Re: Why a multilib wrapper for non-multilib architectures?!

2009-06-14 Thread Tomas Mraz
On Sat, 2009-06-13 at 21:57 +0200, Robert Scheck wrote:
> Hello everybody,
> 
> can somebody please explain me, why we've multilib wrappers for packages
> at non-multilib architectures such as arm, alpha, ia64 and sh?
> 
>  - http://cvs.fedoraproject.org/viewvc/devel/gmp/gmp-mparam.h?view=co
>  - http://cvs.fedoraproject.org/viewvc/devel/e2fsprogs/ext2_types-wrapper.h?view=co
>  - http://cvs.fedoraproject.org/viewvc/devel/apr/apr-wrapper.h?view=co
>  - http://cvs.fedoraproject.org/viewvc/devel/openssl/opensslconf-new.h?view=co
> 
> Where's the reason to have a whatever-archname.h if there's no multilib
> available on that architecture? From my point of view, multilib wrappers
> only make sense on the architectures %{ix86}/x86_64, ppc/ppc64, s390/s390x,
> %{sparc}/%{sparcx} and %{mips}/%{mipsel}/%{mipsx}. Tell me, if I'm wrong,
> but %{arm}, alpha, ia64 and sh are single-lib, ie. they've only 32 or 64
> bit and no multi-arch.
> 
> I've already raised up the question to the package maintainers, and Joe
> has suggested me to ask on fedora-devel for the correct list or reasons
> for the current behaviour.

In case of openssl the only arch which is handled as multiarch and so
the wrapper is added is ia64. It is done like that for historical
reasons and it doesn't break anything. Newly added non-multiarch
architectures are not added to the wrapper.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: ruby-sqlite3 conflicts with rubygem-sqlite3-ruby

2009-06-14 Thread Jeroen van Meeuwen

On Mon, 15 Jun 2009 13:37:14 +0900, Mamoru Tasaka wrote:
> Michael Schwendt wrote, at 06/15/2009 03:52 AM +9:00:
>> https://bugzilla.redhat.com/472621
>> https://bugzilla.redhat.com/472622
>> 
>> Reported in Nov 2008.
>> 
>> Is it really that difficult to fix it?
>>

No, but I have not had the time to do it yet.
 
> 
> Well, actually these two packages are _the same_ (currently
> versions of rpms on Fedora are different, however)
> The difference is that ruby-sqlite3 creates non-gem ruby module,
> while rubygem-sqlite3-ruby creates ruby gem.
> 
> Current ruby packaging guideline says that [1]
> 
> "
> Packaging for Gem and non-Gem use
> 
> If the same Ruby library is to be packaged for use as a Gem and 
> as a straight Ruby library without Gem support, it must be packaged 
> as a Gem first.
> "
> And we have the way and allow to create non-gem ruby module (rpm) packages
> as a subpackage of a package based on rubygem. So for this case 
> ruby-sqlite3 "srpm" must be obsoleted by rubygem-sqlite3-ruby "srpm" and
> ruby-sqlite3 "binary rpm" should be created as the subpackage of 
> rubygem-sqlite3-ruby.
> 

And the ruby-sqlite3 package (as in the separate entity in CVS etc.) has to
be obsoleted.

I have had it on my TODO list for a while now, it's about time I tackle it.
Beat me to it if you will, I know I'll not be able to fix this in the next
4 days. Thanks in advance!

-Jeroen



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jeroen van Meeuwen

On Sun, 14 Jun 2009 18:20:09 +0200, Jeroen van Meeuwen wrote:
> On Sun, 14 Jun 2009 08:37:41 -0700, Jesse Keating wrote:
>> On Sun, 2009-06-14 at 03:30 -0500, King InuYasha wrote:
>>> A script that takes the DVD image to produce the CD versions would basically
>>> require extracting the whole DVD image and then generating new ISOs from
>>> that tree. Maybe mirrors could do it if you want to save space on the main
>>> server or whatever.
>> 
>> That only serves to complicate matters for the users.  Good chunks of
>> our users have a hard enough time figuring out what to download, how to
>> burn it, and how to install it.  Adding in some weird script to take a
>> DVD.iso file and split it into many smaller files isn't going to help
>> matters, and certainly doesn't improve things for anaconda/qa/releng.
>> 
> 
> This to me sounds like there's two separate problems;
> 
> 1) Users might not know what to download
> 
> 2) We might put resources into something that isn't used as much as we
> would have hoped.
> 
> I'm not sure whether one single solution is appropriate for both problems.
> 

Looking at a potential cause for the discrepancy in the numbers;

Look at how we offer CDs at http://fedoraproject.org/en/get-fedora

I can't find them linked directly anywhere as opposed to the DVD which is
directly linked from the main page. There's one explanation for the higher
DVD download numbers...

Kind regards,

Jeroen van Meeuwen
-kanarip



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jeroen van Meeuwen

On Sun, 14 Jun 2009 14:34:37 -0700, Jesse Keating wrote:
> On Sun, 2009-06-14 at 17:54 +0200, Jeroen van Meeuwen wrote:
>> 
>> If Fedora Unity's motivation to continue a service to the community -at
>> its own expense, not yours- is holding you and the other teams hostage,
>> call S.W.A.T.
> 
> If it was just Fedora Unity's expense that'd be one thing.  But it's
> not.  Upstream anaconda is still going to have to deal with split media
> bugs and code.  Compose tools are still going to have to handle split
> media cases (createrepo being a notable one).  QA is still going to have
> to test this install method or else be faced with scrambling to fix
> stuff when Fedora Unity goes to make them.
> 

That's not what happened during the Fedora 7 and Fedora 8 release cycles.

> I really don't mind making split media, if there is a real hard need for
> it.  I wish that Fedora Unity would do the legwork to ensure there
> really is a need for split CDs that isn't being met by our other
> offerings before claiming that split CDs are a hard need.
> 

Fedora Unity is not going to do the legwork to ensure you continue to make
split media. Somebody else is going to need to figure out whether it is
worthy of the corporate resources being spent at it.

Like I said before, Fedora Unity can do it, has a proven track record
showing to be able to do it and, if the Fedora Project decides to not ship
split media anymore, will do it, regardless of how valuable you or anyone
else outside Fedora Unity thinks it is.

The question is however, how well is the Fedora Project willing to let us
cooperate within and through the Fedora Project?

Kind regards,

Jeroen van Meeuwen
-kanarip



Re: Do we need split media CDs for F12?

2009-06-14 Thread Rahul Sundaram
On 06/15/2009 11:15 AM, Jon Masters wrote:

> 
> The only counterpoint I came up with was that of folks in parts of the
> world who don't have access to modern hardware and don't have broadband.

Yes but they prefer Live CD or regular DVD images usually. Magazines
tend to distribute DVD image. Conferences - Live CD's.

Rahul



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jon Masters
On Mon, 2009-06-15 at 00:24 -0500, Matt Domsch wrote:
> On Mon, Jun 15, 2009 at 01:09:52AM -0400, James Antill wrote:
> > On Sat, 2009-06-13 at 08:46 -0500, Matt Domsch wrote:
> > > (Reposting to f-d-l from my blog post last night.
> > > http://domsch.com/blog/?p=85 includes a couple nice graphs to help
> > > illustrate.)

> >  These are believable, but I'd still put money on the fact that more
> > than 2.2% of users use CDs ... one of my machines here is an x86_64 Dell
> > box, about 2 years old. And only has a CD drive.
> >  Now, sure, I normally only burn CD 1 ... and then use an exploded http
> > install for anaconda. So I could probably make DVD only work, but it's
> > much easier to just get the CDs.
> 
> In this case, the netinst.iso (157MB) would suffice, right?  No one is
> proposing removing that.

Actually, your idea is perfect. For almost all cases I can come up with,
the netinst disk is fine (and, incidentally, it's all I use other than
the DVD install images anyway - especially within VMs).

The only counterpoint I came up with was that of folks in parts of the
world who don't have access to modern hardware and don't have broadband.
You might argue they could be supplied with CDs, but that presupposes
that they actually will be, vs. getting Fedora via a Live CD or
something else. I think the latter is far more likely now.

> I'm not saying get rid of all CDs.  Clearly the netinst.iso and
> LiveCDs would remain under any circumstance.

+1

Jon.




Re: Do we need split media CDs for F12?

2009-06-14 Thread Matt Domsch
On Mon, Jun 15, 2009 at 01:09:52AM -0400, James Antill wrote:
> On Sat, 2009-06-13 at 08:46 -0500, Matt Domsch wrote:
> > (Reposting to f-d-l from my blog post last night.
> > http://domsch.com/blog/?p=85 includes a couple nice graphs to help
> > illustrate.)
> > 
> > CDs are Dead. Long live CDs.
> > 
> > I was running some stats on the Fedora 11 release, and an interesting
> > thing caught my eye. Very few people are downloading the six (or in
> > the case of PPC, seven) CDs to perform a Fedora install. Very Very
> > few. In fact, at most, six people downloaded split media CDs using the
> > Fedora mirror servers in the first few days.
> 
>  I find that hard to believe, unless you mean via. MirrorManager?
>  I know I downloaded all six CD isos directly from the kernel.org
> mirror, within a few hours of GA.
>  For previous releases I'd tended to use the torrent, to get them all,
> as it was somewhat easier (but slower).

Right, I have no way to get the stats from each individual mirror,
public or private.  This was just looking at the clicks through
mirrors.fp.o/download.fp.o.
 
> >  This in contrast to the
> > over 234,000 direct downloads of DVDs and LiveCDs in the same amount
> > of time. BitTorrent statistics are a little better for CDs: 908
> > completed downloads of the split media CDs, out of 41,235 total
> > downloads (or ~2.2 %).
> 
>  These are believable, but I'd still put money on the fact that more
> than 2.2% of users use CDs ... one of my machines here is an x86_64 Dell
> box, about 2 years old. And only has a CD drive.
>  Now, sure, I normally only burn CD 1 ... and then use an exploded http
> install for anaconda. So I could probably make DVD only work, but it's
> much easier to just get the CDs.

In this case, the netinst.iso (157MB) would suffice, right?  No one is
proposing removing that.

I'm not saying get rid of all CDs.  Clearly the netinst.iso and
LiveCDs would remain under any circumstance.

-- 
Matt Domsch
Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux



Re: Do we need split media CDs for F12?

2009-06-14 Thread James Antill
On Sat, 2009-06-13 at 08:46 -0500, Matt Domsch wrote:
> (Reposting to f-d-l from my blog post last night.
> http://domsch.com/blog/?p=85 includes a couple nice graphs to help
> illustrate.)
> 
> CDs are Dead. Long live CDs.
> 
> I was running some stats on the Fedora 11 release, and an interesting
> thing caught my eye. Very few people are downloading the six (or in
> the case of PPC, seven) CDs to perform a Fedora install. Very Very
> few. In fact, at most, six people downloaded split media CDs using the
> Fedora mirror servers in the first few days.

 I find that hard to believe, unless you mean via. MirrorManager?
 I know I downloaded all six CD isos directly from the kernel.org
mirror, within a few hours of GA.
 For previous releases I'd tended to use the torrent, to get them all,
as it was somewhat easier (but slower).

>  This in contrast to the
> over 234,000 direct downloads of DVDs and LiveCDs in the same amount
> of time. BitTorrent statistics are a little better for CDs: 908
> completed downloads of the split media CDs, out of 41,235 total
> downloads (or ~2.2 %).

 These are believable, but I'd still put money on the fact that more
than 2.2% of users use CDs ... one of my machines here is an x86_64 Dell
box, about 2 years old. And only has a CD drive.
 Now, sure, I normally only burn CD 1 ... and then use an exploded http
install for anaconda. So I could probably make DVD only work, but it's
much easier to just get the CDs.
 I'm also pretty sure my current laptop is DVD RO, but CD RW.

-- 
James Antill 
Fedora



Re: ruby-sqlite3 conflicts with rubygem-sqlite3-ruby

2009-06-14 Thread Mamoru Tasaka

Michael Schwendt wrote, at 06/15/2009 03:52 AM +9:00:
> https://bugzilla.redhat.com/472621
> https://bugzilla.redhat.com/472622
>
> Reported in Nov 2008.
>
> Is it really that difficult to fix it?


Well, actually these two packages are _the same_ (currently
versions of rpms on Fedora are different, however)
The difference is that ruby-sqlite3 creates non-gem ruby module,
while rubygem-sqlite3-ruby creates ruby gem.

Current ruby packaging guideline says that [1]

"
Packaging for Gem and non-Gem use

If the same Ruby library is to be packaged for use as a Gem and 
as a straight Ruby library without Gem support, it must be packaged 
as a Gem first.

"
And we have the way and allow to create non-gem ruby module (rpm) packages 
as a subpackage of a package based on rubygem. So for this case 
ruby-sqlite3 "srpm" must be obsoleted by rubygem-sqlite3-ruby "srpm" and
ruby-sqlite3 "binary rpm" should be created as the subpackage of 
rubygem-sqlite3-ruby.


[1] 
https://fedoraproject.org/wiki/Packaging/Ruby#Packaging_for_Gem_and_non-Gem_use

Regards,
Mamoru



Re: Why a multilib wrapper for non-multilib architectures?!

2009-06-14 Thread Eric Sandeen
Rex Dieter wrote:
> Tom Lane wrote:
> 
>> Personally I don't use multilib wrappers on arches that don't need it;
>> I think not needing extra cases in the wrapper header outweighs the
>> added complexity in the specfile.  But I'm not going to tell the gmp
>> maintainer he's wrong for doing it the other way.
> 
> +1
> 
> -- Rex

Heh, so I have it both ways in my packages, xfsprogs does it only for
(hand-defined) %{multilib_arches}, e2fsprogs does it for all, inherited
via cut and paste.

If someone who cared provided some nice rpm macros to work with, perhaps
we'd easily have the best of both worlds.  :)

-Eric



Re: Do we need split media CDs for F12?

2009-06-14 Thread Chris Adams
Once upon a time, Jeremy Katz  said:
> See the livecd-iso-to-pxeboot script, although it does place some
> (somewhat) different requirements on things.

AFAIK livecd-iso-to-pxeboot is useless for 32 bit, at least for the
standard Fedora LiveCD images.  I think the kernel will only use an
initrd that is less than half the size of lowmem, or 448M.

It would be useful to be able to export the root FS from a LiveCD via
NFS, or maybe have an alternate initrd for PXE booting that could NFS
mount the ISO image (and then the LiveCD root), or fetch the ISO into
RAM via HTTP, or something along those lines.

-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: What I HATE about F11

2009-06-14 Thread Mike McGrath
On Sun, 14 Jun 2009, Mike McGrath wrote:

> On Mon, 15 Jun 2009, Lennart Poettering wrote:
>
> > On Mon, 15.06.09 09:15, James Morris (jmor...@namei.org) wrote:
> >
> > >
> > > On Sun, 14 Jun 2009, Lennart Poettering wrote:
> > >
> > > > much broken. It's a bit like SELinux: it's one of the first features
> > > > most people disable.
> > >
> > > False.
> > >
> > > Most people leave SELinux enabled, according to the smolt stats which have
> > > been collecting since the F8 era.
> >
> > Are you speaking of the same smolt that lists es1371 as most popular
> > sound card? i.e. a sound card that has been out of production since
> > about 10 years now? Somehow I have serious doubts about the validity
> > of the smolt data.
> >
>
> Based on actual data research or your gut?
>

Sidenote on this specific device, seems vmware emulates it so we should
probably continue to support it :)

-Mike



Re: What I HATE about F11

2009-06-14 Thread Mike McGrath
On Mon, 15 Jun 2009, Lennart Poettering wrote:

> On Mon, 15.06.09 09:15, James Morris (jmor...@namei.org) wrote:
>
> >
> > On Sun, 14 Jun 2009, Lennart Poettering wrote:
> >
> > > much broken. It's a bit like SELinux: it's one of the first features
> > > most people disable.
> >
> > False.
> >
> > Most people leave SELinux enabled, according to the smolt stats which have
> > been collecting since the F8 era.
>
> Are you speaking of the same smolt that lists es1371 as most popular
> sound card? i.e. a sound card that has been out of production since
> about 10 years now? Somehow I have serious doubts about the validity
> of the smolt data.
>

Based on actual data research or your gut?

> Also, isn't the smolt data generated as part of the installation
> process, i.e. at a time where people haven't yet had the time to
> disable SELinux?
>

It updates monthly if you chose to send it in at install time.

-Mike



Re: GDM Language list...

2009-06-14 Thread Jeremy Katz
On Sunday, June 14 2009, Jens Petersen said:
> - "Bill Nottingham"  wrote:
> > > https://fedoraproject.org/wiki/Features/YumLangpackPlugin
> > 
> > My one concern with this is that the conditional stuff is also used
> > on the compose side when making LiveCDs, etc.  We need to make sure that
> > still works somehow.
> 
> Right.  (Though since F11 we have dropped all the lang-support groups from 
> the default spins.)
> 
> Thanks for bringing it up - I see the potential weakness:
> so would it be sufficient to ship the plugin by default then
> or would livecd-tools need to pull it in?

livecd-tools doesn't use any plugins at present, so there'd be some work
needed to ensure the right thing happened

Jeremy



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jeremy Katz
On Sunday, June 14 2009, King InuYasha said:
> Also, maybe we should support PXE/network booting the Live version from
> mirrors or whatever with the advent of netbooks and other computers without
> an optical drive. While doing it via USB is preferable, it is not always
> possible. For example I have a laptop with a completely damaged drive bay
> where the CD drive is and it does not support booting from USB devices.
> Being able to boot the Live distro from a network would be a great
> alternative.

See the livecd-iso-to-pxeboot script, although it does place some
(somewhat) different requirements on things.  If we can get dracut in
for F12, we might be able to be more clever with netboot + live images

Jeremy



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jeremy Katz
On Saturday, June 13 2009, Jussi Lehtola said:
> On Sat, 2009-06-13 at 11:12 -0500, Matt Domsch wrote:
> > On Sat, Jun 13, 2009 at 07:04:12PM +0300, Jussi Lehtola wrote:
> > > Hmm, I'd want netboot.img back, since I normally use a USB stick to
> > > start the network install (OK, there is the possibility of using
> > > livecd-iso-to-disk, but that's a lot more hassle than downloading a
> > > minimalistic img and running dd).
> > 
> > We have it, it's now called netinst.iso
> 
> Yes but not netboot.img that could be dd'd straight away to a USB drive
> or whatnot; the iso needs livecd-iso-to-disk which a) is extra work and
> b) is only available on Fedora and Windows. [Also, the livecd tools need
> an own homepage so that users of other distros can get them.]

We really need to finish the push in F12 to get liveusb-creator working
for all cases (including command line) so that we can kick the silly
shell script to the curb as liveusb-creator has its own homepage, etc.

Also, I want to look a bit more at isohybrid to see if we can build iso
images that can just be dd'd, at least for the case of
boot.iso/netinst.iso 

Jeremy



Re: What I HATE about F11

2009-06-14 Thread Simo Sorce
On Sun, 2009-06-14 at 14:23 -0800, Jeff Spaleta wrote:
> On Sun, Jun 14, 2009 at 6:45 AM, Simo Sorce wrote:
> > I haven't done a graphical root login in the past 10 years probably and
> > on multiple distribution. Graphical root login is meaningless.
> 
> 
> Let me ask you a question as an example to better define the
> expectation on behavior that people have on what it means to
> administer a computer system.
> 
> Can you run the thread audience through the steps on how you
> personally go about changing permissions on a root owned file or
> directory on a Fedora install to give write access to an admin user..
> using nothing but graphical tools as installed by default in the
> Fedora Desktop?
> 
> I honestly don't know how to do it.  And I wouldn't think to do it
> that way. I'll reach for the commandline somewhere in the process
> whether it be to configure sudo or just doing the chmod under su.
> Nautilus exposes permissions for root owned files but I don't see an
> obvious hook that allows me to use existing authorization
> infrastructure to gain access to change those permissions as an admin
> user under nautilus.  But for someone else...someone new who didn't
> waste time learning how to banner attack their classmates logged into
> the school's Vax system via a serial connection, someone who is
> installing a linux system for personal use and learning how to
> interact with that system and is basically their own admin...,they may
> instinctively reach for a graphical way to do stuff like file
> permissions manipulations.  root login may realistically be the
> simplest way they know to gain access to graphical tools to perform
> simple operations that the user desktop does not allow.
> 
> It's great that sudo exists and can be configured but how do you
> discover that tool as a new user doing a self-administered install?
> Nautilus is the obvious, intuitive for file management tasks, and if
> the only graphical way to get to a version of nautilus that can
> manipulate system files is to login as root..then it sort of makes
> sense that inexperienced users will attempt to do that..because it's
> the logic of behavior that the graphical tool UI suggests.  If there
> is an expectation that users can work with the graphical tools to do
> simple administrative tasks, I'm not sure enough thought has been put
> into how to self-consistently expose that functionality.

You certainly have a point here Jeff.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: GDM Language list...

2009-06-14 Thread Jens Petersen
- "Bill Nottingham"  wrote:
> > https://fedoraproject.org/wiki/Features/YumLangpackPlugin
> 
> My one concern with this is that the conditional stuff is also used
> on the compose side when making LiveCDs, etc.  We need to make sure that
> still works somehow.

Right.  (Though since F11 we have dropped all the lang-support groups from the 
default spins.)

Thanks for bringing it up - I see the potential weakness:
so would it be sufficient to ship the plugin by default then
or would livecd-tools need to pull it in?

Jens



Re: What I HATE about F11

2009-06-14 Thread Simo Sorce
On Sun, 2009-06-14 at 15:11 -0400, Chuck Anderson wrote:
> On Sun, Jun 14, 2009 at 10:45:09AM -0400, Simo Sorce wrote:
> > > >   * Samba (outbound) browsing requires firewall mods
> > > I don't know how Samba works, so forgive me if I say obvious stupidity,
> > > but shouldn't *client* work even behind closed firewall (like with any
> > > other services like ssh, ftp, ...)? Isn't this a samba bug then?
> > 
> > Samba as a client needs to listen for Netbios packets replies (UDP) to
> > do browsing, so since F-10 (yes this is not something new in F-11) the
> > firewall has strict rules and there is a "samba client" specific rule.
> 
> ...which is broken in that it is too permissive, and in that it isn't 
> enabled by default.  We need to fix it so it only uses the conntrack 
> module but doesn't open inbound ports, and also enable it in the 
> default install.

Conntrack is useless, you need to listen to unsolicited traffic.
Also some old MS OSes always reply to port 137 even if the client source
port is higher, conntrack would fail here too.

> https://bugzilla.redhat.com/show_bug.cgi?id=469884

If it were for me I'd close this as NOTABUG/INVALID/WONTFIX.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: What I HATE about F11

2009-06-14 Thread Lennart Poettering
On Sun, 14.06.09 16:11, Jeff Spaleta (jspal...@gmail.com) wrote:

> 
> On Sun, Jun 14, 2009 at 3:36 PM, Lennart Poettering wrote:
> > Are you speaking of the same smolt that lists es1371 as most popular
> > sound card? i.e. a sound card that has been out of production since
> > about 10 years now? Somehow I have serious doubts about the validity
> > of the smolt data.
> 
> You might have found a bug in the tallying there in how cards are
> self-identifying product strings. 

pci devices identify them via numeric ids only, the strings come from
the hwdata databases.

> You'll notice the same exact entry
> is listed twice in the Audio device table.  Are cards using the
> ENS1371 driver misreporting their vendor/card version info? There are
> only 5 listings in the table for the ENS1371 driver. There are dozens
> listed for the Intel ICH driver. I bet if you totalled up counts by
> driver, things would look more sensible to you with intel being a
> reasonably large percentage of the drivers in use.

It's not just that ens1371 is shown as unrealistically popular, it's
also that it doesn't know a single HDA device. I mean,
seriously... what will smolt claim next? that santa claus exists?

To me it appears that the data shown on this smolt web thingy originates
from /dev/random. 

Unrelated to this, it's fun to see what happens when one accesses
http://smolt.fedoraproject.org/static/stats or a similar URL... ;-)

Lennart

-- 
Lennart Poettering    Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/   GnuPG 0x1A015CC4



Re: What I HATE about F11

2009-06-14 Thread Guido Grazioli
> That said, I agree the wheel group should be enabled with sudo, though
> I disagree that the initial install user should be automatically added
> to it.
>
> But then again, I hate sudo :P I do most scripting that requires root
> access via root logins directly with ssh and keys.


I completely agree and do mostly the same; it would be a good idea (or
at least, imho better than an option to add the user to wheel group)
to have a "generate dsa keypair and add to root authorized_keys" checkbox
during firstboot user creation. Then just ssh -X for your daily "needed"
root tasks

guido

-- 
Guido Grazioli 
Via Parri 11 48011 - Alfonsine (RA)
Mobile: +39 347 1017202 (10-18)
Key FP = 7040 F398 0DED A737 7337  DAE1 12DC A698 5E81 2278
Linked in: http://www.linkedin.com/in/guidograzioli

Re: What I HATE about F11

2009-06-14 Thread Jeff Spaleta
On Sun, Jun 14, 2009 at 3:36 PM, Lennart Poettering wrote:
> Are you speaking of the same smolt that lists es1371 as most popular
> sound card? i.e. a sound card that has been out of production since
> about 10 years now? Somehow I have serious doubts about the validity
> of the smolt data.

You might have found a bug in the tallying there in how cards are
self-identifying product strings. You'll notice the same exact entry
is listed twice in the Audio device table.  Are cards using the
ENS1371 driver misreporting their vendor/card version info? There are
only 5 listings in the table for the ENS1371 driver. There are dozens
listed for the Intel ICH driver. I bet if you totalled up counts by
driver, things would look more sensible to you with intel being a
reasonably large percentage of the drivers in use.


>
> Also, isn't the smolt data generated as part of the installation
> process, i.e. at a time where people haven't yet had the time to
> disable SELinux?

smolt updates the info associated with a UUID via its service and
cronjob configuration on a roughly monthly basis, unless someone
disables the smolt service.


-jef



Re: What I HATE about F11

2009-06-14 Thread James Morris
On Mon, 15 Jun 2009, Lennart Poettering wrote:

> Are you speaking of the same smolt that lists es1371 as most popular
> sound card? i.e. a sound card that has been out of production since
> about 10 years now? Somehow I have serious doubts about the validity
> of the smolt data.

I've previously asked for specific sql queries to be run on the data (e.g. 
correlated with specific Fedora versions) and it seems the data for 
SELinux at least is reasonably accurate.  The actual figure shown on the 
site is likely to be much lower than the real number of SELinux enabled 
systems, as it aggregates data from systems where no SELinux stats were 
being collected, and now from distros with no real SELinux support.

> 
> Also, isn't the smolt data generated as part of the installation
> process, i.e. at a time where people haven't yet had the time to
> disable SELinux?

Yes, that's a consideration -- those systems report back each month, so 
when there's a new release, the figures spike, and then drop off over 
time.  They're still showing a significant majority of people leaving 
SELinux enabled.

There's also the question of whether people who are not saying 'yes' to 
smolt reporting are likely to enable or disable SELinux.  It could go 
either way.

> Anyway, please don't think I was anti-SELinux, I am not. Just wanted
> to state what I observed.

Keep in mind that what you observe as a highly technical distro developer 
may be radically different to what happens elsewhere.


- James
-- 
James Morris




Re: What I HATE about F11

2009-06-14 Thread Lennart Poettering
On Mon, 15.06.09 09:15, James Morris (jmor...@namei.org) wrote:

> 
> On Sun, 14 Jun 2009, Lennart Poettering wrote:
> 
> > much broken. It's a bit like SELinux: it's one of the first features
> > most people disable.
> 
> False.
> 
> Most people leave SELinux enabled, according to the smolt stats which have 
> been collecting since the F8 era.

Are you speaking of the same smolt that lists es1371 as most popular
sound card? i.e. a sound card that has been out of production since
about 10 years now? Somehow I have serious doubts about the validity
of the smolt data.

Also, isn't the smolt data generated as part of the installation
process, i.e. at a time where people haven't yet had the time to
disable SELinux?

Anyway, please don't think I was anti-SELinux, I am not. Just wanted
to state what I observed.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/   GnuPG 0x1A015CC4



Re: What I HATE about F11

2009-06-14 Thread James Morris
On Sun, 14 Jun 2009, Lennart Poettering wrote:

> much broken. It's a bit like SELinux: it's one of the first features
> most people disable.

False.

Most people leave SELinux enabled, according to the smolt stats which have 
been collecting since the F8 era.

> Fedora is the only big distro that enables a firewall by default and
> thus creates a lot of trouble for many users. I think I mentioned that
> before, and I can only repeat it here: we should not ship a firewall
> enabled by default, like we currently do. If an application cannot be
> trusted then it should not be allowed to listen on a port by default
> in the first place. A firewall is an extra layer of security that
> simply hides the actual problem.

The problem is that you never really know how trustworthy an application 
is.  All software has bugs, and some of those will be exploitable.  A 
significant purpose of firewalling and tighter security policy (e.g. 
SELinux MAC) is to help reduce the impact of bugs (and misconfiguration) 
when they occur.



- James
-- 
James Morris




Re: What I HATE about F11

2009-06-14 Thread Jeff Spaleta
On Sun, Jun 14, 2009 at 6:45 AM, Simo Sorce wrote:
> I haven't done a graphical root login in the past 10 years probably and
> on multiple distribution. Graphical root login is meaningless.


Let me ask you a question as an example to better define the
expectation on behavior that people have on what it means to
administer a computer system.

Can you run the thread audience through the steps on how you
personally go about changing permissions on a root owned file or
directory on a Fedora install to give write access to an admin user..
using nothing but graphical tools as installed by default in the
Fedora Desktop?

I honestly don't know how to do it.  And I wouldn't think to do it
that way. I'll reach for the commandline somewhere in the process
whether it be to configure sudo or just doing the chmod under su.
Nautilus exposes permissions for root owned files but I don't see an
obvious hook that allows me to use existing authorization
infrastructure to gain access to change those permissions as an admin
user under nautilus.  But for someone else...someone new who didn't
waste time learning how to banner attack their classmates logged into
the school's Vax system via a serial connection, someone who is
installing a linux system for personal use and learning how to
interact with that system and is basically their own admin...,they may
instinctively reach for a graphical way to do stuff like file
permissions manipulations.  root login may realistically be the
simplest way they know to gain access to graphical tools to perform
simple operations that the user desktop does not allow.

It's great that sudo exists and can be configured but how do you
discover that tool as a new user doing a self-administered install?
Nautilus is the obvious, intuitive choice for file management tasks, and if
the only graphical way to get to a version of nautilus that can
manipulate system files is to login as root..then it sort of makes
sense that inexperienced users will attempt to do that..because it's
the logic of behavior that the graphical tool UI suggests.  If there
is an expectation that users can work with the graphical tools to do
simple administrative tasks, I'm not sure enough thought has been put
into how to self-consistently expose that functionality.

-jef



Re: What I HATE about F11

2009-06-14 Thread Krzysztof Halasa
Leszek Matok  writes:

>> a false feeling that the "non-privileged" account doesn't need the same
>> level of protection as the root account needs. 
> The feeling isn't false - overtaking a root-run program is potentially more
> harmful to the system, other users and everyone in sight (root can harm the
> network, for example). Hence the root account does need more protection.

... unless the non-privileged account is used to gain root access like
in this case. Then both accounts are security-wise equivalent and thus
need the same level of protection.

Though I've met many sysadmins who don't realize this. Actually I think
most don't and some think sudo is a magic bullet.

The same can be told about accessing from untrusted locations ("I will
change password", "nobody sniffs the second su password") and other
potentially harmful behaviour ("I have RAID as backup" etc).
-- 
Krzysztof Halasa



Re: bind-chroot in F11

2009-06-14 Thread mike cloaked
Mike Cloaked wrote:
>In F11 the contents contain
>/var/named/chroot and within this directory are
>/dev containing file null, random and zero
>and /etc containing file localtime
>and nothing else.

This is surely a packing error since the bind-chroot package should
install the proper chrooted directory structure and install the
correct basic files in them including a basic named.conf under
/var/named/chroot/etc/
There appears not even to be a root cert file in the chroot.

-- 
mike



Re: Do we need split media CDs for F12?

2009-06-14 Thread King InuYasha
On Sun, Jun 14, 2009 at 9:47 AM, Jesse Keating wrote:

>
>
> On Jun 14, 2009, at 1:30, King InuYasha  wrote:
>
> On Sat, Jun 13, 2009 at 11:38 PM, Bradley Baetz < 
> bba...@gmail.com> wrote:
>
>> On 14/06/09 04:53, Robert 'Bob' Jensen wrote:
>>
>>>
>>> - "Frank Murphy"< frankl...@gmail.com>  wrote:
>>>
>>>> Just curious.
>>>>
>>>> But if a user has bandwidth problems, how is\are multiple CDs going
>>>> to help, or is it purely on hardware grounds, no dvd-rom.


>>> Does no one remember what happened last time the CD ball was dropped?
>>> Lets not repeat history just for fun. We have been down this road
>>> before, it was ugly and only lasted one release. Torrent tracker
>>> numbers BTW do not always tell the truth. In many cases in these less
>>> fortunate areas one person will download the ISO images, then make
>>> CDs for any one in the surrounding villages. Sneakernet is alive and
>>> well. I asked about this topic a few minutes ago in the
>>> #fedora-social IRC channel because we seemed to have a pretty diverse
>>> mix of people chatting. There was a resounding response that the CDs
>>> need to be kept.
>>>
>>
>> What about a script that takes the DVD image and produces CD .isos? That
>> saves on mirror space, but still allows people who want/need CDs to make
>> them. Although it would require (temporarily) 2-3 times the disk space for
>> that process, I guess.
>>
>> Bradley
>>
>>
> A script that takes the DVD image to produce the CD versions would
> basically require extracting the whole DVD image and then generating new
> ISOs from that tree. Maybe mirrors could do it if you want to save space on
> the main server or whatever.
>
> Also, maybe we should support PXE/network booting the Live version from
> mirrors or whatever with the advent of netbooks and other computers without
> an optical drive. While doing it via USB is preferable, it is not always
> possible. For example I have a laptop with a completely damaged drive bay
> where the CD drive is and it does not support booting from USB devices.
> Being able to boot the Live distro from a network would be a great
> alternative.
>
>
> Why the live and not the normal install via pxe?
>
> --
> Jes
>


It's more useful, and it's smaller. Being able to use the live version
through a network would make it easier for remote or thin client setup,
where you don't want the state of the OS to change in any form of
permanence. For example, loading the live image without persistence to older
machines and when client users are done and shutdown the machine, nothing is
saved. No viruses, documents, personal information, etc. Additionally,
diagnosing issues with machines using PXE live would be much nicer than
using DOS disks or the Windows recovery console, which is practically
useless. Or even diagnosing issues with installed versions of Linux or BSD.

Re: What I HATE about F11

2009-06-14 Thread Krzysztof Halasa
Richard Fearn  writes:

>> Who says the first created user is root-equivalent?
>
> It wouldn't be root-equivalent. You have to explicitly use sudo, and
> enter your password when you do use it. It's not the same as a root
> prompt.

It is from a security person POV.
If an attacker compromises your non-root account, and if you use sudo or
whatever to "switch" to root then root is compromised as well, password
or no password. You have to use a secure terminal and a secure "path" to
the root session to be really secure.
-- 
Krzysztof Halasa



Breaking API for python-decorator in Fedora 11

2009-06-14 Thread Toshio Kuratomi
I'm planning on updating the python-decorator package from 2.3.x to
3.0.x.  This update breaks API in:

1) Some python-2.6 specific functionality
2) Some seldom used idioms.

This update is necessary for python-repoze-what-pylons:
  https://bugzilla.redhat.com/show_bug.cgi?id=499486

a component of TurboGears2.

Only three packages currently depend on it:

python-fedora-0:0.3.12-1.fc11.noarch
bodhi-server-0:0.5.19-1.fc11.noarch
python-pylons-0:0.9.7-0.2.rc4.fc11.noarch

We plan on checking that these work with the new decorator before
pushing the update.

If this update will cause a problem for you please reply to this message
or comment on the python-repoze-what-pylons review.

-Toshio



___
Fedora-devel-announce mailing list
fedora-devel-annou...@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-announce

One week left for voting

2009-06-14 Thread Paul W. Frields
There's approximately one week left to vote in the combined Fedora
elections.  To cast your vote, visit:

https://admin.fedoraproject.org/voting

For more information on the specific elections, visit this thread in
the archives for the fedora-advisory-board list:

https://www.redhat.com/archives/fedora-advisory-board/2009-June/msg00025.html

Thanks for participating!

-- 
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
  irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug



Fedora 11 Retrospective Happens Tuesday June 16, 2009 at 14:00 UTC (10 AM EDT)

2009-06-14 Thread John Poelstra
Have you ever wanted to give your perspective on how well the Fedora 
development and release process works, but weren't sure where to do it?


Now you have the perfect opportunity!  For Fedora 11 we are having a 
project wide conference call to reflect on the good and not so good parts 
of the Fedora 11 development cycle.


There are two ways to get involved:
1) Contact your team lead to see if you can attend as the additional 
person from your team

-or-
2) Add your name to the list of lottery participants for a chance to be 
one of the five people randomly selected.


But wait, there is more!  We are extending the cut-off date for the 
lottery to Sunday. Here's a little tip between you and me... as of the 
time of this email your chances of winning are 100% (okay, not exactly, 
but right now nobody else is signed and if that doesn't change, then you 
are on easy street! ;-)


Sign-up details are here: 
https://fedoraproject.org/wiki/Fedora_11_Retrospective#Lottery


Hope to see you there,
John



Re: Do we need split media CDs for F12?

2009-06-14 Thread Chris Adams
Once upon a time, Jesse Keating  said:
> If there are those that require split media, I'd much prefer that we as
> a project produce and test the split media as part of our normal
> development cycle, and not do it as some afterthought after it's too
> late to fix any problems found.

I agree with all of that.  I just wanted to ask: have you considered
just making split media for 32-bit x86?  Is there really any demand for
x86_64 and ppc split media?

I know that wouldn't remove the anaconda support, but it would reduce
some of the QA, time taken to build and distribute, disk space, etc.
-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jesse Keating
On Sun, 2009-06-14 at 18:20 +0200, Jeroen van Meeuwen wrote:
> If the Fedora Project considers to no longer release split CD media, would
> the Fedora Project then also consider allowing Fedora Unity (members) to
> continue servicing those that request or even require split CD media? If
> that is too much to ask from a anaconda/qa/releng perspective, would the
> Fedora Project maybe consider finally allowing those from Fedora Unity that
> do it anyway, to do it *via* the Fedora Project?

If there are those that require split media, I'd much prefer that we as
a project produce and test the split media as part of our normal
development cycle, and not do it as some afterthought after it's too
late to fix any problems found.

However I'd like to see some evidence as to the "require"ment.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jesse Keating
On Sun, 2009-06-14 at 17:54 +0200, Jeroen van Meeuwen wrote:
> 
> If Fedora Unity's motivation to continue a service to the community -at
> its own expense, not yours- is holding you and the other teams hostage,
> call S.W.A.T.

If it was just Fedora Unity's expense that'd be one thing.  But it's
not.  Upstream anaconda is still going to have to deal with split media
bugs and code.  Compose tools are still going to have to handle split
media cases (createrepo being a notable one).  QA is still going to have
to test this install method or else be faced with scrambling to fix
stuff when Fedora Unity goes to make them.

I really don't mind making split media, if there is a real hard need for
it.  I wish that Fedora Unity would do the legwork to ensure there
really is a need for split CDs that isn't being met by our other
offerings before claiming that split CDs are a hard need.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating



Re: What I HATE about F11

2009-06-14 Thread Leszek Matok
On 2009-06-14, at 22:12:47,
Krzysztof Halasa wrote:

> a false feeling that the "non-privileged" account doesn't need the same
> level of protection as the root account needs. 
The feeling isn't false - overtaking a root-run program is potentially more
harmful to the system, other users and everyone in sight (root can harm the
network, for example). Hence the root account does need more protection.

I think you wanted to refer to false sense of safety that someone could derive
from running unprivileged. This is a danger much less than giving any OS to any
"normal" (non-technical) user.

You need to educate users about all the risks that are left and NOT give them
deadly weapons which they don't know how to use and presume they're going to
be scared of them for the rest of their lives (they're not).

Lam



Re: What I HATE about F11

2009-06-14 Thread Richard Fearn
> Who says the first created user is root-equivalent?

It wouldn't be root-equivalent. You have to explicitly use sudo, and
enter your password when you do use it. It's not the same as a root
prompt.

In any case, I like Mathieu Bridon's idea of having a firstboot option.

Rich



Re: What I HATE about F11

2009-06-14 Thread Richard W.M. Jones
On Sun, Jun 14, 2009 at 05:45:43PM +1000, Michael Fleming wrote:
> Ich bin ein secure user and you should be too. Logging in as root into
> X directly (or the console for that matter) is a *bad idea*.

Erm, logging as root on the console is a bad idea?  _You've_ obviously
not got any machines running NIS or NFS-mounted /home :-)

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top



Re: What I HATE about F11

2009-06-14 Thread Richard Fearn
> I didn't say the wheel group was a nonsense or a problem. I was
> responding to Richard who wanted the line to be uncommented (harmless
> per se) AND the first user to be added to the wheel group by default.

I've since changed my mind :-)

> For example, a « add to the wheel group » checkbox in
> system-config-users and firstboot could be great.

That's a good idea.

> Not sure it would be
> a good idea to have it checked and hidden by default.

Agreed.

Rich



Re: What I HATE about F11

2009-06-14 Thread Krzysztof Halasa
inode0  writes:

> Actually, I am strongly against the way Fedora forces the creation of
> the first user without allowing the admin to set the uid/gid of the
> user. That is a different annoying issue.

Hmm... Does it?
I installed F11 (i386, with netinstall) recently and it didn't create
"normal" accounts (nor asked).
-- 
Krzysztof Halasa



Re: What I HATE about F11

2009-06-14 Thread Krzysztof Halasa
Richard Fearn  writes:

> But wouldn't it be nice if this line was uncommented by default, and
> firstboot added the first user to this group automatically?

Who says the first created user is root-equivalent?
-- 
Krzysztof Halasa



Re: What I HATE about F11

2009-06-14 Thread Krzysztof Halasa
Michael Fleming  writes:

> With the likes of sudo / ConsoleKit / console-helper et. al you should
> never, ever need to run an extended session as root. Your day-to-day
> work can be done perfectly well as a standard non-privileged user, the
> applications that *need* root, especially in X, are hooked into
> consolehelper/ConsoleKit anyway and will prompt you for the root
> password in any case (when run as a regular user)

That doesn't mean it's more secure than directly logging as root using
e.g. ssh, tty or xterm. I won't argue about X "desktop".

A non-privileged account ceases to be non-privileged when you use it to
become root. It may save you from incidental rm -rf /, but it creates
a false feeling that the "non-privileged" account doesn't need the same
level of protection as the root account needs. From a security
standpoint, it's thus usually less secure than using root directly.

Obviously one shouldn't use root account for non-admin tasks, sure. But
it has nothing to do with security.
If one has to perform many root tasks, there is nothing wrong in doing
it in "an extended root session". Having to type root password many
times may only create an additional opportunity for a compromise.

> As a systems administrator I applaud this idea, as it stops people from
> shooting themselves in the foot

That may be true. The same can probably be said about alias rm='rm -i'
and so on. This is not security, however.
-- 
Krzysztof Halasa



Re: iptables/firewall brainstorming

2009-06-14 Thread Jos Vos
On Sun, Jun 14, 2009 at 12:30:41PM -0600, Kevin Fenzi wrote:

> I keep wondering if we couldn't come up with something
> like a /etc/iptables.d/ type setup somehow that would work for these
> cases. 
> 
> In the case of a package that does not need any configuration done and
> only needs a firewall rule to function, we could add a file in there to
> add its rule. 

As long as it (a) will ONLY be taken into account when the firewall
config was created at install/firstboot time and (b) the
package-specific rules will ONLY be used when some variable in
/etc/sysconfig is set to "yes" (for example IPTABLES_PACKAGENAME="yes"
in /etc/sysconfig/iptables-packagename) and is set to "no" by default,
it MIGHT be acceptable.

In general, a package tweaking with firewalls sounds very scary...

-- 
--Jos Vos 
--X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--Amsterdam, The Netherlands| Fax: +31 20 6948204



Re: (Most) Results from the Candidate Questionnaire are available now

2009-06-14 Thread Rahul Sundaram
On 06/15/2009 01:01 AM, Kevin Kofler wrote:
> Thorsten Leemhuis wrote:
>> * some people dislike questions like "do you prefer Gnome or KDE" that
>> are/should be mostly irrelevant for Fedora as whole and the position the
>> candidate is nominated for
> 
> It's pretty much relevant, we don't want GNOME bias all over the Fedora
> governing bodies. For some of us, the answer to that question was the one
> answer on which to base the decision whom to vote for.

It seems a silly way to make important decisions. Just because a person
prefers to use GNOME doesn't make them biased against KDE. What if a
user uses Xfce or LXDE? It just doesn't make sense.

Rahul



Re: No bluetooth for PulseAudio nonbelievers

2009-06-14 Thread Ahmed Kamal
>
> If you don't want to use gnome-bluetooth and how it integrates with
> all other software and automates things then don't use it. Nobody
> forces you.
>

I didn't even mean using BT for any audio related tasks. I basically use BT
to transfer files back and forth from my cell phone. And gnome-bluetooth is
very good for that. Why is that functionality being removed from me ? Can't
we have gnome-bluetooth-audio with this part only depending on PA ? so that
I can keep the rest of gnome-bluetooth if I choose to remove PA ?

Thanks Lennart, I really wish Skype would update their crap

Re: What I HATE about F11

2009-06-14 Thread Nicolas Mailhot
On Sunday, 14 June 2009 at 20:08 +0200, Lennart Poettering wrote:

> I still think that the current firewall situation on Fedora is pretty
> much broken. It's a bit like SELinux: it's one of the first features
> most people disable.

For the people I know disabling the firewall is very low under disabling
SELinux and (ahem) PulseAudio. At that point iptables is fairly solid
and well understood and documented.

-- 
Nicolas Mailhot



Re: iptables/firewall brainstorming

2009-06-14 Thread Nicolas Mailhot
On Sunday, 14 June 2009 at 12:30 -0600, Kevin Fenzi wrote:

> In the case of a package that does not need any configuration done and
> only needs a firewall rule to function, we could add a file in there to
> add its rule. 

Anything that does not include a way to signal the admin a hole was just
poked in the firewall is broken security-wise

-- 
Nicolas Mailhot
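
One way the opt-in scheme debated in this thread could look, as an added example that is not code from the thread or from Fedora: fragments under /etc/iptables.d/ are honoured only when /etc/sysconfig/iptables-<pkg> sets IPTABLES_<PKG>="yes", and every decision is written to a notice file for the admin. The ".rules" suffix, the declarative "proto port" fragment format, the function names and the notice wording are assumptions, and the sample tree is constructed.

```shell
#!/usr/bin/env bash
# Added example: opt-in loader for per-package firewall fragments.
# From the thread: /etc/iptables.d/, /etc/sysconfig/iptables-<pkg>, and
# IPTABLES_<PKG>="yes" with "no" as the default. Assumed here: the ".rules"
# suffix, the "proto port" line format, and the notice file.

# Print "yes" only if the admin explicitly enabled this package.
fragment_enabled() {
    local root="$1" pkg="$2" conf var value
    conf="$root/etc/sysconfig/iptables-$pkg"
    var="IPTABLES_$(printf '%s' "$pkg" | tr '[:lower:]' '[:upper:]' | tr -c 'A-Z0-9' '_')"
    [ -r "$conf" ] || { echo no; return 0; }
    # Parse the value instead of sourcing the file: it is data, not code.
    value=$(sed -n "s/^[[:space:]]*$var=[\"']\{0,1\}\([A-Za-z]*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$conf" | tail -n 1)
    if [ "$value" = yes ]; then echo yes; else echo no; fi
}

# A fragment may only name a protocol and one port; it cannot pick chains,
# targets or source addresses.
valid_rule() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    case "$2" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#2}" -le 5 ] && [ "$2" -le 65535 ]
}

# Print iptables-restore style lines for enabled, well-formed fragments.
# Every decision (opened, skipped, rejected) is recorded in the notice file.
render_fragments() {
    local root="$1" notices="$2" file pkg proto port rest
    : > "$notices"
    for file in "$root"/etc/iptables.d/*.rules; do
        [ -e "$file" ] || continue
        pkg=$(basename "$file" .rules)
        if [ "$(fragment_enabled "$root" "$pkg")" != yes ]; then
            echo "SKIPPED $pkg: not enabled in /etc/sysconfig/iptables-$pkg" >> "$notices"
            continue
        fi
        while read -r proto port rest || [ -n "$proto" ]; do
            case "$proto" in ''|'#'*) continue ;; esac
            if [ -n "$rest" ] || ! valid_rule "$proto" "$port"; then
                echo "REJECTED $pkg: malformed line '$proto $port $rest'" >> "$notices"
                continue
            fi
            echo "-A INPUT -m state --state NEW -p $proto --dport $port -j ACCEPT"
            echo "OPENED $pkg: $proto/$port" >> "$notices"
        done < "$file"
    done
    return 0
}

# Constructed sample tree: cups enabled, avahi shipped but left at "no",
# badpkg enabled but carrying lines the loader must refuse.
make_demo_tree() {
    local root="$1"
    mkdir -p "$root/etc/iptables.d" "$root/etc/sysconfig"
    printf '# cups\ntcp 631\nudp 631\n' > "$root/etc/iptables.d/cups.rules"
    printf 'udp 5353\n' > "$root/etc/iptables.d/avahi.rules"
    printf 'tcp 70000\ntcp 22 -j DROP\nicmp 8\ntcp 8080\n' > "$root/etc/iptables.d/badpkg.rules"
    echo 'IPTABLES_CUPS="yes"' > "$root/etc/sysconfig/iptables-cups"
    echo 'IPTABLES_AVAHI="no"' > "$root/etc/sysconfig/iptables-avahi"
    echo 'IPTABLES_BADPKG=yes' > "$root/etc/sysconfig/iptables-badpkg"
}

# Demo: rules on stdout, followed by what the admin would be told.
demo() {
    local root notices
    root=$(mktemp -d) && notices="$root/notices.log"
    make_demo_tree "$root"
    render_fragments "$root" "$notices"
    echo "--- notices for the admin ---"
    cat "$notices"
    rm -rf "$root"
}
demo
```

The loader only prints rule text and never calls iptables, so it can be run unprivileged against a scratch directory.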



Re: What I HATE about F11

2009-06-14 Thread Yaakov Nemoy
2009/6/14 Richard Fearn :
>> # grep -n wheel /etc/sudoers
>> 81:## Allows people in group wheel to run all commands
>> 82:# %wheel     ALL=(ALL)       ALL
>> 85:# %wheel     ALL=(ALL)       NOPASSWD: ALL
>>
>> All you have to do is uncomment one line ;)
>
> That's exactly what I do, followed by:
>
> $ usermod -a -G wheel rich
>
> But wouldn't it be nice if this line was uncommented by default, and
> firstboot added the first user to this group automatically?

It might be nice, but unless we document that feature heavily and
declare that 'first' user to be administrator with big warnings all
over the place, some noob will still do something stupid.  I don't
mean stupid like 'i'm a noob and i don't know what i'm doing', but
stupid like 'i didn't know firefox had a security vulnerability that
used a hole in sudo to run stuff as root, because i was using some
silly extension'.

We would have to set up a user account that is a non root user with
extra privileges and constant warnings to the user that i really
wonder what the advantage is to it.

The best argument against all this nonsense is like this. User space
programs are complex and there are many of them. Unless you have
audited each bit that is going to be run as a privileged user, you
should avoid running it as some privileged user. When you log in to a
graphical desktop environment with lots of userspace programs, they
should all be running on the least amount of privileges necessary and
furthermore confined with SELinux where possible. Seriously, who wants
to audit the entire GNOME or KDE codebase? There should never be a
user that has more privileges and also running in a graphical
environment. Ever.

The only interesting debate i've heard is over two security models
i'll call 'su' and 'sudo', for their recognized behavior. 'su'
requires the root password, and 'sudo' requires your own password. Let
me argue for one more model called 'sird'. 'sird' asks for a per user
'root' password. Each user has two passwords, one is an everyday
password and one is for actions that require root access. Currently
Fedora uses a mix of 'sudo' and 'su', and is inconsistent. Ubuntu
relies only on 'sudo' for the most part, except for certain weird
programs they haven't set up to do so, and then the experience is
inconsistent.

The security issue here though is how do we securely give 'sudo' and
'sird' like rights to users without violating the rule i stated above?
With Fedora we require that you use the root password the first time.
This way the user has to intelligently maintain that the specified
account should be given more privileges. It's then on the user's head
to violate the rule above. Ubuntu just gives sudo to the first user
created, and since i haven't touched the brown since the beginning of
2007, i have no clue how much they alert the user to the possible
security risks.

If i can put my own 2 cents in what needs to be done here: Currently
we implement this barrier to entry via the command line. Perhaps if we
could leverage PolicyKit better so we can have an icon or control tool
for the person who installs Fedora on the machine to use the root
password to grant rights to other users. Then the administrator, aka
the person responsible for installation, could decide whether to use
su, sudo, or sird style access.

If you're wondering what 'sird' is, it's just an arbitrary name that
sounds like third, because there would be a 'third' password. (Root =
1, User = 2, Sird = 3)

-Yaakov
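
The grep output quoted above shows both %wheel lines commented out in /etc/sudoers; the following added example (not code from the thread or from Fedora) lists which accounts an active sudoers line makes root-equivalent, resolving %group entries through both supplementary and primary group membership. The function names, file names and all sample accounts are constructed, and it assumes plain "user" and "%group" entries only: aliases, netgroups and include directives are not followed.

```shell
#!/usr/bin/env bash
# Added example: list accounts that an active sudoers line makes
# root-equivalent. Only plain "user" / "%group" entries are understood.
# All sample data is constructed; the two "%wheel" lines mirror the thread.

# root_equivalents SUDOERS GROUP PASSWD
# Prints "user<TAB>via<TAB>password|nopasswd", sorted, one line per grant.
root_equivalents() {
    awk -v sudoers="$1" -v groupf="$2" -v passwdf="$3" '
    function emit(list, via, mode,    n, i, u) {
        n = split(list, u, ",")
        for (i = 1; i <= n; i++) if (u[i] != "") print u[i] "\t" via "\t" mode
    }
    BEGIN {
        while ((getline line < groupf) > 0) {         # name:pw:gid:members
            split(line, g, ":"); gid[g[1]] = g[3]; members[g[1]] = g[4]
        }
        while ((getline line < passwdf) > 0) {        # name:pw:uid:gid:...
            split(line, p, ":"); primary[p[4]] = primary[p[4]] "," p[1]
        }
        while ((getline line < sudoers) > 0) {
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) continue   # commented out = inactive
            who = line; sub(/[ \t].*$/, "", who)
            if (who ~ /^Defaults/ || who ~ /_Alias$/ || line !~ /=/) continue
            cmds = line; sub(/^[^=]*=[ \t]*/, "", cmds)
            runas = "root"                            # target when no (runas) given
            if (match(cmds, /^\([^)]*\)/)) {
                runas = substr(cmds, 2, RLENGTH - 2)
                cmds = substr(cmds, RLENGTH + 1)
            }
            sub(/:.*$/, "", runas); gsub(/[ \t]/, "", runas)
            if (runas != "ALL" && runas != "root") continue
            sub(/^[ \t]+/, "", cmds)
            mode = "password"
            while (match(cmds, /^[A-Z_]+:[ \t]*/)) {  # strip tags such as NOPASSWD:
                if (cmds ~ /^NOPASSWD:/) mode = "nopasswd"
                cmds = substr(cmds, RLENGTH + 1)
            }
            sub(/[ \t]+$/, "", cmds)
            if (cmds != "ALL") continue               # limited command list
            if (who ~ /^%/) {
                grp = substr(who, 2)
                if (!(grp in gid)) continue
                emit(members[grp], who, mode)         # supplementary members
                emit(primary[gid[grp]], who, mode)    # primary-group members
            } else emit(who, "direct", mode)
        }
    }' | LC_ALL=C sort -u
}

# Constructed fixtures: sudoers with both wheel lines commented out, and the
# same file after the admin uncomments the first one and adds two entries.
make_sample() {
    local d="$1"
    cat > "$d/sudoers.shipped" <<'EOF'
Defaults    requiretty
root    ALL=(ALL)       ALL
## Allows people in group wheel to run all commands
# %wheel     ALL=(ALL)       ALL
# %wheel     ALL=(ALL)       NOPASSWD: ALL
EOF
    sed 's/^# \(%wheel .*)  *ALL\)$/\1/' "$d/sudoers.shipped" > "$d/sudoers.edited"
    cat >> "$d/sudoers.edited" <<'EOF'
deploy   ALL=(ALL)   NOPASSWD: ALL
backupop ALL=(ALL)   NOPASSWD: /usr/bin/rsync
EOF
    printf '%s\n' 'root:x:0:root' 'wheel:x:10:root,rich' 'users:x:100:' > "$d/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'rich:x:500:500::/home/rich:/bin/bash' \
                  'guest:x:502:100::/home/guest:/bin/bash' \
                  'svc:x:503:10::/home/svc:/bin/bash' > "$d/passwd"
}

demo() {
    local d; d=$(mktemp -d)
    make_sample "$d"
    echo "wheel lines commented out:"
    root_equivalents "$d/sudoers.shipped" "$d/group" "$d/passwd"
    echo "after uncommenting %wheel:"
    root_equivalents "$d/sudoers.edited" "$d/group" "$d/passwd"
    rm -rf "$d"
}
demo
```

In the constructed data, `svc` never appears in the wheel line of the group file but has wheel as its primary group, so it is reported alongside `rich`.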



Re: No bluetooth for PulseAudio nonbelievers

2009-06-14 Thread Lennart Poettering
On Sun, 14.06.09 22:25, Ahmed Kamal (email.ahmedka...@googlemail.com) wrote:

> Hi fedorians,
> 
> Having spent more than a day trying to get Skype working smoothly with PA,
> and failing (cranky sound, or 100% CPU usage). Now I know Skype is closed
> crap that is using deprecated apis and it along with flash should be
> sentenced to software hell, but at the end of the day I need to use it at
> work. So, what I ended up doing was to "yum remove pulseaudio". Alsa
> software dmixing usually works fine for me. However, yum needed to remove
> gnome-bluetooth as it depends on PA! And it refuses to bring it back without
> PA!! duh! I want my bluetooth back, and I don't want PA. Nothing against PA,
> but it doesn't benefit me in anyway and only causes problems. Is this a case
> of rpm dependency abuse ?

Why should it be?

If you don't want to use gnome-bluetooth and how it integrates with
all other software and automates things then don't use it. Nobody
forces you.

In fact some dude called Lennart even made sure that bluez upstream
ships with an alsa config file fragment like this:

http://git.kernel.org/?p=bluetooth/bluez.git;a=blob_plain;f=audio/bluetooth.conf

If installed this will allow you to use an ALSA device "bluetooth:MAC"
for accessing a specific bluetooth headset, without going via
PA. Awesome dude, that Lennart guy.

But generally PA's BT support works way better than the implementation
in the bluez alsa plugin. So YMMV.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/   GnuPG 0x1A015CC4



Re: What I HATE about F11

2009-06-14 Thread David
On 6/13/2009 10:19 PM, Charles Butterfield wrote:
> Okay, so I mostly love Fedora.  However, here are 4 things that got my
> blood really, really boiling, so I thought I’d share my emotions.  They
> are mostly policy issues, where I think you have gotten it very very wrong.
> 
>  
> 
> Just installed F11 64 bit, here are the things I hate about it in the
> first 30 minutes (of course there are a lot of things I like too, but
> they work, these don't). No doubt more will crop up.
> 
> * Root gdm login - gets harder every release - SHAME ON YOU root nazis!
> * Samba (outbound) browsing requires firewall mods
> * Jamming SELinux enforcing mode with no query during install
> 
> And a bug:
> 
> * My "supported" NVIDIA card (Quadro NVS 295) is not detected - okay
>   this may not be due to overt, mulish arrogance, but I did check
>   the supported card list and it is really annoying.
> 
> 
> The first 3 items are just freaking absurd and represent some sort of
> political agenda combined with astonishing arrogance.
> 
> Is a graphical root login dangerous -- of course! So are a lot of
> things, which have obvious enable/disable controls. Was this
> discussed in the release note? - NO. Should it be inhibited by an
> ever-increasing set of obscure work-arounds (in this case a new file to
> edit in F11)? Of course not.  (Well as was pointed out to me in thread
> http://forums.fedoraforum.org/showthread.php?t=223793  this is
> discussed... but in non-highlighted text at the end of the boring last
> bullet suggesting you “save and close”).
> 
> 
> And why on earth show the stupid "Windows Network" if it doesn't work --
> just gives an obscure error message "Failed to retrieve share list from
> server". If you install the client, the reasonable man would open the
> ports, OR provide a clueful error message.
> 
> SELinux - enforcing So all the bugs are worked out? I think not.
> 
>  
> 
>  
> 
> Regards
> 
> -- Charlie Butterfield
> 
>  
> 
> P.S. Here is a bit more context:
> 
>  
> 
> Bob -- Thanks for the tip, I did NOT realize the developers didn't scan
> the forums. I have been using Fedora since FC2 (I think), and overall
> think it's great, esp as a bleeding edge incubator for RHEL/CentOS. BUT
> there are some annoying trends occurring that finally pushed me over
> rant/no-rant threshold.
> 
> Dan -- I like all manner of stuff, but what caused me to just wipe my
> CentOS 5.3 root partition and replace it with F11 was a desire to get
> the relatively new GNOME gvfs stuff -- so I can manipulate remote
> windows shares with any tool, not just GnomeVFS aware tools.
> 
> On a higher level I am amazed and impressed by the creative outpouring
> from the various Open Source communities, although it is also a stark
> reminder of the fact that programmers hate, hate, hate documentation :-)


This is an interesting debate that you all are having here. But has
anyone, other than me that is, noticed the complete absence of the OP,
Mr. Charlie Butterfield, after his original rants? Or would this be
trolling?   ;-)

BTW. Great job on Fedora 11.

-- 


  David



Re: (Most) Results from the Candidate Questionnaire are available now

2009-06-14 Thread Kevin Kofler
Thorsten Leemhuis wrote:
> * some people dislike questions like "do you prefer Gnome or KDE" that
> are/should be mostly irrelevant for Fedora as whole and the position the
> candidate is nominated for

It's pretty much relevant, we don't want GNOME bias all over the Fedora
governing bodies. For some of us, the answer to that question was the one
answer on which to base the decision whom to vote for.

Kevin Kofler



No bluetooth for PulseAudio nonbelievers

2009-06-14 Thread Ahmed Kamal
Hi fedorians,

Having spent more than a day trying to get Skype working smoothly with PA,
and failing (cranky sound, or 100% CPU usage). Now I know Skype is closed
crap that is using deprecated apis and it along with flash should be
sentenced to software hell, but at the end of the day I need to use it at
work. So, what I ended up doing was to "yum remove pulseaudio". Alsa
software dmixing usually works fine for me. However, yum needed to remove
gnome-bluetooth as it depends on PA! And it refuses to bring it back without
PA!! duh! I want my bluetooth back, and I don't want PA. Nothing against PA,
but it doesn't benefit me in any way and only causes problems. Is this a case
of rpm dependency abuse ?
Regards

Re: iptables/firewall brainstorming

2009-06-14 Thread Lennart Poettering
On Sun, 14.06.09 15:09, Chuck Anderson (c...@wpi.edu) wrote:

> > > I think this is actually a problem that needs solving. We have
> > > several network services that are either installed by default or
> > > might be expected to be part of a standard setup, but which don't
> > > work because of the default firewall rules. The Anaconda people have
> > > (sensibly, IMHO) refused to simply add further exceptions to the
> > > firewall policy.
> > > 
> > > So, what should happen here? Should we leave the firewall enabled in 
> > > these cases* by default and require admins to open them? If so, is
> > > there any way that we can make this easier in some
> > > Packagekit-oriented manner? If not, how should we define that
> > > packages indicate that they need ports opened? Should this be handled
> > > at install time or run time?
> > > 
> > > * The case that I keep hitting is mDNS resolution, which requires 
> > > opening a hole in the firewall
> 
> For the case of mDNS resolution, we should create a nf_conntrack 
> module to track outbound requests and allow the related replies back 
> in.  This case is identical to the Samba browsing case where we 
> created nf_conntrack_netbios_ns [1].  We need a nf_conntrack_mdns too.

No. Absolutely not.

Firstly, mDNS is not a client/server protocol where you just send out
a query and then wait for one response. Instead mDNS is about
minimizing traffic by having an elaborate caching logic. And that
logic is based on learning from other machines' queries, from
gratuitous announcement and goodbye packets. mDNS is genuinely
peer-to-peer and it needs the whole traffic that goes on the mdns
multicast group on the local LAN segment.

Secondly, connection tracking is not a magic wand. It creates almost
as many problems as it solves.

Lennart

-- 
Lennart Poettering             Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/   GnuPG 0x1A015CC4



Re: What I HATE about F11

2009-06-14 Thread Chuck Anderson
On Sun, Jun 14, 2009 at 10:45:09AM -0400, Simo Sorce wrote:
> > >   * Samba (outbound) browsing requires firewall mods
> > I don't know how Samba works, so forgive me if I say obvious stupidity,
> > but shouldn't *client* work even behind closed firewall (like with any
> > other services like ssh, ftp, ...)? Isn't this a samba bug then?
> 
> Samba as a client needs to listen for Netbios packets replies (UDP) to
> do browsing, so since F-10 (yes this is not something new in F-11) the
> firewall has strict rules and there is a "samba client" specific rule.

...which is broken in that it is too permissive, and in that it isn't 
enabled by default.  We need to fix it so it only uses the conntrack 
module but doesn't open inbound ports, and also enable it in the 
default install.

https://bugzilla.redhat.com/show_bug.cgi?id=469884



Re: What I HATE about F11

2009-06-14 Thread Lennart Poettering
On Sun, 14.06.09 14:01, Bruno Wolff III (br...@wolff.to) wrote:

> 
> On Sun, Jun 14, 2009 at 20:08:31 +0200,
>   Lennart Poettering  wrote:
> > 
> > enabled by default, like we currently do. If an application cannot be
> > trusted then it should not be allowed to listen on a port by default
> > in the first place. A firewall is an extra layer of security that
> > simply hides the actual problem.
> 
> The point of the firewall is to block connections to services that are
> only supposed to be connected from trusted locations. This may be things
> you are testing, don't intend to be running, don't bind to 127.0.0.1 instead
> of 0.0.0.0, even though they are intended to be accessed from the local
> machine, or services that you only want to accept connections from a white
> list of IP addresses.

Aha!

The currently existing firewall knows nothing about "trusted
locations". Which is precisely what makes it so pointless.

Also, if an application listens on 0.0.0.0 but should actually be
listening on 127.0.0.1 then this is a bug, which is simply taped over
by running a firewall. This really needs to be fixed in the
application.

I mean, maybe it is just me, but I actually think that bugs should be
fixed where they are, and not by taping over them.

Everything you wrote above simply proves my points...

Lennart

-- 
Lennart Poettering             Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/   GnuPG 0x1A015CC4
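
A check for the 0.0.0.0 versus 127.0.0.1 binding problem argued about in the message above, added here as an example and not part of the original post: it parses the Linux `/proc/net/tcp` table and reports listeners that the administrator considers local-only but that are bound to a non-loopback address. The sample table, the port numbers and the function names are constructed for illustration, and the decoding assumes a little-endian host such as x86.

```python
"""Audit TCP listeners for wildcard binds, using the /proc/net/tcp format."""
import ipaddress
import struct

TCP_LISTEN = 0x0A  # state code the kernel prints for listening sockets

# Constructed sample table (not captured from a real host). Addresses are hex
# in the byte order printed on little-endian machines; ports are plain hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0F00000A:0016 0200000A:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 10004 2 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(hex_endpoint):
    """Turn 'AABBCCDD:PPPP' into (IPv4Address, port)."""
    addr_hex, port_hex = hex_endpoint.split(":")
    # The kernel prints the raw 32-bit address as a host-order integer, so on
    # a little-endian machine the bytes come out reversed.
    packed = struct.pack("<I", int(addr_hex, 16))
    return ipaddress.IPv4Address(packed), int(port_hex, 16)


def listening_sockets(table_text):
    """Return (address, port) for every socket in LISTEN state."""
    result = []
    for line in table_text.splitlines():
        fields = line.split()
        # Data rows start with an index such as '0:'; the header does not.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        result.append(decode_endpoint(fields[1]))
    return result


def misbound_local_services(table_text, local_only_ports):
    """Listeners on ports meant for local use that are reachable remotely.

    A hit here is the application bug described above: the fix is to bind the
    service to 127.0.0.1, whether or not a firewall also blocks the port.
    """
    findings = []
    for addr, port in listening_sockets(table_text):
        if port in local_only_ports and not addr.is_loopback:
            findings.append((str(addr), port))
    return findings


if __name__ == "__main__":
    # Assumption for the demo: ports 631 and 8080 are meant to be local-only.
    for addr, port in misbound_local_services(SAMPLE_PROC_NET_TCP, {631, 8080}):
        print(f"port {port} is bound to {addr}, expected a loopback address")
```

On a real host, pass the contents of `/proc/net/tcp` instead of the sample; IPv6 listeners live in `/proc/net/tcp6` and are not covered here.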



Re: iptables/firewall brainstorming

2009-06-14 Thread Chuck Anderson
On Sun, Jun 14, 2009 at 12:30:41PM -0600, Kevin Fenzi wrote:
> On Sun, 14 Jun 2009 18:34:52 +0100
> Matthew Garrett  wrote:
> 
> > On Sun, Jun 14, 2009 at 06:13:51PM +0200, Julian Aloofi wrote:
> > 
> > > So, solving this is pretty easy, even for newbies. But I agree that
> > > the error message will not help someone without advanced knowledge.
> > > Although I think people running Samba generally will know where to
> > > look for the problem.
> > 
> > I think this is actually a problem that needs solving. We have
> > several network services that are either installed by default or
> > might be expected to be part of a standard setup, but which don't
> > work because of the default firewall rules. The Anaconda people have
> > (sensibly, IMHO) refused to simply add further exceptions to the
> > firewall policy.
> > 
> > So, what should happen here? Should we leave the firewall enabled in 
> > these cases* by default and require admins to open them? If so, is
> > there any way that we can make this easier in some
> > Packagekit-oriented manner? If not, how should we define that
> > packages indicate that they need ports opened? Should this be handled
> > at install time or run time?
> > 
> > * The case that I keep hitting is mDNS resolution, which requires 
> > opening a hole in the firewall

For the case of mDNS resolution, we should create a nf_conntrack 
module to track outbound requests and allow the related replies back 
in.  This case is identical to the Samba browsing case where we 
created nf_conntrack_netbios_ns [1].  We need a nf_conntrack_mdns too.

> I keep wondering if we couldn't come up with something
> like a /etc/iptables.d/ type setup somehow that would work for these
> cases. 

That might be a good idea for services, but for clients (Samba NetBIOS 
browsing, mDNS, other client-initiated broadcast/multicast-based 
browsing or discovery protocols) we should just unconditionally 
install and enable iptables conntrack modules to handle them by 
default [1] [2].  Clients should just work out-of-the-box without 
requiring any user configuration.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=113918
[2] https://bugzilla.redhat.com/show_bug.cgi?id=469884



Re: What I HATE about F11

2009-06-14 Thread Bruno Wolff III
On Sun, Jun 14, 2009 at 20:08:31 +0200,
  Lennart Poettering  wrote:
> 
> enabled by default, like we currently do. If an application cannot be
> trusted then it should not be allowed to listen on a port by default
> in the first place. A firewall is an extra layer of security that
> simply hides the actual problem.

The point of the firewall is to block connections to services that are
only supposed to be connected from trusted locations. This may be things
you are testing, don't intend to be running, don't bind to 127.0.0.1 instead
of 0.0.0.0, even though they are intended to be accessed from the local
machine, or services that you only want to accept connections from a white
list of IP addresses.



Samba browsing [was: What I HATE about F11]

2009-06-14 Thread Chuck Anderson
On Sun, Jun 14, 2009 at 10:35:53AM +0200, Martin Sourada wrote:
> >   * Samba (outbound) browsing requires firewall mods
> I don't know how Samba works, so forgive me if I say obvious stupidity,
> but shouldn't *client* work even behind closed firewall (like with any
> other services like ssh, ftp, ...)? Isn't this a samba bug then?

Not a samba bug, but rather a s-c-firewall/iptables bug.  I was 
involved way back when to make this "just work" out of the box [2], 
but it seems we've regressed in this area.  There is an iptables 
module called "nf_conntrack_netbios_ns" that makes browsing possible 
without opening up firewall holes.  You can enable it by adding it to 
the IPTABLES_MODULES list in /etc/sysconfig/iptables-config:

IPTABLES_MODULES="nf_conntrack_netbios_ns"

You shouldn't need to poke a hole for 137/udp or 138/udp in the 
firewall when using this module.  When an outbound browse broadcast is 
made, this module allows the replies back in automatically.

Help would be appreciated with this since there is a scarcity of 
NetBIOS Browsing capability where I am these days:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=469884

Original bug that proposed the creation of the iptables module:

[2] https://bugzilla.redhat.com/show_bug.cgi?id=113918



Re: (Most) Results from the Candidate Questionnaire are available now

2009-06-14 Thread Thorsten Leemhuis
Hi!

Sorry, late answer:

On 05.06.2009 21:28, Paul W. Frields wrote:
> On Fri, Jun 05, 2009 at 09:04:08PM +0200, Thorsten Leemhuis wrote:
>> Sorry, was a bit busy over the past few days and didn't get around to
>> answer all mails.
>>
>> On 04.06.2009 00:30, Andreas Thienemann wrote:
>>> On Wed, 3 Jun 2009, Paul W. Frields wrote:
>> [...]
>>>> I'm disappointed this ended up being a more difficult process than you
>>>> intended, but I have no doubt we can improve it for the next cycle.
>>> Leaving a bit more time between the cut-off date for the questionnaire and 
>>> the town hall meeting should hopefully fix that.
>> My basic idea is to have the question finished and in the wiki after the
>> first half of the nomination period is over. I'd also suggest the
>> answers should get sent in no later than "end of nomination period" +
>> something like 2 or 3 days.
>>
>> That way the total time of the whole election business stays roughly
>> the same. People that are late with the nomination then only have
>> something like two or three days to answer the question, but that's
>> their decision -- they could have had 9 or 10 days if they had chosen to
>> nominate earlier.
> 
> Thorsten, if you get a chance, would you mind hanging a link off the
> wiki's [[Elections]] page with a brief summary of the procedure you
> used, and/or any suggestions for improvements?  When it comes time for
> the next election we can refer to it.  If you're willing and able then
> to fill that role, you can refer to it; and if not, we'll be able to
> carry on as needed.

I just added below stuff to
https://fedoraproject.org/wiki/Elections/Questionnaire
Did I forget anything? Does anybody have any other suggestions? Anything
that is disliked?

Cu
knurd

== Notes ==

Workflow:

* aim to collect answers in private and publish them in one go --
then candidates have no chance to look at the answers from other
candidates; that sounds like a minor detail, but seems to have helped a
lot to encourage the candidates
* to help with that only add candidates answers to the official answer
documents/pages that were handed in before the deadline
* prepare the questions early and have them ready and public in the wiki
early -- ideally at the beginning of the nomination period or something
like four days or one week before the end of the nomination period; set
a tight deadline for handing in the answers like "end of nomination
plus two days". That should make sure the whole election process doesn't
take too long and give everybody that nominated enough time to send the
answers -- sure it's tight if people nominate late, but that's their
fault ;-)
* to help with that make sure the deadlines are known before the
nomination period starts
* seems a lot of people liked the OpenOffice table for comparing the
results we had in the past, as it's possible to easily hide candidates
and answers/questions you are not interested in; to reduce copy'n'paste
(and thus reduce error potential) consider to put such a basic table
with the answers (one per row) into the wiki that candidates (one per
column) need to use to hand in the answers; then all that is needed is
to merge the rows with the answers into one table, which is quite easy;
from that table it's easy to export them into many other formats without
too much work

Questions:

* "open ended" questions obviously are highly preferred
* someone needs to review the questions and merge similar questions into
one and remove others to make sure there are not too many questions
(something like 16 to 20 likely should do)
* some of the old questions were quite good and universal;
* some people dislike questions like "do you prefer Gnome or KDE" that
are/should be mostly irrelevant for Fedora as whole and the position the
candidate is nominated for, but other people really like the answers as
they give an impression about the person itself. So a few of those
questions are good and definitely acceptable, but "few" is likely important



ruby-sqlite3 conflicts with rubygem-sqlite3-ruby

2009-06-14 Thread Michael Schwendt
https://bugzilla.redhat.com/472621
https://bugzilla.redhat.com/472622

Reported in Nov 2008.

Is it really that difficult to fix it?



Re: What I HATE about F11

2009-06-14 Thread Kevin Fenzi
On Sun, 14 Jun 2009 20:08:31 +0200
Lennart Poettering  wrote:

> Gah. Allowing packages to pierce the firewall just makes the firewall
> redundant.
> 
> I still think that the current firewall situation on Fedora is pretty
> much broken. It's a bit like SELinux: it's one of the first features
> most people disable.

I don't see that. Perhaps people don't mention it much, but I very
seldom hear from people on #fedora or the forums that they disabled the
firewall. (Where I still do hear people say they disabled selinux). 

> Fedora is the only big distro that enables a firewall by default and

from a quick look (feel free to correct me here): 

debian: no firewall by default
ubuntu: default since hardy (ufw)
suse: default (SUSEFirewall2)
mandriva: default 

> thus creates a lot of trouble for many users. I think I mentioned that
> before, and I can only repeat it here: we should not ship a firewall
> enabled by default, like we currently do. If an application cannot be
> trusted then it should not be allowed to listen on a port by default
> in the first place. A firewall is an extra layer of security that
> simply hides the actual problem.

I agree somewhat. Some services should not listen by default until they
are configured. I don't think disabling the firewall matters tho, those
need to be fixed in any case. 

> Now, it's my impression that some people who control the packages in
> question and believe in all this security theater more than I do, seem
> to be unwilling to loosen the default firewall. So as a bit of a
> compromise here's what I suggest:
> 
> Add a very simple per-interface firewall profile system to
> NetworkManager. Something that is easily reachable from the NM
> applet. Something with just two simple profiles by default: one that
> allows everything for use in trusted networks, and one that just
> allows DNS, HTTP, VPN for use in untrusted networks (i.e. airport
> APs). Admins could then add more profiles if they feel the need for
> it. And one could bind those profiles to specific networks, so that
> people would just have to configure them once. Of course, as
> mentioned, these firewall profiles need to be per-interface so that a
> vpn interface can be trusted, while the underlying WLAN iface doesn't
> have to be trusted.

Somewhat agreed, but they should use a more general setup like an
iptables.d and config files, they should NOT be internal to
NetworkManager or perhaps even managed by it (it could call
system-config-firewall or something). 

> Lennart

kevin



Re: What I HATE about F11

2009-06-14 Thread Matthew Garrett
On Sun, Jun 14, 2009 at 10:52:49AM -0700, Arjan van de Ven wrote:
> On Sun, 14 Jun 2009 18:34:52 +0100
> > 
> > I think this is actually a problem that needs solving. We have
> > several network services that are either installed by default or
> > might be expected to be part of a standard setup, but which don't
> > work because of the default firewall rules. The Anaconda people have
> > (sensibly, IMHO) refused to simply add further exceptions to the
> > firewall policy.
> 
> there is an interesting issue;
> if you poke a hole in your firewall for all the ports that are listening
> automatically. you might as well not have a firewall in the first
> place...

Well, not exactly. For instance, making it part of package management 
policy means that runtime user-level compromises can't poke holes. It 
could be tied to packages with recognised signatures. There's various 
ways that it could be tied down in such a way that the firewall still 
provides a benefit without leaving users in the current situation of "I 
installed nss-mdns and I still can't look up my media server".

-- 
Matthew Garrett | mj...@srcf.ucam.org



Re: What I HATE about F11

2009-06-14 Thread inode0
On Sun, Jun 14, 2009 at 1:05 PM, Paul Wouters wrote:
> That said, I agree the wheel group should be enabled with sudo, though
> I disagree that the initial install user should be automatically added
> to it.

Should sudo be treated in this case any differently than su? I think
wheel should be either enabled by default in both or in neither. I'm
happy with the status quo, in both cases the admin is required to
remove one comment from the appropriate configuration file to enable
it. I am strongly against the first user automatically being in the
wheel group but if it were a checkbox that seems ok.

Actually, I am strongly against the way Fedora forces the creation of
the first user without allowing the admin to set the uid/gid of the
user. That is a different annoying issue.

John



iptables/firewall brainstorming

2009-06-14 Thread Kevin Fenzi
On Sun, 14 Jun 2009 18:34:52 +0100
Matthew Garrett  wrote:

> On Sun, Jun 14, 2009 at 06:13:51PM +0200, Julian Aloofi wrote:
> 
> > So, solving this is pretty easy, even for newbies. But I agree that
> > the error message will not help someone without advanced knowledge.
> > Although I think people running Samba generally will know where to
> > look for the problem.
> 
> I think this is actually a problem that needs solving. We have
> several network services that are either installed by default or
> might be expected to be part of a standard setup, but which don't
> work because of the default firewall rules. The Anaconda people have
> (sensibly, IMHO) refused to simply add further exceptions to the
> firewall policy.
> 
> So, what should happen here? Should we leave the firewall enabled in 
> these cases* by default and require admins to open them? If so, is
> there any way that we can make this easier in some
> Packagekit-oriented manner? If not, how should we define that
> packages indicate that they need ports opened? Should this be handled
> at install time or run time?
> 
> * The case that I keep hitting is mDNS resolution, which requires 
> opening a hole in the firewall

I keep wondering if we couldn't come up with something
like a /etc/iptables.d/ type setup somehow that would work for these
cases. 

In the case of a package that does not need any configuration done and
only needs a firewall rule to function, we could add a file in there to
add its rule. 

For cases of packages that DO need to be configured, add a file, but
have it disabled/commented until the service is configured. This could
be done by hand, or when someone runs a system-config-whatever and
finishes configuring, the rules could be enabled by the tool as part of
a 'make live' or 'activate' or something. 

If we had something like this, packages could ship their
own /etc/iptables.d files. 

Just a thought. 

kevin
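
A sketch of the `/etc/iptables.d` idea from the message above, added here as an illustration and not part of the original post or of any Fedora package: package fragments are merged into an `iptables-restore` ruleset, commented-out fragments stay inactive until someone enables them, and a fragment may only open a single port, so it cannot flush chains or change policy. The fragment names, the `.rules` suffix, the allowed rule form and the sample contents are all assumptions made for the example.

```python
"""Assemble a firewall ruleset from per-package drop-in fragments."""
import re
from pathlib import Path

# Fixed parts of the ruleset, owned by the administrator, never by a package.
BASE_HEAD = [
    "*filter",
    ":INPUT ACCEPT [0:0]",
    ":FORWARD ACCEPT [0:0]",
    ":OUTPUT ACCEPT [0:0]",
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
]
BASE_TAIL = [
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
    "COMMIT",
]

# The only thing a fragment may do: accept new traffic to one tcp/udp port.
ALLOWED = re.compile(
    r"^-A INPUT (?:-m state --state NEW )?(?:-m (?P<match>tcp|udp) )?"
    r"-p (?P<proto>tcp|udp) --dport (?P<port>\d{1,5}) -j ACCEPT$"
)

# Constructed sample fragments, keyed by hypothetical file name.
SAMPLE_FRAGMENTS = {
    "10-nss-mdns.rules": (
        "# needs no configuration, so the rule ships enabled\n"
        "-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -j ACCEPT\n"
    ),
    "20-samba.rules": (
        "# disabled until the service has been configured\n"
        "#-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT\n"
    ),
    "30-untrusted.rules": (
        "-A INPUT -p tcp --dport 8080 -j ACCEPT\n"
        "-P INPUT ACCEPT\n"
    ),
}


def check_rule(line):
    """Return the whitespace-normalised rule, or None if it is not allowed."""
    rule = " ".join(line.split())
    m = ALLOWED.match(rule)
    if not m:
        return None
    if m.group("match") not in (None, m.group("proto")):
        return None  # e.g. '-m tcp -p udp'
    if not 1 <= int(m.group("port")) <= 65535:
        return None
    return rule


def load_fragments(directory="/etc/iptables.d"):
    """Read every *.rules file in the (hypothetical) drop-in directory."""
    return {p.name: p.read_text() for p in sorted(Path(directory).glob("*.rules"))}


def assemble(fragments):
    """Return (ruleset_text, rejected); rejected lists (file, offending line).

    A fragment containing any disallowed line is dropped as a whole, so a
    package cannot smuggle one valid rule in next to a policy change.
    """
    accepted, rejected = [], []
    for name in sorted(fragments):
        rules = []
        for raw in fragments[name].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line, comment, or a disabled rule
            rule = check_rule(line)
            if rule is None:
                rejected.append((name, line))
                rules = []
                break
            rules.append(rule)
        accepted.extend(rules)
    return "\n".join(BASE_HEAD + accepted + BASE_TAIL) + "\n", rejected


if __name__ == "__main__":
    ruleset, rejected = assemble(SAMPLE_FRAGMENTS)
    print(ruleset, end="")
    for name, line in rejected:
        print(f"# rejected {name}: {line}")
```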



Re: What I HATE about F11

2009-06-14 Thread Kevin Fenzi
On Sun, 14 Jun 2009 15:59:58 +0100
Richard Fearn  wrote:

> > We have the "wheel" group which would fit the bill.
> 
> Yeah, I always uncomment the %wheel line in sudoers and then add
> myself to that group.
> 
> Hmmm, having looked at the Features guidelines I'm not sure if this
> warrants a feature page or not. It would only involve a change to the
> default sudoers file, and a change to firstboot to add the first user
> to the wheel group.
> 
> Can someone from FESCo help out here? Should I make a feature page for
> this or not?

https://fedoraproject.org/wiki/Features/Policy/Definitions

I think this would fall under several of the tests for it being a
feature. 

Note however, making a feature page does not mean that this magically
gets done. It would be up to YOU (or whoever else helps you) to get
the work done, coordinate with package maintainers who are affected,
etc. Basically a feature page says "I am going to work on getting this
done", not "this would be nice, someone should do it". 

That said, if you are willing to work on it, great. :) 

> Thanks,
> 
> Rich

kevin



Re: glibc malloc errors

2009-06-14 Thread Xose Vazquez Perez
On 06/14/2009 08:17 PM, Xose Vazquez Perez wrote:

> running libmicro[1] microbenchmarks, sometimes some of
> them broke for no reason.

Fedora 11 x86_64 (64-bit)

-- 
«Let blind kings wage fierce war over there for one more handspan of land;
for here I hold as mine all that the wild sea embraces, on which no one
has imposed laws. And there is no shore, whichever it may be, nor flag of
splendour, that does not feel my right and pay tribute to my valour.»



Re: What I HATE about F11

2009-06-14 Thread Bastien Nocera
On Sun, 2009-06-14 at 10:52 -0700, Arjan van de Ven wrote:
> On Sun, 14 Jun 2009 18:34:52 +0100
> > 
> > I think this is actually a problem that needs solving. We have
> > several network services that are either installed by default or
> > might be expected to be part of a standard setup, but which don't
> > work because of the default firewall rules. The Anaconda people have
> > (sensibly, IMHO) refused to simply add further exceptions to the
> > firewall policy.
> 
> there is an interesting issue;
> if you poke a hole in your firewall for all the ports that are listening
> automatically. you might as well not have a firewall in the first
> place...

This is a chicken-and-egg problem.

FWIW, I'd want my created normal user to be added to wheel
automatically, and the useless firewall removed from the default desktop
install.



Re: FESCo meeting summary for 2009-06-12

2009-06-14 Thread Kevin Fenzi
On Sun, 14 Jun 2009 12:09:19 +0200
Thorsten Leemhuis  wrote:

> On 12.06.2009 20:54, Jon Stanley wrote:
> > Here's the minutes and IRC log of today's FESCo meeting
> > 
> > Minutes:
> > http://www.scrye.com/~kevin/fedora/fedora-meeting/2009/fedora-meeting.2009-06-12-17.01.html
> > Log:
> > http://www.scrye.com/~kevin/fedora/fedora-meeting/2009/fedora-meeting.2009-06-12-17.01.log.html
> 
> I actually must say that I don't like this log very much (and that is
> the diplomatic version), but well, it's better than nothing and maybe
> I got used to it.

Could you expand on this? What part of it do you not like? 
How can we improve it? 

We have the source and the upstream maintainer has been very responsive
so far, so hopefully we can enhance it to meet our needs. 

Note that it uses pygments to highlight the logs and its IRC highlight
is... "minimal". There is a bug to enhance it, see: 

http://dev.pocoo.org/projects/pygments/ticket/341
and
https://bugzilla.redhat.com/show_bug.cgi?id=504648

> Is there a text version that could be cut'n'pasted in the mail? That
> way people can read them immediately and reply to certain parts
> easily.

Sure, we can do that. 

> Cu
> knurd

kevin



glibc malloc errors

2009-06-14 Thread Xose Vazquez Perez
hi,

running libmicro[1] microbenchmarks, sometimes some of
them broke for no reason.

running them again with $ export MALLOC_CHECK_=1 I got.
output:
*** glibc detected *** bin/malloc: free(): invalid pointer: 0x01b16e80 ***
*** glibc detected *** bin/malloc: free(): invalid pointer: 0x01b16a70 ***
*** glibc detected *** bin/malloc: free(): invalid pointer: 0x01b16660 ***
*** glibc detected *** bin/malloc: free(): invalid pointer: 0x01b176a0 ***
*** glibc detected *** bin/malloc: free(): invalid pointer: 0x01b17ec0 ***

dmesg:
Jun 14 19:37:03 querida kernel: malloc[2745] general protection ip:3039e75951 sp:7fff41ce27f0 error:0 in libc-2.10.1.so[3039e0+164000]
Jun 14 19:37:03 querida kernel: malloc[2744] trap divide error ip:402fa6 sp:7fff41ce2820 error:0 in malloc[40+6000]


Something similar happens in openSUSE:Factory


-thanks-

regards,

[1] http://opensolaris.org/os/project/libmicro/
-- 
«Let blind kings wage fierce war over there for one more handspan of land;
for here I hold as mine all that the wild sea embraces, on which no one
has imposed laws. And there is no shore, whichever it may be, nor flag of
splendour, that does not feel my right and pay tribute to my valour.»



Re: What I HATE about F11

2009-06-14 Thread Lennart Poettering
On Sun, 14.06.09 18:34, Matthew Garrett (m...@redhat.com) wrote:

> > So, solving this is pretty easy, even for newbies. But I agree that the
> > error message will not help someone without advanced knowledge. Although
> > I think people running Samba generally will know where to look for the
> > problem.
> 
> I think this is actually a problem that needs solving. We have several 
> network services that are either installed by default or might be 
> expected to be part of a standard setup, but which don't work because of 
> the default firewall rules. The Anaconda people have (sensibly, IMHO) 
> refused to simply add further exceptions to the firewall policy.
> 
> So, what should happen here? Should we leave the firewall enabled in 
> these cases* by default and require admins to open them? If so, is there 
> any way that we can make this easier in some Packagekit-oriented manner? 
> If not, how should we define that packages indicate that they need ports 
> opened? Should this be handled at install time or run time?

Gah. Allowing packages to pierce the firewall just makes the firewall
redundant.

I still think that the current firewall situation on Fedora is pretty
much broken. It's a bit like SELinux: it's one of the first features
most people disable.

Fedora is the only big distro that enables a firewall by default and
thus creates a lot of trouble for many users. I think I mentioned that
before, and I can only repeat it here: we should not ship a firewall
enabled by default, like we currently do. If an application cannot be
trusted then it should not be allowed to listen on a port by default
in the first place. A firewall is an extra layer of security that
simply hides the actual problem.

Now, it's my impression that some people who control the packages in
question and believe in all this security theater more than I do, seem
to be unwilling to loosen the default firewall. So as a bit of a
compromise here's what I suggest:

Add a very simple per-interface firewall profile system to
NetworkManager. Something that is easily reachable from the NM
applet. Something with just two simple profiles by default: one that
allows everything for use in trusted networks, and one that just
allows DNS, HTTP, VPN for use in untrusted networks (i.e. airport
APs). Admins could then add more profiles if they feel the need for
it. And one could bind those profiles to specific networks, so that
people would just have to configure them once. Of course, as
mentioned, these firewall profiles need to be per-interface so that a
vpn interface can be trusted, while the underlying WLAN iface doesn't
have to be trusted.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/   GnuPG 0x1A015CC4



Re: What I HATE about F11

2009-06-14 Thread Arjan van de Ven
On Sun, 14 Jun 2009 19:49:01 +0200
drago01  wrote:

> If you need to login as root into X to "set up the system" you are
> doing something wrong.

yet you may need this to fix some earlier goof.
not allowing the root user to do what he wants/needs to do is
obnoxious in that sense; when you need something like this, the system
is NOT operating in a normal way, and yet the owner thinks he can fix
his system as a last resort this way.
(while there is no real security upside to ban root from doing things
he can enable in the case the system is not yet hosed)

-- 
Arjan van de Ven     Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org



Re: What I HATE about F11

2009-06-14 Thread Paul Wouters

On Sun, 14 Jun 2009, Lennart Poettering wrote:


>> The way it is done right now, you have a system that might give too
>> few permissions to some users. If that causes a problem, you'll notice
>> it, and you can correct it in a very simple way (uncomment one line
>> and add a user to a group).
>>
>> However, if we change the default, you have a system that may be
>> giving too much permissions to some users depending on your taste. And
>> the worse part is that you (as an admin) might not even know it !
>
> Bikeshed!


No. The "bikeshed" is about not agreeing on details and not starting
work on the item. That's not the case here. Here the argument is that
it *needs* to work.

That said, I agree the wheel group should be enabled with sudo, though
I disagree that the initial install user should be automatically added
to it.

But then again, I hate sudo :P I do most scripting that requires root
access via root logins directly with ssh and keys.

Paul



Re: What I HATE about F11

2009-06-14 Thread Arjan van de Ven
On Sun, 14 Jun 2009 18:34:52 +0100
> 
> I think this is actually a problem that needs solving. We have
> several network services that are either installed by default or
> might be expected to be part of a standard setup, but which don't
> work because of the default firewall rules. The Anaconda people have
> (sensibly, IMHO) refused to simply add further exceptions to the
> firewall policy.

there is an interesting issue;
if you poke a hole in your firewall for all the ports that are listening
automatically, you might as well not have a firewall in the first
place...


-- 
Arjan van de Ven     Intel Open Source Technology Centre
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org



Re: What I HATE about F11

2009-06-14 Thread drago01
On Sun, Jun 14, 2009 at 7:41 PM, Petrus de
Calguarium wrote:
> Charles Butterfield wrote:
>
>>...
>
> Does it help if more people (dis)agree? I will add my voice.
>
> - I like a root login option, especially when first setting
> up the system, as it is helpful to do things as root. I
> consciously choose to use root and realize that I MYSELF
> could be exposing MY OWN computer to risks. I ALWAYS
> uncomment %wheel in sudoers and add myself to the wheel
> group, but just to get to do this is sometimes difficult, as
> it gets constantly more awkward to even have the privileges
> to edit sudoers (fortunately, fedora is one of the more
> permissive distros with regard to editing sudoers). It is
> ESSENTIAL that a user be able to modify system settings on
> his OWN computer, if he chooses to do so. I fully support
> your outrage. Luckily, as a kde user, kdm has not been hit by
> the "root nazi" bug, so I am not hugely affected.

If you need to login as root into X to "set up the system" you are
doing something wrong.



Re: What I HATE about F11

2009-06-14 Thread Petrus de Calguarium
Charles Butterfield wrote:

>...

Does it help if more people (dis)agree? I will add my voice.

- I like a root login option, especially when first setting 
up the system, as it is helpful to do things as root. I 
consciously choose to use root and realize that I MYSELF 
could be exposing MY OWN computer to risks. I ALWAYS 
uncomment %wheel in sudoers and add myself to the wheel 
group, but just to get to do this is sometimes difficult, as 
it gets constantly more awkward to even have the privileges 
to edit sudoers (fortunately, fedora is one of the more 
permissive distros with regard to editing sudoers). It is 
ESSENTIAL that a user be able to modify system settings on 
his OWN computer, if he chooses to do so. I fully support 
your outrage. Luckily, as a kde user, kdm has not been hit by 
the "root nazi" bug, so I am not hugely affected.

- Since about fedora 10, selinux is working so well that I no 
longer need to disable it at all, which I used to have to do. 
I am able to do everything I need to do without problems and 
I appreciate the extra security it might provide to my 
system, and hence, to my data and online experience. It is 
easy to disable, too, simply by editing grub's kernel boot 
line or using the gui interface. I cannot support your rage, 
as it IS working well and is so easily disabled.



Re: What I HATE about F11

2009-06-14 Thread Matthew Garrett
On Sun, Jun 14, 2009 at 06:13:51PM +0200, Julian Aloofi wrote:

> So, solving this is pretty easy, even for newbies. But I agree that the
> error message will not help someone without advanced knowledge. Although
> I think people running Samba generally will know where to look for the
> problem.

I think this is actually a problem that needs solving. We have several 
network services that are either installed by default or might be 
expected to be part of a standard setup, but which don't work because of 
the default firewall rules. The Anaconda people have (sensibly, IMHO) 
refused to simply add further exceptions to the firewall policy.

So, what should happen here? Should we leave the firewall enabled in 
these cases* by default and require admins to open them? If so, is there 
any way that we can make this easier in some Packagekit-oriented manner? 
If not, how should we define that packages indicate that they need ports 
opened? Should this be handled at install time or run time?

* The case that I keep hitting is mDNS resolution, which requires 
opening a hole in the firewall
-- 
Matthew Garrett | mj...@srcf.ucam.org
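
The mismatch raised in this message (services that listen but are rejected by the default rules) can be measured directly. An added example, not part of the original thread: it evaluates each non-loopback listener against an INPUT chain, then shows that opening a hole for every listener leaves nothing filtered. The ruleset, the listener table and the `eth0` interface name are constructed assumptions, and the matcher only understands `-p`, `--dport`, `-i`, `--state` and `-j` (no negation).

```python
# Constructed sample: an INPUT chain in iptables-save format with only
# SSH opened. Not copied from any real system.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: listening sockets in `netstat -lntu` column layout
# (sshd, a loopback-only service, Samba, mDNS).
LISTENERS = """\
tcp   0  0 0.0.0.0:22      0.0.0.0:*   LISTEN
tcp   0  0 127.0.0.1:631   0.0.0.0:*   LISTEN
tcp   0  0 0.0.0.0:445     0.0.0.0:*   LISTEN
udp   0  0 0.0.0.0:5353    0.0.0.0:*
"""

TERMINAL = {"ACCEPT", "REJECT", "DROP"}


def parse_ruleset(text):
    """Return (policy, rules) for the INPUT chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = line.split()
        if line.startswith(":INPUT"):
            policy = toks[1]
        if toks[:2] != ["-A", "INPUT"]:
            continue
        rule = {"proto": None, "dport": None, "iface": None,
                "states": None, "target": None}
        it = iter(toks[2:])
        for tok in it:
            if tok == "-p":
                rule["proto"] = next(it)
            elif tok == "--dport":
                lo, _, hi = next(it).partition(":")  # "137:138" is a range
                rule["dport"] = (int(lo), int(hi or lo))
            elif tok == "-i":
                rule["iface"] = next(it)
            elif tok == "--state":
                rule["states"] = set(next(it).split(","))
            elif tok == "-j":
                rule["target"] = next(it)
        rules.append(rule)
    return policy, rules


def verdict(proto, port, rules, policy, iface):
    """First-match verdict for a NEW inbound packet arriving on iface."""
    for r in rules:
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dport"] and not (r["dport"][0] <= port <= r["dport"][1]):
            continue
        if r["iface"] and r["iface"] != iface:
            continue
        if r["states"] is not None and "NEW" not in r["states"]:
            continue
        if r["target"] in TERMINAL:
            return r["target"]
    return policy


def parse_listeners(text):
    """Return [(proto, port)] for sockets not bound to loopback only."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("tcp", "udp"):
            continue
        addr, _, port = f[3].rpartition(":")
        if addr in ("127.0.0.1", "::1"):
            continue  # unreachable from the network regardless of firewall
        out.append((f[0], int(port)))
    return out


def audit(ruleset_text, listeners_text, iface="eth0"):
    """Split listeners into those the chain lets in and those it blocks."""
    policy, rules = parse_ruleset(ruleset_text)
    report = {"reachable": [], "blocked": []}
    for proto, port in parse_listeners(listeners_text):
        v = verdict(proto, port, rules, policy, iface)
        key = "reachable" if v == "ACCEPT" else "blocked"
        report[key].append((proto, port))
    return report


def open_every_listener(ruleset_text, listeners_text):
    """Model 'every package opens its own port': one hole per listener."""
    holes = "".join(
        f"-A INPUT -m state --state NEW -p {proto} --dport {port} -j ACCEPT\n"
        for proto, port in parse_listeners(listeners_text))
    return ruleset_text.replace("-A INPUT -j REJECT",
                                holes + "-A INPUT -j REJECT", 1)


if __name__ == "__main__":
    print("default rules:", audit(RULESET, LISTENERS))
    pierced = open_every_listener(RULESET, LISTENERS)
    print("all holes    :", audit(pierced, LISTENERS))
```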



Re: What I HATE about F11

2009-06-14 Thread drago01
On Sun, Jun 14, 2009 at 6:13 PM, Julian
Aloofi wrote:
> On Sunday, 14.06.2009, at 17:10 +0200, Mathieu Bridon wrote:
>
>> Samba (outbound) browsing requires firewall mods
>
> So, solving this is pretty easy, even for newbies. But I agree that the
> error message will not help someone without advanced knowledge. Although
> I think people running Samba generally will know where to look for the
> problem.

I doubt that 



Re: What I HATE about F11

2009-06-14 Thread Mathieu Bridon (bochecha)
>> The way it is done right now, you have a system that might give too
>> few permissions to some users. If that causes a problem, you'll notice
>> it, and you can correct it in a very simple way (uncomment one line
>> and add a user to a group).
>>
>> However, if we change the default, you have a system that may be
>> giving too much permissions to some users depending on your taste. And
>> the worse part is that you (as an admin) might not even know it !
>
> Bikeshed!
>
> Must be some weird stuff smoking admin who simply adds someone to the
> wheel group not knowing what that group was for!
>
> The purpose of the wheel group has always been to be used for more
> privileged users.
>
> http://en.wikipedia.org/wiki/Wheel_%28Unix_term%29
> http://catb.org/~esr/jargon/html/W/wheel.html

Did I say the contrary ? I don't think so, but being a non-native
English speaker, I might have said something I didn't want to :)

I didn't say the wheel group was a nonsense or a problem. I was
responding to Richard who wanted the line to be uncommented (harmless
per se) AND the first user to be added to the wheel group by default.

Having the admin's user in the wheel group to be able to use sudo for
administrative tasks is a great idea. I just don't think it should be
added by default, without an explicit consent of the admin.

For example, a « add to the wheel group » checkbox in
system-config-users and firstboot could be great. Not sure it would be
a good idea to have it checked and hidden by default.

Regards,


--

Mathieu Bridon (bochecha)
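
Who actually holds sudo rights under either default can be audited rather than assumed. An added example, not part of the original thread: it lists every account reached by an active sudoers rule, including users who have wheel only as their primary group and so never appear in the group's member list. The sudoers, group and passwd snippets are constructed samples, and `#include`d files are not followed.

```python
import re

# Constructed sample: sudoers with the %wheel rules still commented out,
# the state the thread describes as the current default.
SUDOERS_STRICT = """\
Defaults requiretty
root ALL=(ALL) ALL
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
"""

# The same file after "uncommenting one line".
SUDOERS_WHEEL = SUDOERS_STRICT.replace(
    "# %wheel ALL=(ALL) ALL", "%wheel ALL=(ALL) ALL", 1)

# Constructed samples of /etc/group and /etc/passwd.
GROUP_FRESH = "root:x:0:root\nwheel:x:10:root\nusers:x:100:\n"
GROUP_AFTER = "root:x:0:root\nwheel:x:10:root,alice\nusers:x:100:\n"
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:500:500::/home/alice:/bin/bash\n"
    "bob:x:501:10::/home/bob:/bin/bash\n"   # primary group is wheel (gid 10)
)

RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias",
                 "Host_Alias", "Cmnd_Alias")


def active_rules(sudoers_text):
    """Return [(who, nopasswd)] for every uncommented user specification."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        # Every '#' line is treated as a comment, so #include is ignored.
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("who"), "NOPASSWD:" in m.group("rest")))
    return rules


def group_members(name, group_text, passwd_text):
    """Members listed in the group file plus users whose primary gid matches."""
    members, gid = set(), None
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == name:
            gid = f[2]
            members.update(m for m in f[3].split(",") if m)
    if gid is not None:
        for line in passwd_text.splitlines():
            f = line.split(":")
            if len(f) >= 4 and f[3] == gid:
                members.add(f[0])
    return members


def sudo_capable(sudoers_text, group_text, passwd_text):
    """Map each account to the sudoers entries that grant it sudo."""
    result = {}
    for who, nopasswd in active_rules(sudoers_text):
        if who.startswith("%"):
            users = group_members(who[1:], group_text, passwd_text)
        else:
            users = {who}
        label = who + (" (NOPASSWD)" if nopasswd else "")
        for user in sorted(users):
            result.setdefault(user, []).append(label)
    return result


if __name__ == "__main__":
    print("strict default:", sudo_capable(SUDOERS_STRICT, GROUP_FRESH, PASSWD))
    print("wheel enabled :", sudo_capable(SUDOERS_WHEEL, GROUP_AFTER, PASSWD))
```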



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jeroen van Meeuwen

On Sun, 14 Jun 2009 14:58:36 + (UTC), "Robert 'Bob' Jensen"
 wrote:
> - "King InuYasha"  wrote:
> 
>> A script that takes the DVD image to produce the CD versions would
>> basically require extracting the whole DVD image and then generating
>> new ISOs from that tree. Maybe mirrors could do it if you want to save
>> space on the main server or whatever.
>> 
> 
> I think Bradley was suggesting something that the user could use to create
> CDs from an expanded DVD. I believe that revisor can do this pretty easily
> for users that already have an existing Fedora or EL install, kanarip will
> be speaking up on this I hope now that he is home.
> 

Revisor can do this very easily, but it's a hidden feature (not exposed in
the GUI, barely documented, blabla)

It's called --reuse, which allows you to not rebuild the installer images,
but instead reuse existing installer images. You would point it at a
mounted DVD, configure a repository pointing to the DVD, and voila, you can
do anything you like with it.

This is what I use to create the Everything spins too; I just change the
package payload, but do not change the installer images.

Kind regards,

Jeroen van Meeuwen
-kanarip



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jeroen van Meeuwen

On Sun, 14 Jun 2009 08:37:41 -0700, Jesse Keating 
wrote:
> On Sun, 2009-06-14 at 03:30 -0500, King InuYasha wrote:
>> A script that takes the DVD image to produce the CD versions would basically
>> require extracting the whole DVD image and then generating new ISOs from
>> that tree. Maybe mirrors could do it if you want to save space on the main
>> server or whatever.
> 
> That only serves to complicate matters for the users.  Good chunks of
> our users have a hard enough time figuring out what to download, how to
> burn it, and how to install it.  Adding in some weird script to take a
> DVD.iso file and split it into many smaller files isn't going to help
> matters, and certainly doesn't improve things for anaconda/qa/releng.
> 

This to me sounds like there's two separate problems;

1) Users might not know what to download

2) We might put resources into something that isn't used as much as we
would have hoped.

I'm not sure whether one single solution is appropriate for both problems.

I'm also not sure the numbers that Matt has are reflecting the actual
foot-print of users that require CD media, as our numbers show things
differently[1]. Regrettably, we have no numbers on the Jigdo releases. I
know Matt's numbers are accurate, but put in context, isn't this only
redirect links such as
http://download.fedoraproject.org/pub/fedora/linux/releases/11/Fedora/iso/disc1.iso
like shown on http://fedoraproject.org/get-fedora/ ? Are we not missing out
on *a lot* of downloading users that navigate to their mirror of preference
directly?

For Fedora Unity, this is considered a service to those in the community
that need it. It's most definitely not considered the most efficient
balance between corporate resource investments and user satisfaction.
Whether it be 3 or a million smiles we get in return for doing split media,
I don't care.

Split media will continue to exist anyway; I release split dual-layer DVD
images with the Everything Spin. Whether as such Fedora Unity is putting
the pressure on the people that would rather drop the split media, I don't
know. All I'm saying is that if the Fedora Project won't, we will. We've
been down that path before and we all know it's pretty painless[2].

If the Fedora Project considers to no longer release split CD media, would
the Fedora Project then also consider allowing Fedora Unity (members) to
continue servicing those that request or even require split CD media? If
that is too much to ask from an anaconda/qa/releng perspective, would the
Fedora Project maybe consider finally allowing those from Fedora Unity that
do it anyway, to do it *via* the Fedora Project?

Kind regards,

Jeroen van Meeuwen
-kanarip

[1] http://spinner.fedoraunity.org:6969

[2] If not, please show me where it isn't.



Re: rpmconf - tool to handle rpmnew and rpmsave files

2009-06-14 Thread Seth Vidal



On Sun, 14 Jun 2009, Jan Kratochvil wrote:


> Hi,
>
> from these tools only Gentoo looks to me to do the right thing - one has to do
> a 3-files merge.  Just having the old modified file and the new unmodified
> files has no solution how to do the automatic merge = how to get the new
> configuration file with all the local changes of the old file brought in.
>
> rpm should save originals of all the configuration files it installs.
> On Fedora I have to save them by hand before modifying any config file (I save
> them to -orig files).  Then by hand (or by the automated attached
> script) do the diff/patch merge.




If you want to have all config files of all pkgs you're installing saved 
into a safe location it would not be a very complicated yum plugin to do 
it.


-sv



Re: What I HATE about F11

2009-06-14 Thread Julian Aloofi
On Sunday, 14.06.2009, at 17:10 +0200, Mathieu Bridon wrote:

> The way it is done right now, you have a system that might give too
> few permissions to some users. If that causes a problem, you'll notice
> it, and you can correct it in a very simple way (uncomment one line
> and add a user to a group).
> 
> However, if we change the default, you have a system that may be
> giving too much permissions to some users depending on your taste. And
> the worse part is that you (as an admin) might not even know it !
> 
> IMHO, stricter by default in such a case is better. It's easier to add
> permissions, open holes when you need them, rather than having to
> chase some opened-by-default holes you don't even know about.
Full ACK. Stricter by default is definitely better, changing one little
line is not too hard.

Charles Butterfield wrote:

> Samba (outbound) browsing requires firewall mods

So, solving this is pretty easy, even for newbies. But I agree that the
error message will not help someone without advanced knowledge. Although
I think people running Samba generally will know where to look for the
problem.



Re: Deltarpms for Rawhide?

2009-06-14 Thread Josh Boyer
On Sun, Jun 14, 2009 at 04:24:24PM +0300, Jonathan Dieter wrote:
>Are we no longer generating deltarpms in Rawhide?  Both the June 13 and
>June 14 composes no longer have the drpms directory.

No.  Bill sent out an email saying they were temporarily turned off because
part of the compose involved with it was taking waaay too long to spit out a
daily rawhide.

I believe Seth and Bill are working on this, and will re-enable it as soon as
they can.

josh



Re: Deltarpms for Rawhide?

2009-06-14 Thread Seth Vidal



On Sun, 14 Jun 2009, Michael Schwendt wrote:


> On Sun, 14 Jun 2009 07:52:04 -0700, Jesse wrote:
>
>> We are chasing a bug in the delta path that is making rawhide take
>> over 24 hours to compose.  For now, no deltas.
>
> Does the bug affect RPM Fusion, too?


is rpmfusion delta'ing 17000 pkgs? If not - then you should be okay.

-sv



Re: Deltarpms for Rawhide?

2009-06-14 Thread Seth Vidal



On Sun, 14 Jun 2009, Jonathan Dieter wrote:


> On Sun, 2009-06-14 at 07:52 -0700, Jesse Keating wrote:
>> On Jun 14, 2009, at 6:24, Jonathan Dieter  wrote:
>>
>>> Are we no longer generating deltarpms in Rawhide?  Both the June 13 and
>>> June 14 composes no longer have the drpms directory.
>>>
>>> Because of bandwidth issues, on our school's private mirror I normally
>>> rsync the drpms first, build the rpms, and then rsync everything.  I
>>> probably won't be able to mirror Rawhide if we're not generating
>>> deltarpms for it anymore.
>>>
>>> Jonathan
>>> --
>>
>> We are chasing a bug in the delta path that is making rawhide take
>> over 24 hours to compose.  For now, no deltas.
>
> Ok, that's great.  I was afraid it was a policy decision.  /me goes back
> to my quiet little corner.



I'm working on solving the problem. Concatenating unicode strings in 
python is a mere 6.9X slower than ascii strings. It's on my very short 
list to fix.


-sv



Re: What I HATE about F11

2009-06-14 Thread Lennart Poettering
On Sun, 14.06.09 17:10, Mathieu Bridon (bochecha) (boche...@fedoraproject.org) 
wrote:

> Look at it the other way.
> 
> The way it is done right now, you have a system that might give too
> few permissions to some users. If that causes a problem, you'll notice
> it, and you can correct it in a very simple way (uncomment one line
> and add a user to a group).
> 
> However, if we change the default, you have a system that may be
> giving too much permissions to some users depending on your taste. And
> the worse part is that you (as an admin) might not even know it !

Bikeshed!

Must be some weird stuff smoking admin who simply adds someone to the
wheel group not knowing what that group was for!

The purpose of the wheel group has always been to be used for more
privileged users.

http://en.wikipedia.org/wiki/Wheel_%28Unix_term%29
http://catb.org/~esr/jargon/html/W/wheel.html

Would be good if we'd actually make it work like that on Fedora.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/   GnuPG 0x1A015CC4



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jeroen van Meeuwen

On Sun, 14 Jun 2009 15:34:19 +, Jesse Keating 
wrote:
> On Sun, 2009-06-14 at 14:53 +, Robert 'Bob' Jensen wrote:
>> 
>> I appreciate the clarification from you and Matt on the request. As
>> you know Jesse my, and Unity's, goal has been for a while has been to
>> get Fedora in to the hands of as many people as possible with the
>> least amount of "pain." That is why we make the Re-Spins, it was why
>> we made the original Live media. I know and understand the extra man
>> hours required to properly test all the different varieties of media.
>> As I said Unity will produce CDs for those that need/want them should
>> RE or whoever decides that it is impractical for Fedora Project to
>> continue producing them. Another compromise I am sure that would work
>> for us is if you produced them, handed them off to us for testing and
>> distribution. 
>> 
> 
> My (mostly unfounded) worry is that Fedora Unity is reacting to requests
> without investigating the reasoning behind the request.  Think of this
> as the Henry Ford problem.  If all Henry Ford did was produce what his
> customers asked for, all we'd have right now is fast horses.  What we
> need to be doing is investigating why these people think they need split
> CDs, to be certain that there is no other offering within the Fedora
> universe that satisfies their needs.
> 
> Just producing it, somebody will download it, because they know no
> better, so having numbers that say "somebody wanted it" isn't enough in
> my book, and right now, I feel that the anaconda, qa, releng teams are
> being held hostage by Fedora Unity due to blanket claims of "if Fedora
> Project does not produce them Fedora Unity will".
> 

If Fedora Unity's motivation to continue a service to the community -at
its own expense, not yours- is holding you and the other teams hostage,
call S.W.A.T.

-Jeroen



Fwd: google-gadgets

2009-06-14 Thread Rahul Sundaram


 Original Message 
Subject: google-gadgets
Date: Sun, 14 Jun 2009 16:28:52 +0200
From: Eric Tanguy 
Reply-To: Community assistance, encouragement,  and advice for using
Fedora. 
To: Community assistance, encouragement,and advice for using Fedora.


Crash bug (#499139) seems to be open since a long time without any
reaction and a new release (0.11) is out since May 31. Someone have news
about this ?
Thanks
Eric



Re: What I HATE about F11

2009-06-14 Thread Matthew Garrett
On Sun, Jun 14, 2009 at 05:10:14PM +0200, Mathieu Bridon (bochecha) wrote:

> However, if we change the default, you have a system that may be
> giving too much permissions to some users depending on your taste. And
> the worse part is that you (as an admin) might not even know it !

The semantics of the wheel group are pretty well defined.

-- 
Matthew Garrett | mj...@srcf.ucam.org



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jesse Keating
On Sun, 2009-06-14 at 03:30 -0500, King InuYasha wrote:
> A script that takes the DVD image to produce the CD versions would basically
> require extracting the whole DVD image and then generating new ISOs from
> that tree. Maybe mirrors could do it if you want to save space on the main
> server or whatever.

That only serves to complicate matters for the users.  Good chunks of
our users have a hard enough time figuring out what to download, how to
burn it, and how to install it.  Adding in some weird script to take a
DVD.iso file and split it into many smaller files isn't going to help
matters, and certainly doesn't improve things for anaconda/qa/releng.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating



Re: What I HATE about F11

2009-06-14 Thread Jesse Keating
On Sun, 2009-06-14 at 15:59 +0100, Richard Fearn wrote:
> > We have the "wheel" group which would fit the bill.
> 
> Yeah, I always uncomment the %wheel line in sudoers and then add
> myself to that group.
> 
> Hmmm, having looked at the Features guidelines I'm not sure if this
> warrants a feature page or not. It would only involve a change to the
> default sudoers file, and a change to firstboot to add the first user
> to the wheel group.
> 
> Can someone from FESCo help out here? Should I make a feature page for
> this or not?
> 
> Thanks,
> 
> Rich
> 

You're going to be touching multiple packages, asking people to write
code for you, and needing to change documentation and user expectations.
I would warrant that this very much is a feature.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating



Re: Do we need split media CDs for F12?

2009-06-14 Thread Jesse Keating
On Sun, 2009-06-14 at 14:53 +, Robert 'Bob' Jensen wrote:
> 
> I appreciate the clarification from you and Matt on the request. As
> you know Jesse my, and Unity's, goal has been for a while has been to
> get Fedora in to the hands of as many people as possible with the
> least amount of "pain." That is why we make the Re-Spins, it was why
> we made the original Live media. I know and understand the extra man
> hours required to properly test all the different varieties of media.
> As I said Unity will produce CDs for those that need/want them should
> RE or whoever decides that it is impractical for Fedora Project to
> continue producing them. Another compromise I am sure that would work
> for us is if you produced them, handed them off to us for testing and
> distribution. 
> 

My (mostly unfounded) worry is that Fedora Unity is reacting to requests
without investigating the reasoning behind the request.  Think of this
as the Henry Ford problem.  If all Henry Ford did was produce what his
customers asked for, all we'd have right now is fast horses.  What we
need to be doing is investigating why these people think they need split
CDs, to be certain that there is no other offering within the Fedora
universe that satisfies their needs.

Just producing it, somebody will download it, because they know no
better, so having numbers that say "somebody wanted it" isn't enough in
my book, and right now, I feel that the anaconda, qa, releng teams are
being held hostage by Fedora Unity due to blanket claims of "if Fedora
Project does not produce them Fedora Unity will".

Looking around the "competition":
 Ubuntu - Live CD or DVD
 Mandriva - DVD, Live CD, or purchasable flash stick
 OpenSuSE - DVD, Live CD, or netinstall iso
 Gentoo - Single CD or Live image.  Mostly set to network install
 Debian - 31 CDs or 5 DVDs
 Slackware - 6 CDs or a DVD

So it seems only Debian and Slackware still dabble in split CDs,
everyone else has moved on to either a Live image, or a minimal install
iso that sets you up for network install.  We have both of those, a
plethora of Live images to choose from as well as a netinst.iso that
sets you up for a network install, and we have our DVD image.  Is that
truly not enough?

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating



Re: What I HATE about F11

2009-06-14 Thread Richard Fearn
> The way it is done right now, you have a system that might give too
> few permissions to some users. If that causes a problem, you'll notice
> it, and you can correct it in a very simple way (uncomment one line
> and add a user to a group).
>
> However, if we change the default, you have a system that may be
> giving too much permissions to some users depending on your taste. And
> the worse part is that you (as an admin) might not even know it !

I think uncommenting the line by default would be OK as on the two F11
systems I have the only user in the wheel group is root. I had to
manually add myself to wheel to get extra permissions.

If you install the system, you know the root password, so you can use
su to get a root prompt anyway.

So I suppose it comes down to whether we should be adding users to the
wheel group by default. I guess it could be a checkbox in firstboot...
"Allow this user to perform administrative tasks" or something. Then
administrators could choose whether or not to add the user to wheel.

> IMHO, stricter by default in such a case is better. It's easier to add
> permissions, open holes when you need them, rather than having to
> chase some opened-by-default holes you don't even know about.

I agree, but if this were an option in firstboot I think it would be obvious.

Rich



Re: Deltarpms for Rawhide?

2009-06-14 Thread Michael Schwendt
On Sun, 14 Jun 2009 07:52:04 -0700, Jesse wrote:

> We are chasing a bug in the delta path that is making rawhide take
> over 24 hours to compose.  For now, no deltas.

Does the bug affect RPM Fusion, too?



Re: What I HATE about F11

2009-06-14 Thread Frank Murphy

On 14/06/09 16:07, Orcan Ogetbil wrote:
> However I agree with you that samba is always a pain to set up on new
> systems. I do not hate it, but I wish this had been made easier.
> Logging into X as root? I can't comment on this as I didn't ever feel
> the need to do that. I didn't know it was prevented by a Nazi force.
> They probably have a very good reason.
>
> Peace,
> Orcan

Why not install ebox-platform?

Frank



Re: What I HATE about F11

2009-06-14 Thread Mathieu Bridon (bochecha)
>> We have the "wheel" group which would fit the bill.
>
> Yeah, I always uncomment the %wheel line in sudoers and then add
> myself to that group.
>
> Hmmm, having looked at the Features guidelines I'm not sure if this
> warrants a feature page or not. It would only involve a change to the
> default sudoers file, and a change to firstboot to add the first user
> to the wheel group.
>
> Can someone from FESCo help out here? Should I make a feature page for
> this or not?

Look at it the other way.

The way it is done right now, you have a system that might give too
few permissions to some users. If that causes a problem, you'll notice
it, and you can correct it in a very simple way (uncomment one line
and add a user to a group).

However, if we change the default, you have a system that may be
giving too many permissions to some users depending on your taste. And
the worst part is that you (as an admin) might not even know it!

IMHO, stricter by default in such a case is better. It's easier to add
permissions, open holes when you need them, rather than having to
chase some opened-by-default holes you don't even know about.


--

Mathieu Bridon (bochecha)
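
An added example, not part of the original message or of any Fedora tool: a small audit for the "holes you don't even know about" concern, listing which accounts would gain sudo rights once a `%wheel` line is active, including users whose primary group is wheel and who therefore never appear in the group's member list. The file contents are constructed samples, the function names are hypothetical, and the parser deliberately ignores sudoers aliases, includes and line continuations.

```python
import re

# Constructed sample files (not taken from a real host).
SUDOERS = """\
root    ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
"""
GROUP = "root:x:0:root\nwheel:x:10:root,rich\nusers:x:100:\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "rich:x:500:500::/home/rich:/bin/bash\n"
          "ops:x:501:10::/home/ops:/bin/bash\n")
ENABLED = SUDOERS.replace("# %wheel", "%wheel", 1)  # first rule uncommented

WHEEL_RULE = re.compile(r"^\s*%wheel\s+(?P<spec>.+)$")

def active_wheel_rules(sudoers_text):
    """Return the uncommented %wheel rules (text after the group name)."""
    rules = []
    for line in sudoers_text.splitlines():
        m = WHEEL_RULE.match(line)  # lines starting with '#' never match
        if m:
            rules.append(" ".join(m.group("spec").split()))
    return rules

def wheel_members(group_text, passwd_text):
    """Users in wheel: listed members plus users whose primary GID is wheel's."""
    members, wheel_gid = set(), None
    for line in group_text.splitlines():
        name, _pw, gid, users = line.split(":")
        if name == "wheel":
            wheel_gid = gid
            members.update(u for u in users.split(",") if u)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if wheel_gid is not None and fields[3] == wheel_gid:
            members.add(fields[0])
    return members

def audit(sudoers_text, group_text, passwd_text):
    """Map each non-root wheel user to the sudo rules that currently apply."""
    rules = active_wheel_rules(sudoers_text)
    users = wheel_members(group_text, passwd_text) - {"root"}
    return {u: rules for u in sorted(users)} if rules else {}

if __name__ == "__main__":
    print("shipped default:", audit(SUDOERS, GROUP, PASSWD))
    print("%wheel enabled: ", audit(ENABLED, GROUP, PASSWD))
```

On a live host, `sudo -l -U <user>` gives sudo's own evaluation of the full policy and is the authoritative check.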



Re: What I HATE about F11

2009-06-14 Thread Orcan Ogetbil
On Sat, Jun 13, 2009 at 10:19 PM, Charles Butterfield wrote:
> Okay, so I mostly love Fedora.  However, here are 4 things that got my blood
> really, really boiling, so I thought I’d share my emotions.  They are mostly
> policy issues, where I think you have gotten it very very wrong.
>

Do yourself a favor. Don't hate things. Hate is not a healthy emotion.
As master Yoda says, "... hate leads to suffering.".

However I agree with you that samba is always a pain to set up on new
systems. I do not hate it, but I wish this had been made easier.
Logging into X as root? I can't comment on this as I didn't ever feel
the need to do that. I didn't know it was prevented by a Nazi force.
They probably have a very good reason.

Peace,
Orcan



Re: Deltarpms for Rawhide?

2009-06-14 Thread Jonathan Dieter
On Sun, 2009-06-14 at 07:52 -0700, Jesse Keating wrote:
> 
> On Jun 14, 2009, at 6:24, Jonathan Dieter wrote:
> 
> > Are we no longer generating deltarpms in Rawhide?  Both the June 13 and
> > June 14 composes no longer have the drpms directory.
> >
> > Because of bandwidth issues, on our school's private mirror I normally
> > rsync the drpms first, build the rpms, and then rsync everything.  I
> > probably won't be able to mirror Rawhide if we're not generating
> > deltarpms for it anymore.
> >
> > Jonathan
> > --
> 
> We are chasing a bug in the delta path that is making rawhide take
> over 24 hours to compose.  For now, no deltas.

Ok, that's great.  I was afraid it was a policy decision.  /me goes back
to my quiet little corner.

Jonathan



Re: What I HATE about F11

2009-06-14 Thread Richard Fearn
> We have the "wheel" group which would fit the bill.

Yeah, I always uncomment the %wheel line in sudoers and then add
myself to that group.

Hmmm, having looked at the Features guidelines I'm not sure if this
warrants a feature page or not. It would only involve a change to the
default sudoers file, and a change to firstboot to add the first user
to the wheel group.

Can someone from FESCo help out here? Should I make a feature page for
this or not?

Thanks,

Rich
