This mail is in regards to WSA-2015-0002: http://webkitgtk.org/security
In short, we have by my count:
* Zero CVEs affecting the webkitgtk4 package in F23
* 40 CVEs affecting the webkitgtk4 package in F22
* 129 CVEs affecting the webkitgtk and webkitgtk3 packages in F22/F23
The vast majority of these issues allow for "remote attackers to
execute arbitrary code or cause a denial of service (memory corruption
and application crash) via a crafted web site."
My proposal is to update webkitgtk4 in F22 from 2.8.5 to 2.10.4 and
hope that not much breaks. This is probably relatively safe, since
2.10.4 has been in F23 for a while, I'm not aware of any issues related
to the upgrade, and it's API/ABI compatible. 2.8 -> 2.10 is a major
upgrade encompassing six months of development on WebKit trunk (from
February to August 2015). This means there will inevitably be
regressions. Normally I don't advocate large version updates for stable
Fedora releases, but web engines are special in that it's the only
practical way to provide security support. We can't backport 40 patches
to F22, so if we don't do this update, we should instead announce that
security support for webkitgtk4 is provided only to the latest Fedora
Certainly it's not practical to provide security support for the
webkitgtk or webkitgtk3 packages going forward. We can either remove
them from the distro at some flag date (F25 branch point?), or ignore
the problem like we do for qtwebkit. Probably the latter is a better
approach, since there is a lot that still depends on these packages.
'repoquery --whatrequires webkitgtk' says:
'repoquery --whatrequires webkitgtk3'
= Proposed Self Contained Change: sen - terminal user interface for docker engine =
* Tomas Tomecek <ttomecek AT redhat DOT com>
sen enables you to manage your containers and images interactively
directly from command line. Interface is similar to htop, alot or tig.
== Detailed Description ==
* it can interactively manage your containers and images:
-- manage? start, stop, restart, kill, delete,...
* you are able to inspect containers and images
* sen can fetch logs of containers and even stream logs real-time
* all buffers support searching and filtering
* sen receives real-time updates from docker when anything changes
-- e.g. if you create a container in another terminal, sen will pick it up
* sen notifies you whenever something happens (and reports slow queries)
* supports a lot of vim-like keybindings (j, k, gg, /, ...)
== Scope ==
* package sen to Fedora
* provide information that it's available and documentation on how to use
it (maybe via developer portal, or release notes)
Other developers: N/A (not a System Wide Change)
Release engineering: N/A (not a System Wide Change)
List of deliverables: N/A (not a System Wide Change)
Policies and guidelines: N/A (not a System Wide Change)
Trademark approval: N/A (not needed for this Change)
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
I've been using Fedora with a "simple" LVM setup with no problems for the last 3 years. Recently I've decided to set up my laptop with LVM on top of LUKS in F23. While migration from the previous setup was relatively painless, I've been noting issues with shutdown: I consistently observe logs stating failure to properly deactivate the logical volumes and the LUKS device (as reported by others in bug 1097322, which unfortunately has been closed due to EOL). I don't know if they are spurious, which led me to investigate a bit about how things work, and I'm failing to make sense of it.
I've noticed the existence of `blk-availability.service` in systemd. It's a service that does nothing on start, and calls the `blkdeactivate` executable on system shutdown, after the "special block-device" services (LVM, iSCSI, etc) have stopped. `blkdeactivate` is called with the option to umount devices in use. But I don't see how it can ever succeed for the system root: other services will still be shutting down, and systemd's unmounting phase will not have been reached yet. The same might hold true for non-system-root mounts as well, if services that depend on them are in the same situation.
My understanding was that special block-device handling was a task performed by dracut in the initramfs. It does have a shutdown hook called `dm-shutdown.sh` that uses the `dmsetup` executable to remove any device-mapper devices still enabled. I don't see any shutdown hooks for the LVM module, so I assume the DM module also takes care of them. Is my understanding correct?
Wouldn't it be possible to replace the custom DM hook with a call to `blkdeactivate`, and remove the `blk-availability` service from the "normal root" shutdown? Could that possibly work better than the current setup, since `blkdeactivate` claims to be capable of handling nested device-mapper setups, and to be able to use LVM commands in a more intelligent way (for example, deactivating whole volume groups at once)? Shouldn't `blkdeactivate` at least be told not to unmount the root, as it will always fail?
Apologies if I said anything egregiously wrong, and I'd be glad to be corrected in that case.
Thanks and happy holidays,
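
The ordering problem raised in the message above can be modelled on a device tree. This is an added example, not part of the original mail and not `blkdeactivate`'s or dracut's actual logic: it walks a constructed tree shaped like `lsblk --json` output (device names are made up) bottom-up and marks which device-mapper layers could be deactivated while the root filesystem is still mounted. It assumes every mount other than `/` can already be released.

```python
import json

# Constructed sample shaped like `lsblk --json -o NAME,TYPE,MOUNTPOINT`
# for LVM on top of LUKS; all device names are illustrative.
SAMPLE = json.loads("""
{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
   {"name": "luks-example", "type": "crypt", "mountpoint": null, "children": [
    {"name": "fedora-root", "type": "lvm", "mountpoint": "/"},
    {"name": "fedora-home", "type": "lvm", "mountpoint": "/home"},
    {"name": "fedora-swap", "type": "lvm", "mountpoint": "[SWAP]"}
   ]}
  ]}
 ]}
]}
""")

STACKED = {"crypt", "lvm"}  # device-mapper layers needing explicit teardown


def plan_teardown(node, plan):
    """Post-order walk: devices stacked on top are handled before the
    device they sit on. Returns True if this node, or anything above it,
    backs the running root filesystem and so must stay active."""
    busy = node.get("mountpoint") == "/"
    for child in node.get("children", []):
        busy = plan_teardown(child, plan) or busy
    if node["type"] in STACKED:
        plan.append((node["name"], "blocked" if busy else "deactivate"))
    return busy


def teardown_plan(tree):
    """Return [(device, action)] in the order teardown would be attempted."""
    plan = []
    for dev in tree["blockdevices"]:
        plan_teardown(dev, plan)
    return plan


if __name__ == "__main__":
    for name, action in teardown_plan(SAMPLE):
        print(f"{action:10} {name}")
```

In this model the root LV and the LUKS container beneath it stay blocked for as long as `/` is mounted, while the sibling LVs can be released first.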
koschei is reporting build failures for octave with new nss/libsecret on i386
(works on x86_64):
scripts/statistics/distributions/unidcdf.m ..................X I/O error
*** Error in `/builddir/build/BUILD/octave-4.0.0/src/.libs/lt-octave-gui':
corrupted double-linked list: 0xecd3bf58 ***
seems a weird error, so perhaps just a coincidence but I'm curious if there
are other issues.
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com