwards. This change request notes the addition of new tools provided
by the roller-derby project to present an interface and a CLI for managing and
== Detailed description ==
The roller-derby project will be providing a library and a CLI for creating,
labeling and managing LVM snapshots (plus non-LVM backups of /boot), oriented
primarily towards rpm-managed data, but useful beyond that. The yum plugin
"yum-plugin-fs-snapshot" will be updated to consume this library and save the
system state in a compatible format. The roller-derby CLI tool will provide an
interactive and scriptable interface for manipulating these snapshots and
determining when to remove older ones. It will also allow the tagging of
snapshots as "known-good", to be skipped when automatically-trimming for
space. The roller-derby project will likely provide a small daemon to keep
track of the available space in the LVM pool to proactively clean up snapshots
before the system runs out of space.
In order to prevent "loss" of data when rebooting into an snapshot, the
roller-derby CLI will allow saving a snapshot of the current state before
rolling back and will provide tools to allow mounting of that current state to
recover changes that have occurred since the rollback point.
== Scope ==
The scope of this project is the completion of the initial release of the
roller-derby project and the inclusion of thinly-provisioned LVM as an option
in the Anaconda installer .
Proposal owners: We need to complete the roller-derby project. Other than the
Anaconda change referenced above, all dependencies are available in Fedora
Other developers: OS Installer Support for LVM Thin Provisioning
Release engineering: N/A (not a System Wide Change)
Policies and guidelines: N/A (not a System Wide Change)
devel-announce mailing list
I'm trying to package a web application with bundled fonts. These fonts
are used by the web clients (browsers), and just served from the Fedora
Trying to package the webfonts as dependencies I have run into problem
together with my reviewer. Basically, we don't know what to do. Some
- Where should webfonts be stored? A specific dir would be good, since
some fonts exists in both a webfont and desktop variant with the same
- How shoulld webapps get access to the system webfont? Is the apache
config file approach used for ..js files, where the webapp gets access
to specific system paths, usable also here?
- Given that the primary concern about fonts seems to be licensing, is
it really meaningful to unbundle them?
This is the short story. The somewhat longer:
Any help, out there?
Based on discussions at and around Flock, the Fedora Project Board has
approved a proposal for a big change in the way we put Fedora together.
Rather than presenting one Fedora with multiple slightly-different
install options, future Fedora will be designed, developed, and promoted
as three separate products built around a common core.
To take that idea from talk to reality, we're making a corresponding
change to Fedora leadership. Each product will be guided by a Working
Group, which will function as an independent subcommittee of FESCo, (the
Fedora Engineering Steering Committee). FESCo will resolve issues which
impact multiple working groups, and the Fedora Board will continue to
set overall strategic direction, but the working groups will be largely
autonomous within their own areas.
We are creating a group for each of the three initial products the Board
* Fedora Workstation
* Fedora Server
* Fedora Cloud
The Board asks that the Working Groups determine their own target
audience definition and product description as a first task; the names
aren't set in stone.
We're also creating groups to focus on the common core, and to work on
policies and practices for software operating outside of Fedora's
traditional packaging model, alongside the existing (and continuing)
Fedora Packaging Committee.
* Base Design Working Group
* Environments & Software Stacks Working Group
The working groups' initial membership will be chosen by FESCo from
volunteers. This message is the request for those volunteers to
Each group will have at least one FESCo member, who will act as a
liaison to FESCo and as a representative of the group at FESCo meetings.
We would like each group to also have representation from other major
areas of Fedora - Quality Assurance, Infrastructure, Release
Engineering, Documentation, Design, Websites, Ambassadors, Feature
Wrangler, Marketing. We don't intend for this to be additional work to
current members of those teams; working group members should interact
with and augment the existing subprojects.
These working groups will be more formal than the existing SIGs, with a
documented governing structure and process of operation, voting members,
up-to-date and maintained project materials, and regular open
communication. All working group members will need to actively
The first responsibility will be to establish a governance charter,
followed by a product requirements document. We're obviously in the
middle of Fedora 20 development, and that's the priority for many of us
right now. For that reason, these deliverables won't be required until
after the F20 release, but we do want to start organizing as soon as
Interlude: Interested in Something Else?
Are the projects listed above not your interest? That's fine; you can
keep on working the way you are now. Or, perhaps you're interested in a
target product, but something different from the ones described above.
In that case, you may start a "secondary product" working group
following the same model; if that is successful the Fedora Board may
elect to promote that product to a primary target.
How to Self-Nominate
To volunteer to serve on one of the new Fedora working groups, simply
add yourself to the appropriate section in the wiki page below, along
with a brief description of your current involvement with Fedora and
plans for participation in this group.
The nomination period will be at least one month from this announcement.
FESCo will review the applications, appoint the initial members, and
assist with the development of each group's independent governance.
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
devel-announce mailing list
a bugzilla ticket  requiring a better Bugzilla summary field text
produced by abrt has been filed. Before I start changing the bug summary
format I'd like to do a little survey:
What would you like see in the bug summaries produced by abrt?
a few days ago i upgraded to F19 and my cron-script checking
for updates as well as "yum check-update" reports these
warnings - unsure where to report a bug because it's not
a specific package, so i post it here
Update notice FEDORA-2013-13577 (von updates-testing) is broken, or a bad duplicate, skipping.
You should report this problem to the owner of the updates-testing repository.
Update notice FEDORA-2013-15734 (von updates-testing) is broken, or a bad duplicate, skipping.
Update notice FEDORA-2013-15106 (von updates-testing) is broken, or a bad duplicate, skipping.
Update notice FEDORA-2013-14132 (von updates-testing) is broken, or a bad duplicate, skipping.
Update notice FEDORA-2013-14172 (von updates-testing) is broken, or a bad duplicate, skipping.
For F21, I plan to orphan the following X video drivers:
Effectively this means that the graphics team will be focusing on KMS
for graphics support, with vesa and fbdev available as last-ditch
fallbacks. If anyone is interested in taking on support for these
chips, they're welcome to, though we would encourage anyone doing so to
work towards KMS support and not merely do "keep it building"
One other detail: the intel driver currently has both UMS support for
the i810 chipset, and KMS support for everything newer. To be
consistent with the above changes I'll be dropping the i810 support,
which will then fall back to vesa. Again, if someone wants to own the
i810 support, let me know and we can add you as a comaintainer.
as some of you already noticed ABRT started filling a private bugs which
are only readable by reporter and assigned developer. This is an
unfortunate UX design together with &. Fixing those two bugzillas
should help, but there will always be a possibility that user will
create a private bz ticket which I think is a good thing. However if you
have some idea how to make this a less pain for developers and still
allow users to create private tickets, I'm all ears.