Re: security update process failure
On Tuesday, September 06, 2011 09:02:17 AM Chuck Anderson wrote:
> On Tue, Sep 06, 2011 at 08:57:01AM -0400, Genes MailLists wrote:
> > libcap provides posix capabilities support - fair question would be
> > how to get a list of applications which use libcap stuff it provides.
> >
> > rpm -q -l libcap
> >
> > shows these are provided:
> >
> > /lib64/libcap.so.2
> > /lib64/libcap.so.2.17
> > /lib64/security/pam_cap.so
> > /usr/sbin/capsh
> > /usr/sbin/getcap
> > /usr/sbin/getpcaps
> > /usr/sbin/setcap
> >
> > One could troll all binaries on the system asking which ones employ
> > libcap.so.2 using ldd - and perhaps egrep for calls to getcap and the
> > like ...
> >
> > I suspect someone has or has written a tool to catalog these things -
> > anyone?
>
> repoquery --whatrequires libcap

# rpm -q --whatrequires 'libcap.so.2()(64bit)'

-Steve
--
test mailing list
test@lists.fedoraproject.org
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
Re: security update process failure
On 09/06/2011 07:57 AM, Genes MailLists wrote:
> I suspect someone has or has written a tool to catalog these things -
> anyone?

# lsof | grep libcap.so
Re: security update process failure
On Tue, Sep 06, 2011 at 08:57:01AM -0400, Genes MailLists wrote:
> libcap provides posix capabilities support - fair question would be
> how to get a list of applications which use libcap stuff it provides.
>
> rpm -q -l libcap
>
> shows these are provided:
>
> /lib64/libcap.so.2
> /lib64/libcap.so.2.17
> /lib64/security/pam_cap.so
> /usr/sbin/capsh
> /usr/sbin/getcap
> /usr/sbin/getpcaps
> /usr/sbin/setcap
>
> One could troll all binaries on the system asking which ones employ
> libcap.so.2 using ldd - and perhaps egrep for calls to getcap and the
> like ...
>
> I suspect someone has or has written a tool to catalog these things -
> anyone?

repoquery --whatrequires libcap

To verify this update, I just ran the setcap and getcap commands and
checked their results.
Re: security update process failure
> On Sun, 2011-09-04 at 23:14 -0400, Chuck Anderson wrote:
>
>> I need guidance. I've installed the F14 libcap from updates-testing.
>> I have no idea if it works or how to test it--it doesn't appear to
>> "break" anything as far as normal operation of my system. Is that
>> good enough to give +1 karma to the package? If not, it would be
>> helpful if the maintainer would put instructions in the update text
>> saying how to test the update.
>>

libcap provides posix capabilities support - fair question would be
how to get a list of applications which use libcap stuff it provides.

rpm -q -l libcap

shows these are provided:

/lib64/libcap.so.2
/lib64/libcap.so.2.17
/lib64/security/pam_cap.so
/usr/sbin/capsh
/usr/sbin/getcap
/usr/sbin/getpcaps
/usr/sbin/setcap

One could troll all binaries on the system asking which ones employ
libcap.so.2 using ldd - and perhaps egrep for calls to getcap and the
like ...

I suspect someone has or has written a tool to catalog these things -
anyone?
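Added example (not part of the thread and not a Fedora tool): one way to do the binary scan proposed in the message above, reading each file's dynamic section with readelf instead of running ldd. The function names, variable names and the directory list in the usage comment are assumptions for illustration; the soname is the one from the rpm listing.

```shell
#!/bin/sh
# Added example, not from the thread: catalog ELF files that link a library.
# readelf -d only parses the dynamic section. ldd may run the file's ELF
# interpreter, so its man page warns against using it on untrusted files.

LIB_DEFAULT='libcap.so.2'   # soname from the "rpm -q -l libcap" listing

# needs_lib FILE [SONAME]
# Succeeds if FILE is an ELF object with a DT_NEEDED entry for SONAME.
needs_lib() {
    nl_file=$1
    nl_soname=${2:-$LIB_DEFAULT}
    readelf -d "$nl_file" 2>/dev/null |
        grep -F '(NEEDED)' | grep -qF "[$nl_soname]"
}

# catalog_users SONAME DIR...
# Prints every regular file under DIR... that directly needs SONAME.
# Direct links only: a program that reaches the library through dlopen()
# (for example via a PAM module) has no DT_NEEDED entry and is not listed.
catalog_users() {
    cu_soname=$1
    shift
    find "$@" -xdev -type f 2>/dev/null | while IFS= read -r cu_file; do
        if needs_lib "$cu_file" "$cu_soname"; then
            printf '%s\n' "$cu_file"
        fi
    done
}

# Run as: sh catalog.sh /bin /sbin /usr/bin /usr/sbin /lib64 /usr/lib64
# (the script name and directory list are assumptions for illustration)
if [ "$#" -gt 0 ]; then
    catalog_users "$LIB_DEFAULT" "$@" | sort
fi
```

Passing the resulting paths to `rpm -qf` maps them back to the packages that own them, which can be compared with the `--whatrequires` answers given in the replies.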
Re: security update process failure
On Sun, 2011-09-04 at 23:14 -0400, Chuck Anderson wrote:
> I need guidance. I've installed the F14 libcap from updates-testing.
> I have no idea if it works or how to test it--it doesn't appear to
> "break" anything as far as normal operation of my system. Is that
> good enough to give +1 karma to the package? If not, it would be
> helpful if the maintainer would put instructions in the update text
> saying how to test the update.
>
> So, I guess what I'm asking is, is it ok to give +1 to any/all
> packages if they work at all/we don't notice any regressions, or do we
> have to actually test what they are supposed to fix?

It kinda varies update to update, which I know is tricky to deal with.
For critical path updates, the critical issue is 'does it break the
critpath' - but you do have to check exactly what the package does. For
instance, a package which deals with network authentication might break
login for people who use network auth, but you won't notice if you only
have a local user account.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: security update process failure
On 05.09.2011 05:14, Rahul Sundaram wrote:
> On 09/05/2011 02:31 AM, Karsten Hopp wrote:
> > Hi !
> >
> > I'd call it a failure when a security update for a critical path
> > package gets stuck in -updates-testing for 6 weeks. I'm talking about
> > the F14 libcap update, where only one proventester cared to test the
> > updated package and commented on it.
>
> You should file this issue with FESCo and ask for an amended policy
>
> Rahul

https://fedorahosted.org/fesco/ticket/664
Re: security update process failure
On Mon, Sep 05, 2011 at 08:48:07AM +0530, Rahul Sundaram wrote:
> On 09/05/2011 08:44 AM, Chuck Anderson wrote:
> > So, I guess what I'm asking is, is it ok to give +1 to any/all
> > packages if they work at all/we don't notice any regressions, or do we
> > have to actually test what they are supposed to fix? Thanks.
>
> It is ok to +1 if you don't notice any regressions. It would be very
> helpful to explicitly mention what you tested however.

Thanks. I just did a fedora-easy-karma run through most of the F14
critical-path updates and many non-critical ones as well.
Re: security update process failure
On 09/05/2011 08:44 AM, Chuck Anderson wrote:
> So, I guess what I'm asking is, is it ok to give +1 to any/all
> packages if they work at all/we don't notice any regressions, or do we
> have to actually test what they are supposed to fix? Thanks.

It is ok to +1 if you don't notice any regressions. It would be very
helpful to explicitly mention what you tested however.

Rahul
Re: security update process failure
On Sun, Sep 04, 2011 at 05:34:43PM -0700, Adam Williamson wrote:
> On Sun, 2011-09-04 at 23:01 +0200, Karsten Hopp wrote:
> > Hi !
> >
> > I'd call it a failure when a security update for a critical path
> > package gets stuck in -updates-testing for 6 weeks. I'm talking about
> > the F14 libcap update, where only one proventester cared to test the
> > updated package and commented on it.
> > Sure, it is only a minor security issue, but shouldn't security
> > updates have priority in testing over any pet packages you have ?
> > Security updates certainly take preference for me as I'm trying to
> > get them submitted as early as possible. But when a package sits in
> > -testing for such a long time I need to ask myself why I should
> > bother with doing timely security updates at all.
>
> The problem is really that not enough people test old releases. Barely
> any proventesters are on F14. If you look it's hardly just your update
> that's waiting on karma, there are quite a few waiting for F14.
>
> I've had 'do f14 karma' on my todo list for about a week and a half, but
> f16 keeps eating the time.
>
> I've mentioned this several times and floated a few ideas to fix it (as
> have others), but they haven't really gone anywhere. I haven't seen any
> indication that FESCo (which defined the update requirements - it's not
> a QA thing) considers it a big problem.

I need guidance. I've installed the F14 libcap from updates-testing.
I have no idea if it works or how to test it--it doesn't appear to
"break" anything as far as normal operation of my system. Is that
good enough to give +1 karma to the package? If not, it would be
helpful if the maintainer would put instructions in the update text
saying how to test the update.

So, I guess what I'm asking is, is it ok to give +1 to any/all
packages if they work at all/we don't notice any regressions, or do we
have to actually test what they are supposed to fix? Thanks.
Re: security update process failure
On 09/05/2011 02:31 AM, Karsten Hopp wrote:
> Hi !
>
> I'd call it a failure when a security update for a critical path
> package gets stuck in -updates-testing for 6 weeks. I'm talking about
> the F14 libcap update, where only one proventester cared to test the
> updated package and commented on it.

You should file this issue with FESCo and ask for an amended policy

Rahul
Re: security update process failure
On Mon, Sep 5, 2011 at 1:34 AM, Adam Williamson wrote:
> On Sun, 2011-09-04 at 23:01 +0200, Karsten Hopp wrote:
>> Hi !
>>
>> I'd call it a failure when a security update for a critical path
>> package gets stuck in -updates-testing for 6 weeks. I'm talking about
>> the F14 libcap update, where only one proventester cared to test the
>> updated package and commented on it.
>> Sure, it is only a minor security issue, but shouldn't security
>> updates have priority in testing over any pet packages you have ?
>> Security updates certainly take preference for me as I'm trying to
>> get them submitted as early as possible. But when a package sits in
>> -testing for such a long time I need to ask myself why I should
>> bother with doing timely security updates at all.
>
> The problem is really that not enough people test old releases. Barely
> any proventesters are on F14. If you look it's hardly just your update
> that's waiting on karma, there are quite a few waiting for F14.
>
> I've had 'do f14 karma' on my todo list for about a week and a half, but
> f16 keeps eating the time.
>
> I've mentioned this several times and floated a few ideas to fix it (as
> have others), but they haven't really gone anywhere. I haven't seen any
> indication that FESCo (which defined the update requirements - it's not
> a QA thing) considers it a big problem.

One thing I have noticed is that once an update hits the 2 week "old
update" period they seem to drop off the updates email that goes out
and lists the updates that still need testing, is there a reason for
that?

Peter
Re: security update process failure
On Sun, 2011-09-04 at 23:01 +0200, Karsten Hopp wrote:
> Hi !
>
> I'd call it a failure when a security update for a critical path
> package gets stuck in -updates-testing for 6 weeks. I'm talking about
> the F14 libcap update, where only one proventester cared to test the
> updated package and commented on it.
> Sure, it is only a minor security issue, but shouldn't security
> updates have priority in testing over any pet packages you have ?
> Security updates certainly take preference for me as I'm trying to
> get them submitted as early as possible. But when a package sits in
> -testing for such a long time I need to ask myself why I should
> bother with doing timely security updates at all.

The problem is really that not enough people test old releases. Barely
any proventesters are on F14. If you look it's hardly just your update
that's waiting on karma, there are quite a few waiting for F14.

I've had 'do f14 karma' on my todo list for about a week and a half, but
f16 keeps eating the time.

I've mentioned this several times and floated a few ideas to fix it (as
have others), but they haven't really gone anywhere. I haven't seen any
indication that FESCo (which defined the update requirements - it's not
a QA thing) considers it a big problem.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net