= Proposed Self Contained Change: Replace Bacula with Bareos =
Change Owner(s): Simone Caronni <negativo17 at gmail.com>
The powerful Bacula network backup solution has switched from being Open
Source friendly to being almost closed source. Originally the project was
conceived totally as Open Source, but since the creation of Bacula Systems and
its proprietary Bacula Enterprise Edition product, the Open Source (now called
"Community Edition") has received less and less updates and is mostly
== Detailed description ==
The most important points that are left "abandoned" are the following:
* Installation scripts and updates to makefiles are not updated anymore.
* New plugins and functionalities are not added anymore, except those in the
* Gaphical (and buggy) console has not received any update in almost two
* Patches and bugs opened in the bug tracker are mostly left abandoned. Even
trivial fixes are not imported in the source.
* Windows binaries are no longer provided, nor the source for the clients has
been updated. Even if compiled with difficulties, there is no support for recent
A former Bacula developer, frustrated by the situation created the fork Bareos
a long time ago from Bacula 5.2.x (the current Fedora and RHEL 7 version).
This version has now received '''a lot of bugfixes''' compared to the original
Bacula source. This makes compilation and installation a lot easier than it
was with Bacula.
On top of this, a '''lot of new features''' have been added; some unique to
Bareos but many available only in the closed source Bacula Enterprise.
Here is the list of new features compared to the current Bacula 5.2.13:
Some highlights include NDMP support for enterprise class storage (NetApp,
etc.), support for enterprise class tape libraries and Windows support
(including Windows Server 2012) with Bareos generated binaries.
For further details on why a Bacula fork was created please look at the
Bareos can also be '''fully compatible with Bacula''' by setting a specific
configuration directive in the Daemon configuration files; thus providing the
option for RHEL 6/7 users to interoperate with Fedora systems.
== Scope ==
To accomplish the goal, the following Bacula packages need to be replaced with
Currently, the same Fedora packages can be rebuilt as they are, to work also
on CentOS/RHEL 5 and 6, upgrading the EPEL or official Bacula packages in the
distributions. This is to have a consistent backup infrastructure across all
the Fedora/CentOS/RHEL ecosystem.
To ease installation, a repository for installing those packages on a
CentOS/RHEL system do exist:
The idea is the same for Bareos: import into Fedora 21 packages that can be
rebuilt for all supported Fedora/RHEL/CentOS releases and provide a repository
that can upgrade any Bacula release currently installed in the system with the
new one. In detail; the upgrade scenarios supported when going from Bacula to
Bareos would be:
From Bacula 2.4:
* RHEL/CentOS 5 with EPEL repository
From Bacula 5.0:
* RHEL/CentOS 6
From Bacula 5.2.13:
* Fedora 18+
* RHEL/CentOS 5
* RHEL/CentOS 6
As written before, the change is impacting only Fedora 21, the list of
upgrades supported are only for users who want a consistent backup solution
across the enterprise.
=== External activities ===
Proposal owners: I'm the current Bacula mantainer in Fedora and will complete
the transition in time for the release.
Other developers: N/A (not a System Wide Change)
Release engineering: the release engineering team should make sure the new
Bareos packages are in place instead of the current Bacula packages for the
Policies and guidelines: N/A (not a System Wide Change)
devel-announce mailing list
So a friend of mine has been wrangling with suexec trying to configure it
for his needs, and he has become quite furious over the fact that suexec
Then he finds out that Debian actually has a version of suexec that lets
you use a conf file to configure suexec. My question is, why the heck isn't
this in Fedora? How is it that Debian can offer both versions, but
I'm honestly surprised that Fedora doesn't offer this little piece of
flexibility. I would think that this would be in Fedora and RHEL, because
of how useful this would be. So what's going on here?
真実はいつも一つ！/ Always, there's only one truth!
first $SUBJ is available at:
It's just a src.spm and plugin support it not finished (don't browse
youtube ;-)) but may work as a preview.
I'll provide Fedora builds and repo later.
This proposal was originally at https://fedorahosted.org/fesco/ticket/1104
(mitr asked me to move the discussion to fedora-devel to get more
attention and feedback)
http://fedoraproject.org/wiki/Hardened_Packages page mentions
that "FESCo requires some packages to use PIE and relro hardening by
It would be great if this list could be expanded to include even more
packages which are at comparatively more risk of being exploited (locally
Such packages will typically include various system daemons, network
daemons and network enabled applications.
Lot of network daemons are already using PIE and RELRO (e.g. httpd,
MariaDB). So a natural question is why packages in same "network
daemons" class like PostgreSQL, Dovecot and MongoDB aren't being
Some of the ways to implement this proposal are,
1. Hardening flags should be turned on (by default) for all packages
which are at comparatively more risk of being exploited or which meet
some well-defined criteria (suggestions welcome).
"Packaging Guidelines" say that "Other packages may enable the flags at
the maintainer's discretion."
Thinking from a security perspective, I find "Hardening flags can only
be disabled for other packages at the maintainer's discretion provided
enough justification is given to FESCo" to be more appropriate.
2. An alternate approach is to come up with an expanded list of packages
which should be hardened.
Any feedback is welcome!
I am looking to have the following package reviewed for inclusion into
Tayga is a NAT64 implementation in userland. With the help of DNS64
(BIND), it allows an ipv6 only client to communicate with the ipv4
I have attached the SRPM of what I have created.
There are a few things that could change. First, I had thought that I
would need more selinux policy than I did. At the moment the policy just
provides a filecontext. Is there a better way to do this?
The ifup / ifdown script read their variables from the /etc/tayga
configuration file. In most scenarios, a system will run only one
instance of this. However I would like feedback on:
Should I enable it so that the ifup/down can accept a tayga.conf
parameter to read
Should the ifup/ifdown script generate the tayga.conf on the fly to
say /var/run/tmp somewhere from values provided in the ifup / ifdown?
Additionally, what I have in these scripts should really be reviewed, as
I have never written them before.
Finally, tayga is a long running process, as such, I have enabled the
hardened build. It is possible to run as an alternate user and in a
chroot of it's DB dir. What is the best way to go about adding a user
for this package for the daemon to run as?
Looking forwards to comments and advice,
I'm rebasing libgcrypt in rawhide to libgcrypt-1.6.1. The new upstream
release contains many improvements over the old one especially in terms
of new crypto algorithm support and performance improvements.
Unfortunately the rebase bumps soname to libgcrypt.so.20 due to dropping
some long-ago deprecated API calls. This should not break builds of any
reasonably current software. I've included the temporary old shared
library so the buildroots are not broken.
I will try to rebuild the dependencies eventually.
No matter how far down the wrong road you've gone, turn back.
(You'll never know whether the road is wrong though.)
devel-announce mailing list
I wonder whether it wouldn't be time to say goodbye to tcpwrappers in
Fedora. There has been a request in systemd upstream to disable support
for it by default, but I am not sure I want to do that unless we can
maybe say goodbye to it for the big picture too.
Why would we get rid of them?
Well, to make things simpler, primarily. They have not seen any
development since 2003 (that's 11 years I mind you, an eternity in IT).
I doubt there are many people even using them anymore, firewalls are
more comprehensive and a lot more powerful, and while every admin knows
firewalls, I figure only very few know tcpd/tcpwrap, and even fewer ever
actively make use of them...
The API is awful, too, with lot's of open-coded structures, feature
checks in the headers, fixed length strings, globally exported variables,
non-namespaced symbols, really weird exported compatibility wrappers for
I'd propose we make a clear cut, and just start disabling it in all
services that link to it, instead of letting rot on in Fedora for all
It's bad code, little used, crufty. We have much better stuff now, and
that enables us to say goodbye to the old mess...
I figure there will be a bit of opposition to this change, thus I
thought I start the discussion on the fedora ML first. Unless there are
major concerns I will propose a feature about this in the next few
days. If somebody wants to join me on this and put his name on the
feature proposal I'd be delighted!
Lennart Poettering, Red Hat
= Proposed System Wide Change: cron to systemd time units =
Change owner(s): Jóhann B. Guðmundsson <johannbg AT gmail DOT com>
Fix dependency on crontab in packages containing cron jobs as well as migrate
cron jobs that are applicable to native systemd timer units.
== Detailed description ==
Add dependency on crontab in packages containing cron jobs as well as migrate
cron jobs that are applicable to native systemd timer units in packages that
already depend on systemd.
== Scope ==
* Policies and guidelines:
** Adjust packaging guidelines to fix dependency in cron packages [Package Cron
Files 1] DONE
** Adjust packaging guidelines to mention migration of cron jobs to timer
units for packages that already depend on systemd
* Fix spec files in packages that are not applicable for migration [Fix Cron
Dependency Tracking Bug 2]
* Review and migrate if applicable cron jobs shipped in packages that already
depend on systemd [Timer Migration Tracking Bug 3]
* Update systemd wikipage to contain timer units example
devel-announce mailing list
Greetings, we've been told that the email addresses for three package
maintainers are no longer valid. I'm starting the unresponsive maintainer
policy to find out if they are still interested in maintaining their
packages (and if so, have them update their email addresses in FAS). If
they're not interested in maintaining or we can't locate them I'll have
FESCo orphan the packages so that others can take them over.
If you have a way to contact any of these maintainers, please let them know
that we'd appreciate knowing what to do with their packages. Thanks!
* awnuk -- former email address awnuk(a)redhat.com
- comaintainer of dogtag-pki, dogtag-pki-theme, pki-console, pki-core,
pki-ra, and pki-tps
* llim -- Lawrence Lim -- former email address llim(a)redhat.com
- Bugzilla owner of redhat-lsb
* osier -- Osier Yang -- former email address jyang(a)redhat.com
- comaintainer of libvirt
If we get to the point of removing acls for these people, only redhat-lsb
will need a new owner. The other packages just have these package
maintainers as comaintianers.
There's a new devel release of the above just landed. I'll be looking
to get them into rawhide over the new couple of days but there's been
quite some change so I'm going to deal with it all locally first to
see what the impact is before I push it.