https://bugzilla.redhat.com/show_bug.cgi?id=1310542
https://fedorahosted.org/fedora-security-team/ticket/1
I'm not sure if this belongs in security@ or security-team@ so I've
just flipped a coin.
On macOS there are three distribution+security paths:
- unsigned, and the user is blocked from running the app by default
but they can disable this one time for that application installer or
for all installers
- dev signed, developer distributed
- dev signed, and Apple signed, App Store distributed
Dev keys are only available through the Apple Developer Program, and
only sign code through Xcode. There is a way to sign code through a
3rd party, but macOS treats it as unsigned; the user would have to use
the CLI to verify the signing of the binary.
There are details in here I'm not certain of, but there is a
qualitative difference in sandboxing of App Store distributed apps.
I'm not certain they can do privilege escalation. In order to image an
ISO to a USB stick on macOS I have to use 'sudo dd' to have the
privileges to write to a raw device.
As for compiling, I'm not totally certain it has to happen within
Xcode on macOS, but the signing of the binary happens with Xcode, which
only runs on macOS. Primary development can happen elsewhere, but
eventually it gets built on Apple hardware, OS, and dev tools. A good
chunk of that is controllable by CLI.
I wonder if there's a way to ship this as a Docker for Mac container
instead? It's still beta, but uses HyperKit framework which is an
Apple provided library rather than depending on VirtualBox. So I'd
also consider evaluating this path since it may turn out to be the
path of least resistance for getting an initial tool on macOS.
--
Chris Murphy
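As an added example (not part of Chris's message or of any Fedora project code), the CLI check described above can be scripted: `codesign -dvv` prints the certificate chain as `Authority=` lines, and the leaf authority tells the three distribution paths apart. The sample outputs below are constructed, and the exact Authority strings and the "not signed at all" message are assumed from common codesign output.

```python
"""Classify a macOS binary's distribution path from `codesign -dvv` output.

Added example, not from the original thread. Maps the certificate chain
that codesign prints (leaf first) onto the three paths in the message:
unsigned, Developer ID (developer distributed), App Store (Apple signed).
"""
import subprocess

UNSIGNED = "unsigned"
DEVELOPER_ID = "dev signed, developer distributed"
APP_STORE = "dev signed, and Apple signed, App Store distributed"
OTHER = "signed, but not with an Apple-issued distribution certificate"


def classify(codesign_output: str) -> str:
    """Map codesign -dvv text (it reports on stderr) to a distribution path."""
    if "not signed at all" in codesign_output:
        return UNSIGNED
    authorities = [line.split("=", 1)[1].strip()
                   for line in codesign_output.splitlines()
                   if line.startswith("Authority=")]
    if not authorities:
        # Ad-hoc or third-party signatures carry no Apple certificate chain;
        # Gatekeeper treats these like unsigned code, as the message notes.
        return OTHER
    leaf = authorities[0]  # first Authority= line is the leaf certificate
    if leaf.startswith("Apple Mac OS Application Signing"):
        return APP_STORE
    if leaf.startswith("Developer ID Application:"):
        return DEVELOPER_ID
    return OTHER


def classify_path(path: str) -> str:
    """Run codesign against a real binary (macOS only) and classify it."""
    proc = subprocess.run(["codesign", "-dvv", path],
                          capture_output=True, text=True)
    return classify(proc.stderr)


# Constructed samples modelled on codesign's output format (assumed, not captured)
SAMPLE_APP_STORE = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
"""
SAMPLE_DEV_ID = """Executable=/Applications/Tool.app/Contents/MacOS/Tool
Identifier=org.example.tool
Authority=Developer ID Application: Example Org (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
SAMPLE_UNSIGNED = "/usr/local/bin/foo: code object is not signed at all\n"
SAMPLE_ADHOC = "Executable=/tmp/a.out\nIdentifier=a.out\nSignature=adhoc\n"
```

`classify()` runs anywhere on saved output; `classify_path()` needs a macOS host with the codesign tool.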
-------- Forwarded Message --------
Subject: Retiring sectool
From: dkopecek(a)redhat.com
To: devel(a)lists.fedoraproject.org
Date: Mon, 13 Jun 2016 14:03:49 -0000
Dear all,
I have retired the sectool package in rawhide. It will still be available in Fedora 24 because the f24 branch is past the final freeze and packages cannot be retired there.
Retiring this package is long overdue. The sectool project is no longer developed nor maintained upstream. As a replacement, you can try the OpenSCAP project [1,2] and its sectool SCL content (openscap-content-sectool package).
R.I.P. sectool
[1] https://www.open-scap.org
[2] https://github.com/OpenSCAP
Regards,
--
Daniel Kopeček
Software Engineer, Special Projects
Red Hat, Inc.
In the IRC channel yesterday, fenrus02, Sparks and I were chatting
about some of the tools in the wiki and how some are becoming or have
been ancient. With this retirement of sectool in Rawhide, I think we
should at the very least make mention of the pending deprecation and
start phasing OpenSCAP into both our personal uses and the apprentice
training regime.
On a semi related tangent:
Can all ACTIVE members of the FAS group security-team please review [1]
and either update their info OR request addition to the roster? I, of
course, would like to be added to that roster.
Also, may I suggest a monthly email, much like what Kevin (nirik) does
with the Infra team (like [2]), with basic info and metrics on active
members, to keep the group fresh and active?
[1] https://fedoraproject.org/wiki/Security_Team_Roster
[2]
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedorapr…
----
Corey W. Sheldon
PGP:
0x5A88E539 / C006 564F FA67 CDEA E29B F202 8B4E 8943 5A88 E539
0xD2264944 / 6292 9ABD 6374 6AA7 6D4B 730F 5927 6298 D226 4944
Find me elsewhere: https://gist.github.com/linux-modder/ac5dc6fa211315c633c9