Re: Half-OT: Secure boot and third party kernel modules
On 07/06/2014 07:10 PM, Sergio Belkin wrote:
> So, the question is: Is it worth signing "my own" kernel?

Only if you keep your own key on a sufficiently separated machine, otherwise it's equivalent to disabling Secure Boot anyway. It's also not clear if the Virtualbox kernel modules themselves are capable of bypassing Secure Boot, so the entire effort might be futile for this reason as well.

Note that Microsoft's current policy may not allow unrestricted virtualization (KVM or Virtualbox—does not matter) because that "permits launch of another operating system instance after execution of unauthenticated code"—the wording is rather unclear. If Microsoft clarifies that this is forbidden, a future Fedora update will remove this functionality, so you will be forced to disable Secure Boot at this point anyway if you want to continue to use virtualization.

--
Florian Weimer / Red Hat Product Security
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
easy review: abduco
Hi,

I've just submitted[0] abduco package for review. Because program is small I think review should take minimal time. Please review it.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1116653

--
-Igor Gnatenko
Re: Half-OT: Secure boot and third party kernel modules
On Sun, Jul 06, 2014 at 02:10:45PM -0300, Sergio Belkin wrote:
> I've found that Oracle VirtualBox kernel modules are not signed so I have to
> disable secure boot. Oracle says that is not a VirtualBox bug. And Fedora
> cannot sign it because of license, can it?

Correct. You can generate your own key, enroll it with mokutil and then sign the modules with that key.

--
Matthew Garrett | mj...@srcf.ucam.org
Half-OT: Secure boot and third party kernel modules
Hi Fedora folks,

I've found that Oracle VirtualBox kernel modules are not signed so I have to disable secure boot. Oracle says that is not a VirtualBox bug. And Fedora cannot sign it because of license, can it?

So, the question is: Is it worth signing "my own" kernel? Of course I can circumvent this problem simply by disabling secureboot... what do you think, is there a simple way of doing that, or should I spend a weekend doing all of it?

I've found this: http://www.linuxfoundation.org/news-media/blogs/browse/2013/09/booting-self-signed-linux-kernel

Can I sign only the virtualbox kernel module, or should I recompile the entire kernel and sign it?

Thanks in advance!

--
Sergio Belkin
http://www.sergiobelkin.com
LPIC-2 Certified - http://www.lpi.org
Re: WARNING: malicious code
On Sun, Jul 06, 2014 at 01:41:08PM +0200, Sandro Mani wrote:
>
> On 06.07.2014 13:38, drago01 wrote:
> >On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
> >>| 301 os.chdir("/")
> >>| 302 shutil.rmtree(os.getcwd())
> >Ouch ... can we ban this guy from Fedora?
> This is a bit dramatic. I really sincerely apologize for this and please
> realize that I wrote this with the best intentions. I've fixed the issue...

Thank you for taking care of it so fast.

Kind regards
Till
Re: WARNING: malicious code
On 06.07.2014 13:59, Reindl Harald wrote:
> On 06.07.2014 13:51, Sandro Mani wrote:
>> On 06.07.2014 13:48, Reindl Harald wrote:
>>> On 06.07.2014 13:41, Sandro Mani wrote:
>>>> On 06.07.2014 13:38, drago01 wrote:
>>>>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>>>>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>>>>> * A script automating most of the process of validating and processing the
>>>>>>> request can be found at
>>>>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>>>> Do not run this script, because it contains malicious code that
>>>>>> might remove all files from your system! The code can be found in lines
>>>>>> 301-302:
>>>>>>
>>>>>> | 301 os.chdir("/")
>>>>>> | 302 shutil.rmtree(os.getcwd())
>>>>> Ouch ... can we ban this guy from Fedora?
>>>> This is a bit dramatic. I really sincerely apologize for this and please
>>>> realize that I wrote this with the best intentions. I've fixed the issue...
>>> how can a "rm -rf currentdir" happen by accident?
>>> and that combined with make / to the current dir?
>>>
>>> line 302 is a no-go in general
>>> line 301 before that smells like intention
>>>
>>> i can't imagine that two lines together happen by mistake
>> It was a line ordering issue.
>> The cwd before that call was the temporary directory.
>> Please trust me, I really feel bad about this, and will never again push
>> code which was written late at night.
>> Again, I really apologize
> accepted - but "shutil.rmtree(os.getcwd())" is in general not a line ordering issue it's from a developers perspective because it leads *always* to unpredictable behavior if the "chdir" fails for whatever reason, be it a typo, wrong permissions somewhere or SELinux comes in place that's horrible dangerous in any context

Fully accepted, and trust me, I fully realize how utterly stupid the code was. I probably was just over-eager to get the script done and go to bed. I just really hope that I did not cause any loss of data to anyone.
Re: WARNING: malicious code
On Sun, Jul 6, 2014 at 1:41 PM, Sandro Mani wrote:
>
> On 06.07.2014 13:38, drago01 wrote:
>>
>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>>>
>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>> * A script automating most of the process of validating and processing the
>>>> request can be found at
>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>
>>> Do not run this script, because it contains malicious code that
>>> might remove all files from your system! The code can be found in lines
>>> 301-302:
>>>
>>> | 301 os.chdir("/")
>>> | 302 shutil.rmtree(os.getcwd())
>>
>> Ouch ... can we ban this guy from Fedora?
>
> This is a bit dramatic. I really sincerely apologize for this and please
> realize that I wrote this with the best intentions. I've fixed the issue...

OK that was indeed a bit premature I should have waited for you to respond before drawing any conclusions.
Re: FEVer or?
2014-07-06 13:59 GMT+02:00 Conrad Meyer:
> Hi lazy-list,
>
> Back in the day, there was FEver for monitoring new upstream
> releases. Is that still what we use, or is there a new thing
> now? And where does it live? Cursory googling failed to
> locate it.
>

It's called cnucnu
All details here:
http://fedoraproject.org/wiki/Upstream_release_monitoring

Regards,
H.

> Thanks,
> Conrad
Re: FEVer or?
Put this in the bookmarks: https://fedoraproject.org/wiki/Upstream_release_monitoring
Re: WARNING: malicious code
2014-07-06 13:51 GMT+02:00 Sandro Mani:
>
> It was a line ordering issue.
> The cwd before that call was the temporary directory.
> Please trust me, I really feel bad about this, and will never again push
> code which was written late at night. Again, I really apologize.
>

Sounds likely, I was more worried that your credentials were stolen.

@everyone mistakes *happen*, don't be hasty
http://fedoraproject.org/en/code-of-conduct

This stresses the importance of code review, and not running code that has been reviewed once.

best regards,
H.
Re: WARNING: malicious code
On 06.07.2014 13:51, Sandro Mani wrote:
> On 06.07.2014 13:48, Reindl Harald wrote:
>>
>> On 06.07.2014 13:41, Sandro Mani wrote:
>>> On 06.07.2014 13:38, drago01 wrote:
>>>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>>>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>>>> * A script automating most of the process of validating and processing the
>>>>>> request can be found at
>>>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>>> Do not run this script, because it contains malicious code that
>>>>> might remove all files from your system! The code can be found in lines
>>>>> 301-302:
>>>>>
>>>>> | 301 os.chdir("/")
>>>>> | 302 shutil.rmtree(os.getcwd())
>>>> Ouch ... can we ban this guy from Fedora?
>>> This is a bit dramatic. I really sincerely apologize for this and please
>>> realize that I wrote this with the best
>>> intentions. I've fixed the issue...
>> how can a "rm -rf currentdir" happen by accident?
>> and that combined with make / to the current dir?
>>
>> line 302 is a no-go in general
>> line 301 before that smells like intention
>>
>> i can't imagine that two lines together happen by mistake
>>
> It was a line ordering issue.
> The cwd before that call was the temporary directory.
> Please trust me, I really feel bad about this, and will never again push code
> which was written late at night.
> Again, I really apologize

accepted - but "shutil.rmtree(os.getcwd())" is in general not a line ordering issue it's from a developers perspective because it leads *always* to unpredictable behavior if the "chdir" fails for whatever reason, be it a typo, wrong permissions somewhere or SELinux comes in place that's horrible dangerous in any context
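An added example, not part of the original thread and not code from the script under discussion: the cleanup pattern the messages above argue for, in which the directory to delete is the path recorded when it was created rather than whatever os.getcwd() returns, and deletion is refused unless that path resolves inside an expected parent. The names checked_rmtree, scratch_dir, UnsafeDeleteError and demo are hypothetical, and the demo only touches temp directories it creates itself.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager
from pathlib import Path


class UnsafeDeleteError(Exception):
    """Raised when a delete target fails the safety checks."""


def checked_rmtree(target, must_be_under):
    """Delete `target` only if it resolves to a directory strictly inside `must_be_under`."""
    target = Path(target).resolve()
    base = Path(must_be_under).resolve()
    if target == Path(target.anchor):
        raise UnsafeDeleteError(f"refusing to delete filesystem root {target}")
    if base not in target.parents:
        raise UnsafeDeleteError(f"{target} is not inside {base}")
    if not target.is_dir():
        raise UnsafeDeleteError(f"{target} is not a directory")
    shutil.rmtree(target)
    return target


@contextmanager
def scratch_dir(prefix="scratch-"):
    """Run a block inside a fresh temp dir; cleanup never consults os.getcwd()."""
    previous = Path.cwd()
    workdir = Path(tempfile.mkdtemp(prefix=prefix)).resolve()
    try:
        os.chdir(workdir)  # if this fails, cleanup still targets workdir, not the cwd
        yield workdir
    finally:
        os.chdir(previous)  # leave the directory first
        checked_rmtree(workdir, must_be_under=tempfile.gettempdir())


def demo():
    """Exercise the cases from the thread on constructed temp directories."""
    results = {}
    start = Path.cwd()
    with scratch_dir() as work:
        (work / "patch.diff").write_text("constructed sample\n")
        os.chdir(os.sep)  # cwd drifts to the root, as in the reported lines 301-302
    results["workdir_removed"] = not work.exists()
    results["cwd_restored"] = Path.cwd() == start

    # The root is rejected by the guard before shutil.rmtree is ever reached.
    try:
        checked_rmtree(os.sep, must_be_under=tempfile.gettempdir())
        results["root_refused"] = False
    except UnsafeDeleteError:
        results["root_refused"] = True

    # A directory outside the allowed parent is rejected and left intact.
    allowed = Path(tempfile.mkdtemp(prefix="allowed-"))
    other = Path(tempfile.mkdtemp(prefix="other-"))
    try:
        checked_rmtree(other, must_be_under=allowed)
        results["outside_refused"] = False
    except UnsafeDeleteError:
        results["outside_refused"] = True
    results["outside_intact"] = other.is_dir()
    for leftover in (allowed, other):
        checked_rmtree(leftover, must_be_under=tempfile.gettempdir())
    return results


if __name__ == "__main__":
    print(demo())
```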
FEVer or?
Hi lazy-list,

Back in the day, there was FEver for monitoring new upstream releases. Is that still what we use, or is there a new thing now? And where does it live? Cursory googling failed to locate it.

Thanks,
Conrad
Re: WARNING: malicious code (was: Re: [Announce] Simple Patch Policy)
On Sun, Jul 6, 2014 at 1:54 PM, Christopher Meng wrote:
> On Sun, Jul 6, 2014 at 7:38 PM, drago01 wrote:
>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>> * A script automating most of the process of validating and processing the
>>>> request can be found at
>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>
>>> Do not run this script, because it contains malicious code that
>>> might remove all files from your system! The code can be found in lines
>>> 301-302:
>>>
>>> | 301 os.chdir("/")
>>> | 302 shutil.rmtree(os.getcwd())
>>
>> Ouch ... can we ban this guy from Fedora?
>
> Why it's considered as "simple"? I couldn't find it behind.

I can't parse that.
Re: WARNING: malicious code (was: Re: [Announce] Simple Patch Policy)
On Sun, Jul 6, 2014 at 7:38 PM, drago01 wrote:
> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>
>>> * A script automating most of the process of validating and processing the
>>> request can be found at
>>>
>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>
>> Do not run this script, because it contains malicious code that
>> might remove all files from your system! The code can be found in lines
>> 301-302:
>>
>> | 301 os.chdir("/")
>> | 302 shutil.rmtree(os.getcwd())
>
> Ouch ... can we ban this guy from Fedora?

Why it's considered as "simple"? I couldn't find it behind.

Yours sincerely,
Christopher Meng
Noob here.
http://cicku.me
Re: WARNING: malicious code
On 06.07.2014 13:48, Reindl Harald wrote:
> On 06.07.2014 13:41, Sandro Mani wrote:
>> On 06.07.2014 13:38, drago01 wrote:
>>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>>> * A script automating most of the process of validating and processing the
>>>>> request can be found at
>>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>> Do not run this script, because it contains malicious code that
>>>> might remove all files from your system! The code can be found in lines
>>>> 301-302:
>>>>
>>>> | 301 os.chdir("/")
>>>> | 302 shutil.rmtree(os.getcwd())
>>> Ouch ... can we ban this guy from Fedora?
>> This is a bit dramatic. I really sincerely apologize for this and please
>> realize that I wrote this with the best intentions. I've fixed the issue...
> how can a "rm -rf currentdir" happen by accident?
> and that combined with make / to the current dir?
>
> line 302 is a no-go in general
> line 301 before that smells like intention
>
> i can't imagine that two lines together happen by mistake

It was a line ordering issue.
The cwd before that call was the temporary directory.
Please trust me, I really feel bad about this, and will never again push code which was written late at night.
Again, I really apologize.
Re: WARNING: malicious code
On 06.07.2014 13:46, Igor Gnatenko wrote:
> Hi,
>
> On Sun, Jul 6, 2014 at 3:41 PM, Sandro Mani wrote:
>> On 06.07.2014 13:38, drago01 wrote:
>>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>>> * A script automating most of the process of validating and processing the
>>>>> request can be found at
>>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>> Do not run this script, because it contains malicious code that
>>>> might remove all files from your system! The code can be found in lines
>>>> 301-302:
>>>>
>>>> | 301 os.chdir("/")
>>>> | 302 shutil.rmtree(os.getcwd())
>>> Ouch ... can we ban this guy from Fedora?
>> This is a bit dramatic. I really sincerely apologize for this and please
>> realize that I wrote this with the best intentions. I've fixed the issue...
> Seems that you have NOT fixed issue.
>
> --
> -Igor Gnatenko

I pushed one second ago...
Re: WARNING: malicious code
On 06.07.2014 13:41, Sandro Mani wrote:
> On 06.07.2014 13:38, drago01 wrote:
>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>> * A script automating most of the process of validating and processing the
>>>> request can be found at
>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>> Do not run this script, because it contains malicious code that
>>> might remove all files from your system! The code can be found in lines
>>> 301-302:
>>>
>>> | 301 os.chdir("/")
>>> | 302 shutil.rmtree(os.getcwd())
>> Ouch ... can we ban this guy from Fedora?
>
> This is a bit dramatic. I really sincerely apologize for this and please
> realize that I wrote this with the best
> intentions. I've fixed the issue...

how can a "rm -rf currentdir" happen by accident?
and that combined with make / to the current dir?

line 302 is a no-go in general
line 301 before that smells like intention

i can't imagine that two lines together happen by mistake
Re: WARNING: malicious code
Hi,

On Sun, Jul 6, 2014 at 3:41 PM, Sandro Mani wrote:
>
> On 06.07.2014 13:38, drago01 wrote:
>>
>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>>>
>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>> * A script automating most of the process of validating and processing the
>>>> request can be found at
>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>
>>> Do not run this script, because it contains malicious code that
>>> might remove all files from your system! The code can be found in lines
>>> 301-302:
>>>
>>> | 301 os.chdir("/")
>>> | 302 shutil.rmtree(os.getcwd())
>>
>> Ouch ... can we ban this guy from Fedora?
>
> This is a bit dramatic. I really sincerely apologize for this and please
> realize that I wrote this with the best intentions. I've fixed the issue...

Seems that you have NOT fixed issue.

--
-Igor Gnatenko
Re: WARNING: malicious code
On 06.07.2014 13:38, drago01 wrote:
> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>> * A script automating most of the process of validating and processing the
>>> request can be found at
>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>> Do not run this script, because it contains malicious code that
>> might remove all files from your system! The code can be found in lines
>> 301-302:
>>
>> | 301 os.chdir("/")
>> | 302 shutil.rmtree(os.getcwd())
> Ouch ... can we ban this guy from Fedora?

This is a bit dramatic. I really sincerely apologize for this and please realize that I wrote this with the best intentions. I've fixed the issue...
Re: WARNING: malicious code (was: Re: [Announce] Simple Patch Policy)
On Sun, Jul 6, 2014 at 1:04 PM, Till Maas wrote:
> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>
>> * A script automating most of the process of validating and processing the
>> request can be found at
>>
>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>
> Do not run this script, because it contains malicious code that
> might remove all files from your system! The code can be found in lines
> 301-302:
>
> | 301 os.chdir("/")
> | 302 shutil.rmtree(os.getcwd())

Ouch ... can we ban this guy from Fedora?
WARNING: malicious code (was: Re: [Announce] Simple Patch Policy)
On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
> * A script automating most of the process of validating and processing the
> request can be found at
>
> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py

Do not run this script, because it contains malicious code that might remove all files from your system! The code can be found in lines 301-302:

| 301 os.chdir("/")
| 302 shutil.rmtree(os.getcwd())

Kind regards
Till
Re: Package review: tayga
After some review in bugzilla, some progress from me, some time to collect dust I have once again turned to look at getting tayga into fedora.

https://bugzilla.redhat.com/show_bug.cgi?id=1028206
https://copr.fedoraproject.org/coprs/firstyear/tayga/

Any help and advice is appreciated!

--
William
Re: fedora-release-$PRODUCT, /etc/issue, /etc/os-release, Per-Product Configs and more!
On Thu, 2014-07-03 at 10:05 -0400, Josh Boyer wrote:
> On Thu, Jul 3, 2014 at 9:57 AM, Stephen Gallagher wrote:
> > On 07/03/2014 01:42 AM, William wrote:
> >> On Wed, 2014-07-02 at 20:40 -0700, Samuel Sieb wrote:
> >>> On 07/02/2014 06:55 PM, William wrote:
> >>>>> First of all, I'd like to formally propose that each of the
> >>>>> products will have a fedora-release-$PRODUCT (and
> >>>>> corresponding generic-release-$PRODUCT) package. This package
> >>>>> will meet several needs (with magical hand-waving in this
> >>>>> initial email).
> >>>>
> >>>> How will this work with fedup from 20 to 21? Will there be
> >>>> multiple upgrade targets?
> >>>>
> >>> Why would that be necessary? All packages are in one repository,
> >>> so fedora-release-$PRODUCT will be upgraded to the next version
> >>> and everything will be fine.
> >>
> >> My machine doesn't currently have a fedora-release-$PRODUCT
> >> package installed. So how will fedup work out what one to put on my
> >> system? Will these packages be added to 20, and the user need to
> >> preinstall before fedup?
> >>
> >
> > It won't put one on your system. Upgrades from a non-Productized
> > Fedora will remain non-Productized. It's not *less* Fedora than before.
> >
> > The Products are basically a statement that "this minimal set of
> > packages and services are available on the system". A non-productized
> > Fedora install is essentially just a continuation of the classic
> > do-it-yourself approach that Fedora has been up to this point.
>
> That's misleading. Fedora hasn't been releasing "do-it-yourself"
> releases. Our previous install images were composed and tested by QA,
> including testing fedup upgrades from the previous release. With
> Fedora.next, we don't have an install image that is an equivalent of
> <= F20.
>
> Perhaps I have missed them, but I've seen no discussion or plans
> around testing upgrades to F21 from F20. Unless the Products intend
> to test upgrading from F20, and/or QA intends to somehow test fedup
> from F20 to F21 in a non-product manner, we're essentially changing
> the semantics of upgrades. I agree it should still work, but saying
> it's a continuation of existing practice when it isn't is wrong.
>
> josh

It's also misleading given how much focus has been given to the three new products that will be released: So why now is there a "non-productised" version? That's not been advertised much.

I think that some attention needs to be paid to the F20 -> F21 upgrade path, and it shouldn't be left to the last minute. Do you need to choose a product via fedup at upgrade time? Do you support a non-productised version?

--
William