Re: Intro

2008-07-29 Thread Neo Reeves
Thanks Mike, actually I am interested in programming but I have no idea
whether my current level of programming skills would be of much help for the
current developers involved.

- Neo

On Tue, Jul 29, 2008 at 1:54 AM, Mike McGrath [EMAIL PROTECTED] wrote:

 On Mon, 28 Jul 2008, Neo Reeves wrote:

  Hello everyone,
 
  My name is Mohamed Sameeh and I am one of the Fedora Ambassadors for
  Maldives. I've been in the Linux World since Redhat 9 and I've been in
  the field of IT for over 5 years now. During the course I have
  administered Linux Mail Servers, High Traffic Web Servers with MySQL and
  Oracle back ends, Linux NAT Firewall/Routers. I have a good understanding
  of Internet and Networking along with a handful of programming skills.
 
  I am CompTIA Network+ and CCNA certified. And I currently work for the
  government of Maldives.
 
  I have programming skills in PHP, Perl, C and Shell Scripts. Here are
  links to some of the scripts that I have written:
 
  A simple script I wrote to backup a NAT/Firewall -
  http://blog.fourthirty.org/wp-content/uploads/2008/05/bacup.pl
  Another script I wrote to get a dump of my telephone company's phone
  records from their website -
  http://blog.fourthirty.org/wp-content/uploads/2008/05/edir.pl
 
  I am fairly good with Visual Basic too in case some programming for Mono
  is needed.
 
  I often program small scripts for the servers I manage to perform
  specific tasks. But I don't think that I am a pro at Programming or a
  master in System Administration. But I would like to offer all help I
  could to the Fedora Project as time and my knowledge permits me. I am
  eager to learn and am always working on ways to improve my various
  skills in the IT field. So if any of you think that I could be of
  assistance to you please let me know. It would be an honor to give my
  best input in it.
 

 Welcome Neo, is there a specific area you were interested in?  Just the
 Infrastructure team in general or in programming, documentation, etc?

-Mike

 ___
 Fedora-infrastructure-list mailing list
 Fedora-infrastructure-list@redhat.com
 https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list




-- 
.:: BELIEVE THE UNBELIEVABLE ::.
___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list


Re: Intro

2008-07-29 Thread Mike McGrath
On Tue, 29 Jul 2008, Neo Reeves wrote:

 Thanks Mike, actually I am interested in programming but I have no idea 
 whether my current level of programming skills
 would be of much help for the current developers involved.


Well I'd say start looking at bugs for some of your favorite apps and get
to submitting patches.  There's almost certainly some simple bugs out
there just waiting so you can get comfortable with the process.  Then you
can challenge yourself with more difficult bugs.


-Mike



Re: Intro

2008-07-29 Thread Neo Reeves
Thnx, Will do.

-Neo

On Tue, Jul 29, 2008 at 6:30 PM, Mike McGrath [EMAIL PROTECTED] wrote:

 On Tue, 29 Jul 2008, Neo Reeves wrote:

  Thanks Mike, actually I am interested in programming but I have no idea
  whether my current level of programming skills would be of much help for
  the current developers involved.
 

 Well I'd say start looking at bugs for some of your favorite apps and get
 to submitting patches.  There's almost certainly some simple bugs out
 there just waiting so you can get comfortable with the process.  Then you
 can challenge yourself with more difficult bugs.


-Mike





-- 
.:: BELIEVE THE UNBELIEVABLE ::.


EnableSendfile on koji

2008-07-29 Thread Matthew Galgoci

Can someone please check and let me know what the EnableSendfile setting is on
the koji apache configs?

Thanks!

-- 
Matthew Galgoci
Network Operations
Red Hat, Inc
919.754.3700 x44155



Review Request

2008-07-29 Thread Mike McGrath
Bret has been working on a package for deployment in Fedora
Infrastructure.  Anyone care to fast track it?

https://bugzilla.redhat.com/457060

-Mike



Re: YUM security issues...

2008-07-29 Thread Justin Cappos
I was wondering if any changes have been made or are planned for
MirrorManager (i.e. preventing mirrors from arbitrarily grabbing parts
of the address space).   We're submitting the final version of our
paper soon (the version that will appear in print) and I'd like to
include any updates about this.

Thanks,
Justin


On Fri, Jul 25, 2008 at 6:11 PM, Josh Bressers [EMAIL PROTECTED] wrote:
 On 25 July 2008, Matt Domsch wrote:
 On Fri, Jul 25, 2008 at 01:52:26PM -0400, Josh Bressers wrote:
  That's a lot of IPs though.  Can I request multiple /16s, or only one?

 As many as you like.  And recall, such changes are made using your FAS
 credentials.

 Are these ever checked?  Does say a mail get generated every time someone
 adds one of these?  My fear would be that someone could blanket quite a
 large IP space without anyone noticing.  Granted that would no doubt
 generate a huge volume of traffic, but if they're serving up a frozen repo,
 they probably won't be pushing all that much data.


  How many mirrors are doing this?

 374 total Hosts
 185 have at least 1 netblock entry
 94 of these are private - don't serve the public


 wow, that's quite a few.  I wasn't expecting numbers this high honestly.


  Does the mirror have to be part of the /16 to request it?

 no.  Take for example Dell's mirrors.  Netblock 143.166/16 is Dell US,
 but the mirror IPs are located inside the 10/8 private space.


 OK, so here is the problem the way I see it, signing the repository won't
 fix it.  I'll try to explain this clearly, Justin can yell at me if I've
 gotten any of this wrong.

 So let's say Mallory (the bad guy) decides that he wants to host a
 malicious mirror and wait for a nasty security flaw.  He sets up his mirror
 and even claims some IP subnets to serve.  Bob and Alice are happily
 installing valid updates from him for some period of time.  Since Mallory
 has claimed to serve a specific subnet, he has a rather impressive view of
 what Bob and Alice have installed.

 Now let's say there is a horrible security bug found in a mail server.
 Mallory knows for a fact that Bob and Alice both have it installed as he's
 been their mirror for a while.  Mallory stops updating his mirror, so none
 of the users being served will get the mail server updates.  Mallory also
 knows the IP address of the vulnerable clients and can easily break into
 their systems.

 So from what I understand MirrorManager will check on the mirrors to ensure
 they're not out of date.  Mallory knows this and makes sure that when
 MirrorManager connects to his mirror, it lies and serves up current
 metadata.


 So here is the problem.  The repodata was valid.  The packages are signed.
 Even if we sign the repodata, this attack works.  Being able to acquire an
 IP block simply makes this attack easier to do.  It's still very possible
 that a bad mirror will wait for users to connect, serve up old content then
 use this knowledge to break into their system.

 What this problem boils down to, is we need a way for clients to ask
 MirrorManager what the current valid repo data is.  Ideally we want the
 results to be signed in some manner so it can't be spoofed.

 Some thoughts I've had are:

 1) Have MirrorManager use https and return some repo verification data.
 2) Sign the repo data, and if it's older than X, don't use it (I don't like
    this solution, but it's probably the easiest, just push out a new
    signed repo file once a day, even if nothing changes.)
 3) Always get repo data from fedoraproject.org (probably not practical due
    to resource issues)
 4) use DNS, have the client query
    repodata sha1sum.repo.fedoraproject.org
    if the lookup fails, the repo is invalid.  (this is really cheap from a
    resource standpoint, but hard to do technically)
 5) ???

 Thanks.

 --
JB


___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
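
Option 2 from the list in the message above (signed repo data that the client rejects once it is older than X), as an added example that is not part of the original thread and is not yum or MirrorManager code. HMAC-SHA256 stands in for a real public-key signature, and the key, field names, sample data and 24-hour limit are all assumptions.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 stands in for a real public-key signature so the
# example runs with the standard library only.
SIGNING_KEY = b"constructed-demo-key"
MAX_AGE = 24 * 3600  # "X" from option 2; one day is an assumed value


def sign_metadata(repomd_sha1, issued_at, key=SIGNING_KEY):
    """Project side: bind the repodata checksum to an issue time."""
    body = json.dumps({"repomd_sha1": repomd_sha1, "issued_at": issued_at},
                      sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def check_metadata(signed, served_repomd, now, key=SIGNING_KEY):
    """Client side: return 'ok', 'bad-signature', 'mismatch' or 'stale'."""
    expected = hmac.new(key, signed["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return "bad-signature"
    fields = json.loads(signed["body"])
    if hashlib.sha1(served_repomd).hexdigest() != fields["repomd_sha1"]:
        return "mismatch"
    # A frozen mirror passes both checks above: its old metadata is
    # genuinely signed. Only the age check catches it.
    if now - fields["issued_at"] > MAX_AGE:
        return "stale"
    return "ok"


# Constructed sample: a mirror that stopped updating at T0.
T0 = 1217289600
OLD_REPOMD = b"<repomd>mailserver-1.0</repomd>"
FROZEN = sign_metadata(hashlib.sha1(OLD_REPOMD).hexdigest(), T0)

if __name__ == "__main__":
    print(check_metadata(FROZEN, OLD_REPOMD, now=T0 + 3600))       # ok
    print(check_metadata(FROZEN, OLD_REPOMD, now=T0 + 3 * 86400))  # stale
```

The issue time has to be inside the signed body; a timestamp carried outside the signature could simply be rewritten by the mirror.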


x86-8 is offline for a while

2008-07-29 Thread Mike McGrath

I'm getting some of the composer stuff ready for ticket #652

-Mike
