docs-qa March 2013

docs-qa@lists.fedoraproject.org

1 participants
35 discussions

[Bug 892673] New: UEFI Secure Boot Guide: suggestions for edits
by Red Hat Bugzilla 27 Jun '14

27 Jun '14

Product: Fedora Documentation https://bugzilla.redhat.com/show_bug.cgi?id=892673 Bug ID: 892673 Summary: UEFI Secure Boot Guide: suggestions for edits Product: Fedora Documentation Version: devel Component: uefi-secure-boot-guide Severity: unspecified Priority: unspecified Reporter: fweimer(a)redhat.com Replace: "With the planned release of Windows 8, Microsoft has decided that all hardware that is marked "Windows 8 client ready" should" With: "Microsoft requires that client devices carrying the Windows 8 logo must" Replace: "This means that Fedora as it stands booted on such hardware will refuse to boot until the user disables secure boot in the firmware." With: "The UEFI boot loader on Fedora installation media and on the installed system are signed with the Microsoft key, to enable booting and installation on such systems." Remove the following paragraph, ending in "This plan has been approved by the Fedora Engineering Steering Committee as of 23-Jul-2012." After: "any operations from userland which cause userland-defined DMA" Insert: "disable support for hibernate/suspend-to-disk, and other features which would allow executing arbitrary code in kernel mode (even for the root user)." -- You are receiving this mail because: You are the QA Contact for the bug.

1 1

[Bug 782916] New: value of security measures; no metric, no scope description
by Red Hat Bugzilla 27 Jun '14

27 Jun '14

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. Summary: value of security measures; no metric, no scope description https://bugzilla.redhat.com/show_bug.cgi?id=782916 Summary: value of security measures; no metric, no scope description Product: Fedora Documentation Version: devel Platform: Unspecified OS/Version: All Status: NEW Severity: unspecified Priority: unspecified Component: security-guide AssignedTo: eric(a)christensenplace.us ReportedBy: budden(a)nps.navy.mil QAContact: docs-qa(a)lists.fedoraproject.org CC: pkennedy(a)redhat.com, eric(a)christensenplace.us, security-guide-list(a)redhat.com, oglesbyzm(a)gmail.com Classification: Fedora Story Points: --- Type: --- Regression: --- Mount Type: --- Documentation: --- Description of problem: The juncture between computer security and network security is inadequate -- too many seams which leaves too many man-in-middle attack opportunities. The most egregious omission in this (otherwise pretty good) document is treatment of SCOPE. This probably belongs in the vicinity of 1.3. Analysis first. Map each of the security solutions you have in the guide onto the ISO Reference Model: Layer 1/2 security measures (like WiFi security) protect frames. The scope of the security is limited to a single segment. No security beyond the router and no security within end systems. Layer 3 security protected datagrams (VPNs do this, IPSec ....). The scope is an enclave tunneled through an internetwork. The protection cannot extend beyond the VPN boxes, so data is wholly unprotected within end systems (and LAN if the VPN box is associated with the last router). Layer 4/5 security includes SSL (aka TLS). You have a how-to for securing an http server (good) but no admonitions regarding scope -- the security extends from the TCP socket in one end system to the TCP socket at the other end of the connection -- again no security inside the OS comes from SSL. All of the above security measures protect infrastructure. But they do not protect the data. Layer 6/7 security measures protect the data. Here the scope _can be_ truly end to end. S/MIME is a good example (so is ssh and XML sign/crypt) where the data passes over the internet and through the OS in protected form. Only in a fairly small space is the data unprotected. In Evolution, for example, only the parts of the UA that deal with composing, reading, ... mail are places where the authenticity and confidentiality of the data is possible. Most of the rest of the UA (including all the filing system deals with data that has been protected exactly the way it's been sent over the network. In the case of Evolution (UAs differ in implementation) secured data is stored in the file system exactly the way it was transmitted. Recommendations: 1) include a mapping similar to above so users have an idea what the scope of this or that security measure is. 2) emphasize those security measures that apply to applications (layer 6/7) as Fedora distribution evolves and matures. (What got me here this morning is the continuing frustration getting Evolution to properly play ball with DoD CAC cards ... works, but doesn't 'just work'). Version-Release number of selected component (if applicable): Security Guide 16.3 (doesn't have a date) How reproducible: The above analysis doesn't invent anything; it only organizes and sorts. Anyone can reproduce it. Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug.

1 2

[Bug 831619] New: Inaccuracy in Fedora 17 “Power Management Guide”
by Red Hat Bugzilla 12 Nov '13

12 Nov '13

https://bugzilla.redhat.com/show_bug.cgi?id=831619 Bug ID: 831619 QA Contact: docs-qa(a)lists.fedoraproject.org Severity: low Version: devel Priority: unspecified CC: ddomingo(a)redhat.com, oglesbyzm(a)gmail.com Assignee: r.landmann(a)redhat.com Summary: Inaccuracy in Fedora 17 “Power Management Guide” Regression: --- Story Points: --- Classification: Fedora OS: Linux Reporter: vaskodd(a)yahoo.com Type: Bug Documentation: --- Hardware: x86_64 Mount Type: --- Status: NEW Component: power-management-guide Product: Fedora Documentation Created attachment 591487 --> https://bugzilla.redhat.com/attachment.cgi?id=591487&action=edit The problem description in .pdf format - easy to follow Hi, First I want to notice I am a Linux newbie and my English is not that good. Now straight to the point! (The same description is available in the attached pdf file and is more easy to follow) I've noticed some inaccuracy in Fedora 17 “Power Management Guide” (Fedora Documentation), particularly in section “2.5. Tuned and ktune” including “2.5.1. The tuned.conf file” and “2.5.2 Tuned-adm”. In section “2.5. Tuned and ktune” right bellow the “yum install tuned” command it's written: “Installing the tuned package also sets up a sample configuration file at /etc/tuned.conf and activates the default profile.” There is no such file in /etc. I found a /etc/tuned/active_profile file containing the following: “/usr/lib/tuned/balanced/tuned.conf”. I'm not sure this file (/etc/tuned.conf) is missing only on my system or it has a new location by default for each profile - /usr/lib/tuned/profileX/tuned.conf. Bellow in this section and in “2.5.1. The tuned.conf file” it is pointed again that the default location for the tuned.conf file is /etc/tuned.conf. In section “2.5.2 Tuned-adm” in the first paragraph it is written “Fedora 17 includes a number of predefined profiles for typical use cases...”. Just to be precise it is good to be mentioned that these profiles are not installed by default with “yum install tuned” command (tuned-2.0.1-1.fc17 package), but can be found in tuned-profile-compat-2.0.1-1.fc17 package (I found it in Gnome Package Manager). Another thing in this section is in the last third of the page where it is written: “All the profiles are stored in separate subdirectories under /etc/tune-profiles. So /etc/tune-profiles/desktop-powersave contains all the necessary files and settings for that profile. Each of these directories contains up to four files:” There /etc/tune-profiles directory does not exist. Instead I found the profiles stored in /run/lib/tuned. Each directory for the corresponding profile typically contains only 2 files - script.sh and tuned.conf. The presence of script.sh is not mentioned in the directories contains description – it is mentioned ktune.sh insetad. That's all. I hope this is helpful. Best regards Vasil Draganov Fedora 17 3.4.0-1.fc17.x86_64 P.S. “Power Management Guide” is great. It's really useful. The moment i run tuned service i noticed how quieter my laptop became (less heat – less fan needed :) ). The first thing I noticed about new Fedora installation was that the laptop was noisier in comparison to Win7 (I dual-boot with Win7). Tuned just fixed that :) Many thanks to the creators of Fedora Documentation!!! -- You are receiving this mail because: You are the QA Contact for the bug.

1 9

[Bug 919666] New: Update Old links to Announce mailing list
by Red Hat Bugzilla 17 Sep '13

17 Sep '13

Product: Fedora Documentation https://bugzilla.redhat.com/show_bug.cgi?id=919666 Bug ID: 919666 Summary: Update Old links to Announce mailing list Product: Fedora Documentation Version: devel Component: install-guide Severity: unspecified Priority: unspecified Reporter: bryan.sutherland(a)gmail.com Description of problem:URL pointing to mailman "fedora-announce-list" points to old location on RH server. Link needs to be updated to point to https://admin.fedoraproject.org/mailman/listinfo/announce 18.4. Subscribing to Fedora Announcements and News To receive information about package updates, subscribe to either the announcements mailing list, or the RSS feeds. Fedora Project announcements mailing list https://www.redhat.com/mailman/listinfo/fedora-announce-list Version-Release number of selected component (if applicable): How reproducible: Everytime Steps to Reproduce: 1.Read section 18.1 of Install Guide 2. 3. Actual results: Expected results: Should be linked to https://admin.fedoraproject.org/mailman/listinfo/announce Additional info: -- You are receiving this mail because: You are the QA Contact for the bug.

1 3

[Bug 857583] New: Typo - Page pertaining to Fedora 17 has links to Fedora 16
by Red Hat Bugzilla 17 Sep '13

17 Sep '13

https://bugzilla.redhat.com/show_bug.cgi?id=857583 Bug ID: 857583 QA Contact: docs-qa(a)lists.fedoraproject.org Severity: medium Version: devel Priority: unspecified CC: oglesbyzm(a)gmail.com Assignee: rlandman(a)redhat.com Summary: Typo - Page pertaining to Fedora 17 has links to Fedora 16 Regression: --- Story Points: --- Classification: Fedora OS: Linux Reporter: kellybellis(a)gwi.net Type: Bug Documentation: --- Hardware: i686 Mount Type: --- Status: NEW Component: installation-quick-start-guide Product: Fedora Documentation Description of problem: URL looks like it might need attention Version-Release number of selected component (if applicable): Fedora 17 Live CD Image File How reproducible: typo - seems so at any rate Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: at page:http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Quick_… Link is to The image file for the Fedora 17 live CD is available from http://download.fedoraproject.org/pub/fedora/linux/releases/16/Live/i686/Fe…. Shouldn't this be 17 instead of 16 -- You are receiving this mail because: You are the QA Contact for the bug.

1 3

[Bug 857729] New: Build errors out due to missing Package_Selection-dvd.xml file.
by Red Hat Bugzilla 17 Sep '13

17 Sep '13

https://bugzilla.redhat.com/show_bug.cgi?id=857729 Bug ID: 857729 QA Contact: docs-qa(a)lists.fedoraproject.org Severity: high Version: devel Priority: unspecified CC: oglesbyzm(a)gmail.com Assignee: rlandman(a)redhat.com Summary: Build errors out due to missing Package_Selection-dvd.xml file. Regression: --- Story Points: --- Classification: Fedora OS: Unspecified Reporter: joat(a)757.org Type: Bug Documentation: --- Hardware: Unspecified Mount Type: --- Status: NEW Component: installation-quick-start-guide Product: Fedora Documentation Description of problem: Publican issues the following error when trying to build the Installation Quick Start Guide: FATAL ERROR: XInclude:1604 in Installation_Quick_Start_Guide.xml on line 37: could not load Package_Selection-dvd.xml, and no fallback was found Verified that Package_Selection-dvd.xml does not exist in en-US/. Version-Release number of selected component (if applicable): How reproducible: consistent Steps to Reproduce: 1. mkdir projects 2. cd projects 3. git clone git://git.fedorahosted.org/git/docs/installation-quick-start-guide.git 4. cd installation-quick-start-guide 5. publican build --langs=en-US --formats=html Same error is emitted for --formats=pdf Actual results: Expected results: Additional info: -- You are receiving this mail because: You are the QA Contact for the bug.

1 3

[Bug 836383] New:=?UTF-8?Q?=20Merging=20teams=20and=E2=80=A6=20zanata=20or=20TXN?=?!
by Red Hat Bugzilla 12 Aug '13

12 Aug '13

https://bugzilla.redhat.com/show_bug.cgi?id=836383 Bug ID: 836383 QA Contact: docs-qa(a)lists.fedoraproject.org Severity: high Version: devel Priority: unspecified CC: oglesbyzm(a)gmail.com Assignee: rlandman(a)redhat.com Summary: Merging teams and… zanata or TXN?! Regression: --- Story Points: --- Classification: Fedora OS: Unspecified Reporter: kev.raymond(a)gmail.com Type: Bug Documentation: --- Hardware: Unspecified Mount Type: --- Status: NEW Component: installation-quick-start-guide Product: Fedora Documentation Hi, I am a maintainer of this guide at TXN, but before doing the full merge, i wanted to be sure… https://fedora.transifex.com/projects/p/fedora-ins-quick-start-guide/ * fb03c3c Adding zanata config file I can see some zanata things. You serious guys, you are moving to zanata? If so… * Please *MERGE* before. * Also, be notified that you won't benefit of any Fedora translators. Only RH folks are there… That's not good, we use a unified platform, already spreading translators between teams… having many platform is going to be a pain. * delete the transifex one. And prevent us, translators… If the project stay at TXN, why it does not have any .tx/config file? (or no lang_map?) Could I help? Thanks, -- You are receiving this mail because: You are the QA Contact for the bug.

1 5

[Bug 920298] New: press "any key" to show GRUB menu incorrect
by Red Hat Bugzilla 31 Jul '13

31 Jul '13

Product: Fedora Documentation https://bugzilla.redhat.com/show_bug.cgi?id=920298 Bug ID: 920298 Summary: press "any key" to show GRUB menu incorrect Product: Fedora Documentation Version: devel Component: install-guide Severity: unspecified Priority: unspecified Reporter: bugzilla(a)colorremedies.com Description of problem: Documentation says to use "any key" to get to a hidden GRUB menu on startup, needs to be changed to Esc key. Version-Release number of selected component (if applicable): 18 Actual results: http://docs.fedoraproject.org/en-US/Fedora/18/html/Installation_Guide/s1-gr… "any key" appears twice "a key" appears once Expected results: All three should say "Esc key" -- You are receiving this mail because: You are the QA Contact for the bug.

1 3

[Bug 891467] New: Need a section in the install guide regarding pxe booting on UEFI systems
by Red Hat Bugzilla 31 Jul '13

31 Jul '13

Product: Fedora Documentation https://bugzilla.redhat.com/show_bug.cgi?id=891467 Bug ID: 891467 Summary: Need a section in the install guide regarding pxe booting on UEFI systems Product: Fedora Documentation Version: devel Component: uefi-secure-boot-guide Severity: unspecified Priority: unspecified Reporter: jreed(a)redhat.com Depends On: 871565 +++ This bug was initially created as a clone of Bug #871565 +++ Description of problem: Fedora 18 will see greater use of UEFI systems, and as such we should round out our documentation regarding how to boot UEFI systems via other common methods besides those already addressed. Most notably the use of pxe boot in UEFI environments will now be available with secure boot enabled via both ipv4 and ipv6 the by using shim layer code: https://github.com/mjg59/shim We should further document how to boot a system and setup a pxe server to allow booting UEFI systems in this manner --- Additional comment from Jack Reed on 2012-11-12 01:01:52 EST --- Thanks Neil. Are you able to give me some details on how the procedure for setting up a PXE server for EFI would need to be changed to account for this? http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/s1-ne… And I expect the "Booting from the Network using PXE" section needs to be tweaked to account for EFI as well: http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/sn-bo… Are you able to tell me how this process differs on EFI systems? And what else would you like included here or elsewhere, particularly with regard to secure boot being enabled via via both ipv4 and ipv6 the by using shim layer code? I'm unclear on how this affects the procedure/s. And what are the other common methods that are not addressed that you would like to see covered? --- Additional comment from Neil Horman on 2012-12-18 11:19:16 EST --- Jack I'm sorry, the description above isn't complete. The additional need for documentation here is not exclusively to support UEFI systems, but to support them using PXE for IPV4 and IPV6 using non secureboot and secureboot environments. The documentation you have covers IPV4 in a non-secureboot environment. I'll try to touch on the general changes that need to be made in each case: PXE+UEFI+IPV4+NO Secureboot - You're good to go, no changes need to be made PXE+UEFI+IPV6+No Secureboot - the server dhcp6 option is not filename, you need to instead specify bootfile-url option, which is a text string of the form: bootfile-url="tftp://[ipv6-address-in-brackets]/path/to/grub.efi PXE+UEFI+[IPv4|IPV6]+Secureboot - You can't boot grub directly with secureboot enabled, as its unsigned. We're in the process of getting the shim utility: https://github.com/mjg59/shim It will be signed and needs to be specified as the filename option or the bootfile-url option on the dhcp server. The shim utility will be downloaded, validated, and then it will be responsible for downloading the actual grub image (which must be named grub.efi or grubx64.efi and be tftp-able from the same location that the shim image was located at) So, I'm not sure at how you're looking to organize the docs for fedora (if you want to document secureboot booting procedures separately from non-secureboot environments or not), but thats the information that I was hoping to cover in this bz. If you feel like you have all that information in various locations, and can ennumerate them here, I think that would satisfy this bz in my mind. If any of it is missing however, and can be added, I would greatly appreciate it. I've got some virtual qemu guests setup to run an IPv6+UEFI+secure boot emulated environment here which you're welcome to poke around with to help flesh out the instructions if need be. And of course, I'm happy to answer any further quesstions you might have here. Thanks! Neil --- Additional comment from Jack Reed on 2012-12-19 00:31:51 EST --- Thanks for this, Neil. Having the distinct requirements for each use case outlined is really useful. However, I'm still not clear on the context or exact format of these configuration changes. Are they made in /etc/dhcp/dhcpd.conf, a sample of which is provided in step 4 of the following? http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/s1-ne… If so, I assume that 'filename "pxelinux/bootia32.efi";' should be replaced with 'bootfile-url="tftp://[ipv6-address-in-brackets]/path/to/grub.efi' (in the second use case you outline) or whatever is required for the third use case. Is that correct? But the config file in step 4 is only an example, and the filename strings in it are relevant in case certain conditions are met, whereas the filename and bootname-url strings you're referring to are perhaps uniform rather than conditional. Would you mind providing quick edited versions of that sample config file that incorporate these IPv6 and IPv4/6 Secureboot strings? (I'm particularly unclear on how to configure the latter.) Assuming that's where the editing needs to be done, of course. If it is, then explaining what is needed for IPv6 and SecureBoot in the 'Configuring for EFI' procedure may be enough, as opposed to breaking them off into another procedure. If the steps prove too difficult to integrate though, I will break them off. That said, you might be interested in an F18 draft document I've just been reminded of: http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html-sin… It's only in the early stages, but the material you want to add may also be beneficial here. Or you may feel that it is best suited to that guide alone. I don't have the perspective on the applicability of this new material to gauge that, so let me know what you think. --- Additional comment from Neil Horman on 2012-12-19 09:11:43 EST --- Sure, I'll attach my sample configs in a bit. To answer your specific questions above: 1) When configuring pxe for IPv6 vs. IPv4, the dhcp server configuration needs to change. Specifially, when using ipv4 you need to specify the filename dhcp option, exactly as it appears in the current netboot document you reference above When configuring pxe for ipv6 (weather or not you use secure boot, or UEFI for that matter), in addition to modifying the dhcp server configuration to serve ipv6 addresses, pxe support requires that you, instead of using the filename dhcp option to specify the file to download, you instead use the bootfile-url option, which is formatted as I noted above (its also expanded on in the dhcp-options man page). Note this change is orthogonal to any changes required to enable secureboot over pxe. This is just the change needed to support ipv6 pxe boot. As you not above, your configuration example is just that, an example. I don't know if you want to expand on it to demonstrate how pxe works differently with ipv6. If you do however (and I think it would be a good idea), the bootfile-url option is what you need to document. 2) Secureboot, when enabling secureboot, you have to make some additional changes. Specifically you have to specify a special file to download (not just the grub bootloader). This is because grub won't be signed with the master key. The shim utility I mentioned before will. If you're trying to boot a system via pxe in UEFI secure boot mode using ipv4, you have to use the filename dhcp option to specify that the shim utilty file be downloaded, whereas if you are booting a system via pxe in UEFI secure boot mode over ipv6, then you need to specify the shim utilty file on the dhcp server using the bootfile-url option. Note that if you are _not_ in secure boot mode, then you can specify any pxe boot file that you want on the server. Thats the meat of the change here: When in secure boot mode you need to specify the shim utilty as the file to download via tftp, as opposed to operating in non-secure-boot mode, when you can download and run any arbitrary file. Looking at your Secure boot page, I think thats a good start. Perhaps thats how this documentation should be split up - item (1) above can be edited into the netboot documentation, to show how the dhcp server config changes when using ipv6, and item (2) can be discussed in the secure boot page (since the shim utiltiy is requried when using secure boot, regardless of weather your booting locally or via pxe). I'll attach my sample dhcpd6.conf file in just a moment. --- Additional comment from Neil Horman on 2012-12-19 09:49:06 EST --- Created attachment 666108 sample dhcpd6.conf file Heres my example dhcpd6.conf file, which uses the bootfile-url option. Note that it specifies the shim.efi utility. This setup was used to boot a system in secure boot mode. If we weren't in secure boot mode, we could download any file we wanted. As it is, the shim utility is signed, alowing it to be run in secure boot mode. Once its validated, it will attempt to download the grubx[32|64].efi file from the same location it was downloaded from. -- You are receiving this mail because: You are the QA Contact for the bug.

1 2

[Bug 919665] New: Dead link in Install Guide pointing to yum update settings
by Red Hat Bugzilla 29 Jul '13

29 Jul '13

Product: Fedora Documentation https://bugzilla.redhat.com/show_bug.cgi?id=919665 Bug ID: 919665 Summary: Dead link in Install Guide pointing to yum update settings Product: Fedora Documentation Version: devel Component: install-guide Severity: medium Priority: unspecified Reporter: bryan.sutherland(a)gmail.com Depends On: 901692 Section 18.1 - Updating Your System, has a link pointing to a non-existent set of instructions for configuring daily updates with yum. The particular paragraph is: "If your Fedora system has a permanent network connection, you may choose to enable daily system updates. To enable automatic updates, follow the instructions on the webpage http://docs.fedoraproject.org/yum/sn-updating-your-system.html." Is anyone aware of where this doc set may have gone? -- You are receiving this mail because: You are the QA Contact for the bug.

1 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

docs-qa March 2013