Re: [CentOS] Last few days in CentOS

2015-07-29 Thread Zdenek Sedlak
On 07/29/2015 11:53 PM, Karanbir Singh wrote:
> On 29/07/15 22:04, Peter wrote:
>> On 07/30/2015 07:13 AM, Zdenek Sedlak wrote:
>>> BTW do you have any news about the CentOS 7 32-bit, discussed some time
>>> around CentOS 7 release?
>> Yes, there's a beta out for the past month or so:
>> http://lists.centos.org/pipermail/centos-devel/2015-June/013426.html
>>
> the biggest blocker to going GA on the x86 build is the kernel; the
> distro kernel we end up with isn't going to be the same as the upstream
> x86_64 kernel configs. However, there hasn't been a huge level of
> feedback ( either positive or negative ) around those builds. So if you
> are using it, or are interested in using it - do take the distro out for
> a spin and let us know!
>
> Regards,
>
Thanks, will do!

//Zdenek
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Last few days in CentOS

2015-07-29 Thread Peter
On 07/30/2015 11:20 AM, Ian Pilcher wrote:
> I'm pretty sure that I posted this back when the beta was announced, but
> it seems to work just fine on my fanless VIA C7 firewall/router/proxy/
> IPA/CUPS/Asterisk box.  I've been waiting impatiently for this to go GA
> ever since, so I can start seriously bugging the EPEL guys.

I've been trying to bug them, but they don't seem to be interested to
even look into it until CentOS 7 goes to GA.

Anyways, if you're interested in it now, I've rebuilt *some* of the epel
packages for i686 here (just for my personal use but I make them
available in case someone else might benefit):
http://pajamian.dhs.org/repos/el/7/epel/i386/


Re: [CentOS] rsyslog.conf

2015-07-29 Thread Chuck Campbell

On 7/23/2015 12:15 PM, m.r...@5-cent.us wrote:

Leon Fauster wrote:

On 23.07.2015 at 18:06, "Valeri Galtsev" wrote:

On Thu, July 23, 2015 10:45 am, Johnny Hughes wrote:

The main reason actually is chronological order.  But not just for the
reply .. but for IN-LINE posting.

In a discussion where you need to make points in-line and where you
only need some of and not all of the other posts, something that
happens frequently on mailing lists, it is very much easier to read
that type of collaborated message in chronological order.

I mean, you don't read a book or a newspaper article or a blog post
from bottom to top, right?  Why would you read communications from
bottom to top?  And it is not really even bottom to top.  If
you take 4 emails of 10 lines each (and 40 lines total)  .. it
is 75% down to 100% (original mail)... then up to 50% and read
down to 75% (2nd mail), then up to 25% and read down to 50%, then
up to 0% and read down to 25%.  What if someone made you read blog
posts that way, or books or newspaper articles?

OK, the shortest I can re-formulate your message is: on mail lists we
are collectively writing the book for someone else to read (much less
communicating with each other in real time ;-) Any accepted convention
is better than no convention: save everybody's time. Suits me (as
far as mail lists are concerned).

I consider email as an asynchronous communication,
therefore "book style convention" is recommended.

Yup. We're writing electronic *mail*, not text messages (here, you've got
140 char, tell me everything you know), and you don't have a two-line
pager screen. I see it as a slo-mo group conversation, and top-posting
is like the person who suddenly utters a non sequitur, louder than everyone
else is speaking.

 mark


Add to the above that on every phone I've ever used, new texts appear below 
older ones (no top posting there either).


-chuck

--



Re: [CentOS] why no recent bind update for CentOS 6?

2015-07-29 Thread Nathan Duehr
> 
> On Jul 29, 2015, at 18:20, Nathan Duehr  wrote:
> 
>> On Jul 28, 2015, at 18:48, Peter  wrote:
>> 
>> On 07/29/2015 11:51 AM, Noam Bernstein wrote:
>>> Hi CentOS developers - I’ve been happily using CentOS for several
>>> years now, so thanks for all the good work.  In the last week,
>>> however, I noticed that while the items in RHSA-2015:1443 have shown
>>> up as updates (and announced on centos-announce), the analogous
>>> update for CentOS 6, RHSA-2015:1471 (according to
>>> https://access.redhat.com/security/cve/CVE-2015-4620), doesn’t seem
>>> to be there.  Is there any reason why those of us using CentOS 6 are
>>> left behind, and/or any idea when a CentOS 6 bind update will be
>>> available?
>> 
>> It's currently in the CentOS CR repository and will be released when
>> CentOS 6.7 drops soon.  If you want it now then just enable cr and
>> you'll get it with yum update:
>> http://wiki.centos.org/AdditionalResources/Repositories/CR
> 
> Why didn’t it just go into CentOS 6.6 like a dozen other packages this week?

Disregard, I guess for whatever reason when a new dot-release is going on, 
things go into CR, but otherwise they go into the dot-release.  Or so I just 
read in the notes about the current repo state.

Yay, another goofy annoying thing to remember and another thing to go add to 
ansible code to deploy and undeploy this goofy CR repo, just to check machines 
properly for security updates. 

Not that I don’t love ya, volunteers, but I really hate waiting on security 
updates while they bounce through CR… that doesn’t make any sense at all.  Bug 
fixes, sure… security, no.

Nate


Re: [CentOS] why no recent bind update for CentOS 6?

2015-07-29 Thread Nathan Duehr
> On Jul 28, 2015, at 18:48, Peter  wrote:
> 
> On 07/29/2015 11:51 AM, Noam Bernstein wrote:
>> Hi CentOS developers - I’ve been happily using CentOS for several
>> years now, so thanks for all the good work.  In the last week,
>> however, I noticed that while the items in RHSA-2015:1443 have shown
>> up as updates (and announced on centos-announce), the analogous
>> update for CentOS 6, RHSA-2015:1471 (according to
>> https://access.redhat.com/security/cve/CVE-2015-4620), doesn’t seem
>> to be there.  Is there any reason why those of us using CentOS 6 are
>> left behind, and/or any idea when a CentOS 6 bind update will be
>> available?
> 
> It's currently in the CentOS CR repository and will be released when
> CentOS 6.7 drops soon.  If you want it now then just enable cr and
> you'll get it with yum update:
> http://wiki.centos.org/AdditionalResources/Repositories/CR

Why didn’t it just go into CentOS 6.6 like a dozen other packages this week?

--
Nate Duehr
denverpi...@me.com


Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Nathan Duehr

> On Jul 28, 2015, at 6:32 PM, Warren Young  wrote:
> 
> On Jul 28, 2015, at 4:37 PM, Nathan Duehr  wrote:
>> 
>>> On Jul 28, 2015, at 11:27, Warren Young  wrote:
>>> 
>>> So no, your local password quality policy is not purely your own concern.
>> 
>> Other than DDoS which is a problem of engineering design of how the network 
>> operates (untrusted anything can talk to untrusted anything)
> 
> I’m not sure how you mean that comment.
> 
> If you’re saying that the Internet is badly designed and that we need to rip 
> it up and replace it before we can address DDoSes, you’re trying to boil the 
> ocean.  We have real-world practical solutions available to us that do not 
> require a complete redesign of the Internet.  One of those is to tighten down 
> CentOS boxes so they don’t get coopted into botnets.
> 
> If instead you’re saying that DDoSes are solvable with “just” a bit of 
> engineering, then that’s wrong, too.  It takes a really big, expensive slice 
> of a CDN or similar to choke down a large DDoS attack.  I do not accept that 
> as a necessary cost of doing business.  That’s like a 1665 Londoner insisting 
> that city planning can only be done with close-packed wooden buildings.
> 
> I don’t believe that the Internet must go through the equivalent of the Great 
> Fire of 1666 before we can put our critical tech onto a more survivable 
> foundation.


You accepted that risk the day you put a public machine on it.  He who has the 
most bandwidth, wins, in a DDoS.  It’s the very nature of the network design.  
Anyone who can fill your pipe with garbage can take you offline until they 
stop.  You can ask for help from the carriers and see how far you get, but the 
inherent risk was there from day one and you choose to play.


>> what “risk” is created to other people’s machines who have done appropriate 
>> security measures by a cracked machine owned by an idiot
> 
> Resource waste is enough by itself.  How many billions of dollars goes into 
> extra bandwidth, CDN fees, security personnel, security appliances, etc., all 
> to solve a problem that is not necessary to the design of the Internet in the 
> first place?
> 
> Back before the commercialization of the Internet, if your box was found to 
> be attempting to DoS another system, you’d be cut off the Internet.  No 
> appeal, no mercy.  It’s all /dev/null for you.
> 
> Now we have entrenched commercial interests that get paid more when you get 
> DDoS’d.  I’ll give you one guess what happens in such a world.


What happens? Folks have to think harder about connecting stuff to a worldwide 
untrusted, and generally unfiltered network?  One word: “Duh.”


> 
>> easily handled in minutes, if not seconds, by fail2ban?
> 
> fail2ban isn’t in the stock package repo for CentOS 7, much less installed 
> and configured default.  Until it is, it’s off-topic for this thread.
> 
> Mind, I’m all for fail2ban.  If Fedora/Red Hat want to start turning it on by 
> default, too, that’s great.  


Didn’t realize that. Brilliant move, removing it… (rolls eyes at RH)…


> 
>> Equating this to “vaccination” is a huge stretch.
> 
> Why?  If you are unvaccinated and catch some preventable communicable 
> disease, you begin spreading it around, infecting others.  This is exactly 
> analogous to a box getting pwned, joining a botnet, and attempting to pwn 
> other boxes.
> 
> When almost everyone is vaccinated, you get an effect called herd immunity, 
> which means that even those few who cannot be vaccinated for some valid 
> medical reason are highly unlikely to ever contract the disease because it 
> cannot spread properly through the population.


It’s not a disease. It’s someone using their machine for them because they’re 
too dumb to use a decent password.  Nothing at all happens to the people who 
used decent passwords other than that aforementioned DDoS problem, which is 
completely unrelated.  You’re making it sound like the OS should be responsible 
for dumb people… problem with that is, the dumber you let them be, the dumber 
they stay.  And without any harm to the “neighbor” who “pre-vaccinated” I 
guess, in your world, by simply typing in a decent password, what’s the point? 
Let them lose data, and they’ll learn.


>> It’s more like saying the guy who left his front door unlocked all day is a 
>> threat to the neighbor’s house.
> 
> That’s only true in a world where you have armed gangs running through the 
> streets looking for free fortifications from which to attack neighboring 
> houses.  That is the analogous situation to the current botnet problem.
> 
> If that were our physical security situation today, then I would be 
> advocating fortifying our physical dwellings, too.
> 
> Thankfully, that is not the case where I live.
> 
> The difference appears to be one of global society, rather than technology, 
> but obviously we aren’t going to solve any of that here.


Global society hasn’t changed, and neither has the network in decades.  Why 
should 

Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Chris Murphy
On Wed, Jul 29, 2015 at 4:37 PM, Warren Young  wrote:

> Security is *always* opposed to convenience.

False. OS X by default runs only signed binaries, and if they come
from the App Store they run in a sandbox. Users gain significant
security with this, and are completely unaware of it. There is no
inconvenience.

What is the inconvenience of encrypting your device compared to the
security? Zero vs a ton more secure (either when turned off and data
is at rest or a remote kill that makes it very fast to effectively
wipe all data)


> I’m still not seeing how it’s difficult to remember, securely record, type, 
> or transcribe a password that will pass the new restrictions.  They’re on the 
> mild side, as these things go.

I disagree to the point I'd stop using products based on such
restrictions. I will not participate in security theatre, other than
to be theatrically irritated.

I'm guessing you're not a tester or much of a home user. There are
many such people using OS X, Windows, and yes Fedora and likely
CentOS, where environments and use case preclude compulsory compliance
because the risk is managed in other ways.

And Apple and Microsoft have been working to kill login passwords for
a while. Google and Facebook too. No one likes them. And our trust in
them is diminishing. They are not long term tenable. Making longer
ones compulsory already causes companies who do so grief as people
complain vociferously about such policies.


> I have no strong feelings on the new libpwquality rules, exactly.  What I do 
> feel strongly about is that there should be *some* reasonable minima that 
> can’t easily be bypassed.

This idea that opt in is not sufficient demonstrates how archaic and
busted computer security is when you have to become coercive to
everyone regardless of use case to make it safe.

In any case, the complaint over on the Fedora proposal has been
sufficiently addressed, even though the details are still being worked
out. The gist is that the user will have informed consent, and will
opt in to better quality passwords. So they will essentially be told
a. the password they've proposed sucks, b. fairly clear information on
why it sucks, c. the option to change it or continue anyway.


> I don’t see why we can’t take some responsibility for this mess and try to 
> build up some herd immunity.

Because there is no such thing when it comes to computers. Computers
with strong passphrases still sometimes get pwned, and at a much
higher rate than vaccines not working. Please stop with this hideously
bad analogy. Computers with NO passwords are often not ever getting
pwned for their entire lifetime, and those computers, a.k.a. mobile
devices, are used in public spaces, on public wifi, on public
networks. Anyone without vaccines in such proximity to illness would
definitely get sick. That doesn't happen with computers.

The environment has changed, and the old architectures and methods
aren't working the way they did. And somehow free open source software
has got to do better than it has been with security, because
proprietary systems are innovating more in this space right now, and
aren't passing the buck onto the user with this burden in the form of
stronger password requirements.

Besides, it's FOSS for a reason and people will opt out because
ultimately you can't make them do what you want. Apple and Microsoft
could possibly get away with it. I think their customers would become
foaming irate, however.


-- 
Chris Murphy


Re: [CentOS] Last few days in CentOS

2015-07-29 Thread Kay Schenk


On 07/29/2015 10:23 AM, Digimer wrote:
> On 29/07/15 12:45 PM, Karanbir Singh wrote:
>> hi everyone,
>>
>> I know this update has been a bit delayed, things have been pretty
>> hectic. But lots of good updates for everyone:
>>
>> Distro
>> 
>> * Updates for CentOS Linux 5/7 : All updates from upstream are
>> released into the CentOS mirror network.
>>
>> * Upstream 6.7 was released a few days back, we have all the rpms from
>> that release built and released to the early-adopters into the CentOS-CR
>> repos ( ref: http://wiki.centos.org/AdditionalResources/Repositories/CR
>> ); lots of people have applied these updates and there are no major
>> reports of issues so far. If you are one of the people running with CR,
>> please let us know if you hit any issues.
>>
>> * Updates released to EL6 since 6.7 was released are also rolled into
>> CR/ so if you are running this repo, you would be updated all the way.
>>
>> * We have a first cut of the ISOS for CentOS-6.7 ready and in QA, there
>> are a couple of package changes, and we need to tweak the content that
>> ends up on DVD1 Vs/ DVD2 to make sure we can still retain max installs
>> from just DVD1. I aim to have these done and available to the QA folks
>> in the next day or two, with the intention to release early next week to
>> mirror.centos.org.
>>
>> * Another key piece that we've been working on is the AltArch SIG; The
>> aim of this Special Interest Group is to help build and help maintain
>> CentOS Linux on other architectures than what the Core group is able to
>> do. Our first major build there is for the ARM 64bit platform called
>> Aarch64. CentOS Linux 7 has been in beta there for a few weeks and is
>> nearing the end of the beta term. If you have an ARM 64 bit platform, we
>> would appreciate feedback on the distro. ref:
>> http://lists.centos.org/pipermail/arm-dev/2015-July/000309.html
>>
>> 
>> Other:
>> * the SCL sig has been making great progress, we now have their use
>> cases fully supported in cbs.centos.org; Honza posted an update recently
>> on their status for the devtools-3 effort at :
>> http://lists.centos.org/pipermail/centos-devel/2015-July/013682.html
>>
>> * Some of our GSoC Students have been blogging at
>> http://seven.centos.org about their projects and the great work they are
>> doing in their areas. It's worth a read through.
>>
>> 
>> Tip: there are some great installation tips and tricks on the wiki at
>> http://wiki.centos.org/TipsAndTricks/KickStart - and we maintain a
>> collection of community contributed kickstarts at
>> https://github.com/CentOS/Community-Kickstarts - it's a great resource to
>> get ideas for your own kickstarts, and also a fantastic place, with a
>> low barrier for people to contribute their own tips and kickstarts!
>>
>> 
>> Engage: As some of you might already know, I've been running office
>> hours every Wed at 16:00 UTC and every Thu at 08:30 UTC over in
>> #centos-devel on irc.freenode.net; you also have the option to call me
>> on the phone for a chat during these times. The last few weeks have been
>> really fruitful, with many great conversations. If there is anything you
>> want to talk about or have questions around the CentOS ecosystem, feel
>> free to drop in. Office hours are run as an open house, free question and
>> answer sessions.
>>
>> regards,
> 
> Thanks for taking the time to send this update. As a user, it is
> reassuring to hear how progress is coming behind the scenes.
> 

Yes it is! :)

-- 

MzK

“The journey of a thousand miles begins with a single step.”
   --Lao Tzu




Re: [CentOS] Last few days in CentOS

2015-07-29 Thread Ian Pilcher

On 07/29/2015 04:53 PM, Karanbir Singh wrote:

the biggest blocker to going GA on the x86 build is the kernel; the
distro kernel we end up with isn't going to be the same as the upstream
x86_64 kernel configs. However, there hasn't been a huge level of
feedback ( either positive or negative ) around those builds. So if you
are using it, or are interested in using it - do take the distro out for
a spin and let us know!


I'm pretty sure that I posted this back when the beta was announced, but
it seems to work just fine on my fanless VIA C7 firewall/router/proxy/
IPA/CUPS/Asterisk box.  I've been waiting impatiently for this to go GA
ever since, so I can start seriously bugging the EPEL guys.

Re the kernel, how do the Springdale/PUIAS handle this issue?  It might
be worth copying their approach and/or coordinating.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 




Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Warren Young
On Jul 29, 2015, at 3:16 PM, Chris Murphy  wrote:
> 
> On Wed, Jul 29, 2015 at 2:15 PM, Warren Young  wrote:
>> Just because one particular method of prophylaxis fails to protect against 
>> all threats doesn’t mean we should stop using it, or increase its strength.
> 
> Actually it does. There is no more obvious head butting than with
> strong passwords vs usability. Strong login passwords and usability
> are diametrically opposed.

Security is *always* opposed to convenience.

The question is not “security or no security,” it’s “how much security?”

The correct answer must balance the threats and risks.  Given that the threats 
and risks here are nontrivial, the password quality restrictions should also be 
nontrivial.

> The rate of brute force attack success is exceeding that of human
> ability (and interest) to remember ever longer more complex passwords.

You must consider offline and online attack scenarios separately.

Online we have already dealt with: 50 guesses max/sec, allowing a 9-character 
random password to survive a million years of constant attack.

Offline is an entirely separate matter, and is already addressed by /etc/shadow 
salting and hashing in CentOS.  We know how to make it even stronger if the 
threat requires it: move to OTP keys, use a better KDF than SHA512, etc.

> I just fired my ISP because of the asininity of setting a 180
> compulsory expiration on passwords.

Good for you.  Password expiration is silly.  A good strong password should 
last years under any reasonable threat.

But we’ve not been talking about password expiration here.

> The highest risk, by a lot, is from a family member.

Of course.  It’s why Bruce Schneier wrote only one book on cryptography, but 
several on human factors.

That does not tell us that we should be sloppy with our crypto and 
authentication methods, though.

> it doesn't scale

I’m still not seeing how it’s difficult to remember, securely record, type, or 
transcribe a password that will pass the new restrictions.  They’re on the mild 
side, as these things go.

If you wanted to use the GRC password haystack calculator results to argue for 
a slight reduction in the defaults, I could get behind that.

Six random characters pulled only from the unambiguous subset of the 
alphanumeric set, no uppercase, and one symbol gets you a password that should 
withstand constant pounding for the life of the machine.  I could live with 
that minimum.

I have no strong feelings on the new libpwquality rules, exactly.  What I do 
feel strongly about is that there should be *some* reasonable minima that can’t 
easily be bypassed.  Where that level is set is not only a sensible subject for 
debate, it is one that’s easy to separate from emotion; it’s basically a 
question of arithmetic.

> Making policies
> opt out let alone compulsory is unacceptable.

I don’t see why we can’t take some responsibility for this mess and try to 
build up some herd immunity.

> Even as the policies
> get stronger people's trust in password efficacy relating to security
> continues to diminish.

Passwords are what we have today.  Strengthening them to a level that will 
suffice until something better comes along is reasonable.


Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Warren Young
On Jul 29, 2015, at 2:51 PM, Nathan Duehr  wrote:
> 
>> On Jul 28, 2015, at 5:46 PM, Warren Young  wrote:
>> 
>> The Apple ID password rules are a fair bit stronger than the libpwquality 
>> rules we’ve been discussing here, and have been so for some time:
> 
> Disingenuous. It does not REQUIRE you to use your AppleID as the user 
> password, and it’s probably not a good practice anyway.

I don’t see how you got any requirement from my post.  I pointed out that it 
was only a “want” in the post you quoted.  I’m not trying to obscure anything, 
just pointing out that other OSes are in fact already moving toward 
libpwquality-like restrictions.

Windows 8+ makes bypassing the cloud login even more difficult than Apple does, 
and Chrome OS doesn’t even offer the option.

iOS requires a cloud login now on hard boots.  It allows a short PIN for 
unlocking a device that is only sleeping, but the equivalent of that in CentOS 
would be a separate password on the X screensaver, which really isn’t on-point 
here. 

I assume Android does this now, too.  (Haven’t used Android myself since 2.3.)

The important point is that there’s a clear trend here.  The fact that you can 
currently bypass the cloud login in some of these cases does not invalidate 
that point.

> Using it as an example is silly, in that it LOWERS security.


Really?

As others have already pointed out in this thread, the local-only password 
policy on these OSes is far weaker than the rules proposed for F23.  Human 
nature and the contents of this thread should tell you how many people will use 
stronger local passwords than these cloud services demand.

You may point out that the move to a cloud authentication system extends the 
attack surface out into the public Internet, but when you implement a public 
login service using strong security — as it appears that Apple, Google, and 
Microsoft have done — it’s still a net win.

As I have already pointed out, a 9-character purely-random password can survive 
a million years of constant pounding with reasonable rate limiting.  Given that 
Microsoft, Apple, and Google all do more than just rate limiting on their cloud 
login systems, that means that even a relatively short but random password will 
survive any sustained frontal attack.

Offline attacks are far more dangerous, but strong mitigations for those have 
been well-known for decades.  I assume that Google, Apple and Microsoft are 
using these techniques to defeat offline attacks, in case their secure password 
stores are ever compromised.  (Key derivation, salting, hashing, zero-knowledge 
proofs...)

I am not wholeheartedly in favor of these cloud login systems, nor am I arguing 
that CentOS 8 should have one, too.  I am only pointing out that the security 
features they’ve all been designed with are worth emulation in CentOS’s 
local-only password authentication system, too.

> Comparing CentOS (an OS quite often used on servers on well-protected 
> networks) 

CentOS should not require a well-protected network in order to be secure.  It 
should be secure in its own right, from the moment it first boots after 
installation.

Anyway, your premise that your CentOS boxes are on networks so well protected 
that you don’t need strong passwords is quite unsound:

  https://en.wikipedia.org/wiki/Stuxnet
  https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise
  https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise

I doubt your LAN is more secure than that of RSA, Iran’s nuclear program, and 
several CAs.

Security professionals do not rely solely on borders to secure individual 
systems.  They rely on defense in depth, a concept at least as old as the 
ancient Greek phalanx formation:

  https://en.wikipedia.org/wiki/Phalanx
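
The online and offline guessing arithmetic referred to in the two messages above, worked through as an added example that is not part of the original posts. The 50 guesses/sec limit, the 9-character length and the million-year target come from the thread; the three alphabets and the offline guess rate are assumptions chosen for illustration.

```python
"""Brute-force time estimates for a purely random password (added example)."""
import string

SECONDS_PER_YEAR = 31_557_600  # 365.25 days

# Alphabet sizes are assumptions: the thread does not say which character
# set its "9-character random password" is drawn from.
ALPHABETS = {
    "lower+digits": len(string.ascii_lowercase + string.digits),  # 36
    "alnum": len(string.ascii_letters + string.digits),           # 62
    "printable": len(string.ascii_letters + string.digits
                     + string.punctuation),                       # 94
}

ONLINE_RATE = 50        # guesses/sec: the rate limit quoted in the thread
OFFLINE_RATE = 10**9    # guesses/sec: hypothetical rate against a fast hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords of this length."""
    return alphabet_size ** length


def expected_years(alphabet_size: int, length: int, rate: int) -> float:
    """Average-case search time: the attacker covers half the keyspace."""
    return keyspace(alphabet_size, length) / (2 * rate * SECONDS_PER_YEAR)


def min_length(alphabet_size: int, rate: int, target_years: int) -> int:
    """Shortest random password whose average-case search time meets the target."""
    needed = 2 * rate * SECONDS_PER_YEAR * target_years
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


def kdf_slowdown_needed(alphabet_size: int, length: int,
                        raw_rate: int, target_years: int) -> int:
    """Factor by which each guess must be made slower (for example by a
    key-derivation work factor) for a password of the given length to meet
    the target at the attacker's raw offline rate. Simple model: guess
    cost scales linearly with the factor."""
    needed = 2 * raw_rate * SECONDS_PER_YEAR * target_years
    space = keyspace(alphabet_size, length)
    return max(1, -(-needed // space))  # ceiling division


def report(length: int = 9, target_years: int = 10**6):
    """One row per alphabet: online years, offline years, lengths required."""
    rows = []
    for name, size in ALPHABETS.items():
        rows.append({
            "alphabet": name,
            "online_years": expected_years(size, length, ONLINE_RATE),
            "offline_years": expected_years(size, length, OFFLINE_RATE),
            "min_len_online": min_length(size, ONLINE_RATE, target_years),
            "min_len_offline": min_length(size, OFFLINE_RATE, target_years),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print("{alphabet:13s} online {online_years:14,.0f} y   "
              "offline {offline_years:10.3f} y   "
              "min length online/offline {min_len_online}/{min_len_offline}"
              .format(**row))
    print("per-guess slowdown for 9-char alnum, offline:",
          kdf_slowdown_needed(ALPHABETS["alnum"], 9, OFFLINE_RATE, 10**6))
```

Under these assumptions the rate limit, not the password length, carries most of the online protection, and the same password needs either more length or a much slower hash once the attacker holds the hash file.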


Re: [CentOS] Last few days in CentOS

2015-07-29 Thread Karanbir Singh
On 29/07/15 22:04, Peter wrote:
> On 07/30/2015 07:13 AM, Zdenek Sedlak wrote:
>>
>> BTW do you have any news about the CentOS 7 32-bit, discussed some time
>> around CentOS 7 release?
> 
> Yes, there's a beta out for the past month or so:
> http://lists.centos.org/pipermail/centos-devel/2015-June/013426.html
> 

the biggest blocker to going GA on the x86 build is the kernel; the
distro kernel we end up with isn't going to be the same as the upstream
x86_64 kernel configs. However, there hasn't been a huge level of
feedback ( either positive or negative ) around those builds. So if you
are using it, or are interested in using it - do take the distro out for
a spin and let us know!

Regards,

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc


Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Chris Murphy
On Wed, Jul 29, 2015 at 2:15 PM, Warren Young  wrote:
> Just because one particular method of prophylaxis fails to protect against 
> all threats doesn’t mean we should stop using it, or increase its strength.

Actually it does. There is no more obvious head butting than with
strong passwords vs usability. Strong login passwords and usability
are diametrically opposed.

The rate of brute force attack success is exceeding that of human
ability (and interest) to remember ever longer more complex passwords.
I just fired my ISP because of the asininity of setting a 180
compulsory expiration on passwords.

Now I use Google. They offer MFA opt in. And now I'm more secure than
I was with the myopic ISP.

Apple and Microsoft (and likely others) have been working to deprecate
login passwords for years - obviously they're not ready to flip the
switch over yet, it isn't an easy problem to solve, but part of why
they haven't had more urgency is because they are doing a lot of work
on peripheral defenses that obviate, to pretty good degree, the need
for strong passwords, relegating the login password to something like
"big sky theory"  - it's safe enough to tolerate very weak passwords
in most use cases. The highest risk, by a lot, is from a family
member.

I'm not arguing directly against strong passwords as much as I'm
arguing against already unacceptable usability problems resulting from
stronger password policies, because it doesn't scale. Making policies
opt out let alone compulsory is unacceptable.  Even as the policies
get stronger people's trust in password efficacy relating to security
continues to diminish.


-- 
Chris Murphy


Re: [CentOS] Last few days in CentOS

2015-07-29 Thread Peter
On 07/30/2015 07:13 AM, Zdenek Sedlak wrote:
> 
> BTW do you have any news about the CentOS 7 32-bit, discussed some time
> around CentOS 7 release?

Yes, there's a beta out for the past month or so:
http://lists.centos.org/pipermail/centos-devel/2015-June/013426.html


Peter


Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Nathan Duehr

> On Jul 28, 2015, at 5:46 PM, Warren Young  wrote:
> 
> The Apple ID password rules are a fair bit stronger than the libpwquality 
> rules we’ve been discussing here, and have been so for some time:
> 
>  https://support.apple.com/en-us/HT201303
> 
> Given that recent OS X releases want to use your Apple ID as the OS login 
> credentials, that effectively makes these the OS password quality rules, too.

Disingenuous. It does not REQUIRE you to use your AppleID as the user password, 
and it’s probably not a good practice anyway.

Using it as an example is silly, in that it LOWERS security.  

Comparing CentOS (an OS quite often used on servers on well-protected networks) 
to a consumer-grade OS that wants to integrate your login to “the cloud”, is 
ridiculous. Of COURSE the defaults for a cloud connected machine are higher.

Nate


Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Warren Young
On Jul 28, 2015, at 8:50 PM, Chris Murphy  wrote:
> 
> On Tue, Jul 28, 2015 at 6:32 PM, Warren Young  wrote:
>> On Jul 28, 2015, at 4:37 PM, Nathan Duehr  wrote:
> 
>>> Equating this to “vaccination” is a huge stretch.
>> 
>> Why?
> 
> It's not just an imperfect analogy it really doesn't work on closer scrutiny.

Every analogy will break down if you look too closely.  The question is, is it 
a *useful* analogy?

> ...a login password is...about
> user authentication...not...meant or designed to provide
> immunity from malware.

Fine.  If you want to be picky, a better analogy to a good password and 
reasonable limits on SSH logins is a healthy integument and healthy cell walls.

Has that changed any of the conclusions about bad passwords?  No.  Therefore we 
have succeeded in clarifying nothing except our application of biology, which 
is interesting, but not on topic here.

> That we're trying to use it to prevent
> infections is more like putting ourselves into bubbles; and humans put
> into bubbles for this reason are called immune compromised.

Now it is you who are off the rails.  The hygiene hypothesis explains a great 
deal about human disease because we have an active immune system to deal with 
an evolving set of biological challenges.

CentOS’s immune system doesn’t get stronger purely by subjecting it to more 
attacks.  It improves only through human intervention.

> So this push to depend on stronger passwords just exposes how "immune
> compromised" we are in these dark ages of computer security.

While true, that doesn’t tell us that it is a good idea to allow weak passwords.

If you will allow me to return to biology, it’s like saying that prophylaxis is 
a bad idea because it points out how imperfect our immune systems are.  Stop 
covering your face when you sneeze, stop using condoms, stop going to the 
dentist: we need stronger humans, so let’s evolve some!

> There are
> overwhelmingly worse side effects of password dependency than
> immunization.

That seems like a falsifiable statement, so I expect you will be able to point 
to a scientific paper that supports that assertion.

> And also, a large percent of malware doesn't even depend on brute
> force password attacks.

So let’s dial back my previous proposal.  We’ll just stop using dental 
prophylaxis, then, because it doesn’t prevent the contraction of oral STIs.

Just because one particular method of prophylaxis fails to protect against all 
threats doesn’t mean we should stop using it, or increase its strength.


Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Warren Young
On Jul 28, 2015, at 8:37 PM, Gordon Messmer  wrote:
> 
> On 07/28/2015 04:29 PM, Warren Young wrote:
>> They turned off "PermitRootLogin yes" and "Protocol 1" in EL6 or EL7, the 
>> previous low-hanging fruit.  Do you think those were bad decisions, too?
> 
> As far as I know, PermitRootLogin has not been set to "no" by default. 

My mistake.  I grepped sshd_config on a fresh EL7 machine here and saw

  #PermitRootLogin yes

and assumed it meant “no”.  It’s just documenting the default.

I explicitly set it to “no” on systems I am solely in control of, and I’d 
prefer that upstream changed that default in the precursor(s) to CentOS 8, too. 
 EL7 ships ready to use sudo out-of-the-box, if you tick the “administrative 
user” checkbox on the non-root user during install.  That removes the last good 
reason to allow remote root logins by default.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
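
Added example, not part of the original post: the point corrected in the message above, that a commented-out `#PermitRootLogin yes` sets nothing and leaves the default in force, checked with a small shell function. The function names, the sample files and the default passed as the third argument (`yes`, as the thread states for EL7) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the effective *global* value
# of an sshd_config keyword from a single file.
#   - a line starting with '#' is a comment; "#PermitRootLogin yes" sets nothing
#   - keywords are case-insensitive; the first uncommented occurrence wins
#   - settings after the first "Match" line are conditional, so parsing stops
#   - if the keyword is never set, DEFAULT (supplied by the caller) applies
effective_sshd_option() {  # usage: effective_sshd_option FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next      # blank line or comment
            if (!match(line, /^[A-Za-z0-9]+/)) next  # no keyword on this line
            kw  = tolower(substr(line, 1, RLENGTH))
            arg = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", arg)          # "Key value" or "Key=value"
            sub(/[ \t]+$/, "", arg)
            if (kw == "match") exit                  # global section ends here
            if (kw == key) { val = arg; exit }       # first occurrence wins
        }
        END { print val }
    ' "$1"
}

# Constructed sample files (not taken from any real host).
write_samples() {  # usage: write_samples DIR
    cat > "$1/stock" <<'EOF'
# constructed sample: the default is only documented, not set
#PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/hardened" <<'EOF'
permitrootlogin no
PermitRootLogin yes
EOF
    cat > "$1/matchonly" <<'EOF'
#PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in stock hardened matchonly; do
    printf '%-10s PermitRootLogin=%s\n' "$f" \
        "$(effective_sshd_option "$tmp/$f" PermitRootLogin yes)"
done
rm -rf "$tmp"
```

On a live host, `sshd -T` prints the effective configuration as sshd itself resolves it; the function above only reads one file.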


Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Warren Young
On Jul 29, 2015, at 7:24 AM, James B. Byrne  wrote:
> 
> 
> On Tue, July 28, 2015 19:46, Warren Young wrote:
>> 
>> iPads can’t be coopted into a botnet.  The rules for iPad passwords
>> must necessarily be different than for CentOS.
>> 
> 
> http://www.tomsguide.com/us/ios-botnet-hacking,news-19253.html

So many flaws:

1. It’s just a gloss on a Wired article, which itself is a scare report ahead 
of publication of a paper that hadn’t been presented at the time of writing.  
All this pair of articles says is, “This could happen, and Apple is bad because 
it can happen!”  Rational response: “With what likelihood can it happen?”  
Answer: crickets.

I finally managed to track down the paper, here:

  
https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-wang-tielei.pdf

tl;dr: You have to hook the iOS device up to a PC that’s already been rooted.  
Then it can infect the iOS device through the previously-trusted iTunes sync 
channel.

If you’re worried enough about that to do something about it, I want you to 
tell me your experiences either never using SSH and WiFi PSKs, or always using 
passphrase protection on them.

I also want you to tell me about how you never download device firmware to a 
PC, but only direct to the device that needs to be flashed with it, and only 
from SSL protected hosts.  In most cases, this is a far bigger risk than the 
iOS flaw you point out, because you don’t need to jump through all the hoops 
the researchers did in order to exploit the iTunes sync process.

(Oh, and by the way, no, the “23%” value from the paper is not a likelihood.  
If 23% of rocks can fall from the sky, it doesn’t mean 23% of rocks *will* fall 
from the sky.)

2. It’s been a year since that report, during which time Apple have released 8 
updates containing security patches for iOS.  Apple doesn’t generally say much, 
if anything, about security flaws they’ve fixed, so any one of them could have 
closed this door already.

3. No massive new iOS botnet has appeared in the past year.  Meanwhile, CentOS 
boxes actually exist in botnets today.


Re: [CentOS] Last few days in CentOS

2015-07-29 Thread Zdenek Sedlak
On 07/29/2015 06:45 PM, Karanbir Singh wrote:
> hi everyone,
>
> I know this update has been a bit delayed, things have been pretty
> hectic. But lots of good updates for everyone:
>
> Distro
> 
> * Updates for CentOS Linux 5/7 : All updates from upstream are
> released into the CentOS mirror network.
>
> * Upstream 6.7 was released a few days back, we have all the rpms from
> that release built and released to the early-adopters into the CentOS-CR
> repos ( ref: http://wiki.centos.org/AdditionalResources/Repositories/CR
> ); lots of people have applied these updates and there are no major
> reports of issues so far. If you are one of the people running with CR,
> please let us know if you hit any issues.
>
> * Updates released to EL6 since 6.7 was released are also rolled into
> CR/ so if you are running this repo, you would be updated all the way.
>
> * We have a first cut of the ISOS for CentOS-6.7 ready and in QA, there
> are a couple of package changes, and we need to tweak the content that
> ends up on DVD1 Vs/ DVD2 to make sure we can still retain max installs
> from just DVD1. I aim to have these done and available to the QA folks
> in the next day or two, with the intention to release early next week to
> mirror.centos.org.
>
> * Another key piece that we've been working on is the AltArch SIG; The
> aim of this Special Interest Group is to help build and help maintain
> CentOS Linux on other architectures than what the Core group is able to
> do. Our first major build there is for the ARM 64bit platform called
> Aarch64. CentOS Linux 7 has been in beta there for a few weeks and is
> nearing the end of the beta term. If you have an ARM 64 bit platform, we
> would appreciate feedback on the distro. ref:
> http://lists.centos.org/pipermail/arm-dev/2015-July/000309.html
>
> 
> Other:
> * the SCL sig has been making great progress, we now have their use
> cases fully supported in cbs.centos.org; Honza posted an update recently
> on their status for the devtools-3 effort at :
> http://lists.centos.org/pipermail/centos-devel/2015-July/013682.html
>
> * Some of our GSoC Students have been blogging at
> http://seven.centos.org about their projects and the great work they are
> doing in their areas. It's worth a read through.
>
> 
> Tip: there are some great installation tips and tricks on the wiki at
> http://wiki.centos.org/TipsAndTricks/KickStart - and we maintain a
> collection of community contributed kickstarts at
> https://github.com/CentOS/Community-Kickstarts - it's a great resource to
> get ideas for your own kickstarts, and also a fantastic place, with a
> low barrier for people to contribute their own tips and kickstarts!
>
> 
> Engage: As some of you might already know, I've been running office
> hours every Wed at 16:00 UTC and every Thu at 08:30 UTC over in
> #centos-devel on irc.freenode.net; you also have the option to call me
> on the phone for a chat during these times. The last few weeks have been
> really fruitful, with many great conversations. If there is anything you
> want to talk about or have questions around the CentOS ecosystem, feel
> free to drop in. Office hours are run as an open house, free question and
> answer sessions.
>
> regards,
>
Hi,

thank you for the update, really appreciated!

BTW do you have any news about the CentOS 7 32-bit, discussed some time
around CentOS 7 release?

Found this blog:
http://www.karan.org/blog/2013/12/15/where-is-the-i686-in-rhel-7/

Thanks

//Zdenek



Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Matthew Miller
On Wed, Jul 29, 2015 at 06:20:44AM -0500, Johnny Hughes wrote:
> > You (and others) are misunderstanding my off-the-cuff remark.
> > It was purely an observation about the lack of statistics.
> > I rarely if ever see a statement of the kind
> >   "Among Fedora users 37% use KDE and 42% Gnome".
> > Or (after the remark I was responding to)
> >   "83% of CentOS machines are in datacenters, and 7% are home-servers".
> > (Or "x% of Fedora users have turned SELinux to permissive".)
> > 
> > I'm not saying that Fedora or CentOS should work on democratic principles.
> > I welcome Johnny Hughes unambiguous statement that CentOS follows RHEL.
> > This saves a lot of time arguing about things that cannot be changed.
> > 
> > But I hold the (old-fashioned?) view that before expressing an opinion
> > one should get the facts.
> 
> We can't gather facts about people .. people go bat shit crazy if their
> machines report stuff back.
> 
> At CentOS, we can't even tell you how many users we have, because we
> can't possibly buy all the mirrors that are required to give out updates
> to all users.
> 
> Instead, we have a couple hundred mirrors JUST to distribute CentOS to
> external mirrors run by the community (currently 624 mirrors in 85
> countries) when we do a release.  We don't have the ability to gather
> statistics on servers we don't own.
> 
> Fedora is in the same boat.

Yeah, pretty much, although I might be less... direct about the
language. :) We are very sensitive to user privacy concerns. And
gathering this kind of information accurately in other ways is
expensive.

I can tell you some ad hoc numbers from F21, which come with tons of
caveats. This is based on ISO download numbers from the master mirror,
which is very imprecise and does not reflect installations — someone
might have downloaded the cloud image once and installed a million
nodes. Or downloaded it a million times and never actually booted it.
But, anyway, from this:

 * About 70% Fedora Workstation (our GNOME-based desktop primarily
targeted at software developers and technical users.)
 * About 20% Fedora Server
 * About  5% Fedora Cloud
 * About 2% KDE Desktop Spin
 * About 2% Xfce Desktop Spin
 * About 1% other spins and images

-- 
Matthew Miller

Fedora Project Leader


Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Matthew Miller
On Wed, Jul 29, 2015 at 05:58:51AM -0400, Scott Robbins wrote:
> I've seen various decisions made by Fedora, which weren't even necessarily
> bad for its apparent target audience, the desktop user, that, while not
> insurmountable, get put into RHEL, and therefore CentOS.

I would highly recommend looking into Fedora Server; over the past
couple of years, we've made a deliberate effort to address Fedora's
cloud computing and traditional server userbases as intentional target
audiences. Take a look at 

* https://fedoraproject.org/wiki/Server/Product_Requirements_Document#User_Profiles.2C_Primary_Use_Cases_and_Goals
* https://fedoraproject.org/wiki/Cloud/Cloud_PRD?rd=Cloud_PRD#User_Profiles.2C_Goals.2C_and_Primary_Use_Cases

and see if you feel like your uses are better represented.

> Fedora has made several decisions where a developer or developers will
> ignore popular opinion.  I remember when pkgkit would allow any user to
> update through the GUI without authentication and it took the story making
> the front page of slashdot to get it changed.  

It may have seemed that way, but I don't think Slashdot was a major
factor in this decision either.

> Like any organization, Fedora has some people who are very responsive to user 
> input and others who aren't.  To me the reason to make noise about
> something in Fedora is to try to keep it from getting into RHEL and hence
> CentOS.

I'd like to encourage you to think of this in a different direction.
Instead of interacting with Fedora when you want to stop a decision you
don't like, help us build something you *do* like.

When people just scream "this new password policy is the worst thing
ever quit doing things differently!", developers who are genuinely
trying to make things better get discouraged, and while dissuading
someone from contributing in this way may _feel_ like a victory when it
was something you didn't like, it's a loss long term. So, instead: "I
have the use case ABC, which doesn't seem to fit in. I think it's an
important situation for target audience, so I propose...".

And, as always, triple bonus points when there's a complete design or
an example implementation, because we certainly don't lack for _ideas_.

-- 
Matthew Miller

Fedora Project Leader


Re: [CentOS] Last few days in CentOS

2015-07-29 Thread Paul Heinlein

On Wed, 29 Jul 2015, Karanbir Singh wrote:


> hi everyone,
>
> I know this update has been a bit delayed, things have been pretty
> hectic. But lots of good updates for everyone:

[...snipped, sadly...]


KB,

Thank you, for the message and all the work behind it! It's all very 
encouraging.


--
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/


Re: [CentOS] Last few days in CentOS

2015-07-29 Thread Digimer
On 29/07/15 12:45 PM, Karanbir Singh wrote:
> hi everyone,
> 
> I know this update has been a bit delayed, things have been pretty
> hectic. But lots of good updates for everyone:
> 
> Distro
> 
> * Updates for CentOS Linux 5/7 : All updates from upstream are
> released into the CentOS mirror network.
> 
> * Upstream 6.7 was released a few days back, we have all the rpms from
> that release built and released to the early-adopters into the CentOS-CR
> repos ( ref: http://wiki.centos.org/AdditionalResources/Repositories/CR
> ); lots of people have applied these updates and there are no major
> reports of issues so far. If you are one of the people running with CR,
> please let us know if you hit any issues.
> 
> * Updates released to EL6 since 6.7 was released are also rolled into
> CR/ so if you are running this repo, you would be updated all the way.
> 
> * We have a first cut of the ISOS for CentOS-6.7 ready and in QA, there
> are a couple of package changes, and we need to tweak the content that
> ends up on DVD1 Vs/ DVD2 to make sure we can still retain max installs
> from just DVD1. I aim to have these done and available to the QA folks
> in the next day or two, with the intention to release early next week to
> mirror.centos.org.
> 
> * Another key piece that we've been working on is the AltArch SIG; The
> aim of this Special Interest Group is to help build and help maintain
> CentOS Linux on other architectures than what the Core group is able to
> do. Our first major build there is for the ARM 64bit platform called
> Aarch64. CentOS Linux 7 has been in beta there for a few weeks and is
> nearing the end of the beta term. If you have an ARM 64 bit platform, we
> would appreciate feedback on the distro. ref:
> http://lists.centos.org/pipermail/arm-dev/2015-July/000309.html
> 
> 
> Other:
> * the SCL sig has been making great progress, we now have their use
> cases fully supported in cbs.centos.org; Honza posted an update recently
> on their status for the devtools-3 effort at :
> http://lists.centos.org/pipermail/centos-devel/2015-July/013682.html
> 
> * Some of our GSoC Students have been blogging at
> http://seven.centos.org about their projects and the great work they are
> doing in their areas. It's worth a read through.
> 
> 
> Tip: there are some great installation tips and tricks on the wiki at
> http://wiki.centos.org/TipsAndTricks/KickStart - and we maintain a
> collection of community contributed kickstarts at
> https://github.com/CentOS/Community-Kickstarts - it's a great resource to
> get ideas for your own kickstarts, and also a fantastic place, with a
> low barrier for people to contribute their own tips and kickstarts!
> 
> 
> Engage: As some of you might already know, I've been running office
> hours every Wed at 16:00 UTC and every Thu at 08:30 UTC over in
> #centos-devel on irc.freenode.net; you also have the option to call me
> on the phone for a chat during these times. The last few weeks have been
> really fruitful, with many great conversations. If there is anything you
> want to talk about or have questions around the CentOS ecosystem, feel
> free to drop in. Office hours are run as an open house, free question and
> answer sessions.
> 
> regards,

Thanks for taking the time to send this update. As a user, it is
reassuring to hear how progress is coming behind the scenes.

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?


Re: [CentOS] Semi-OT: configuring mongodb for sharding

2015-07-29 Thread Dennis Jacobfeuerborn
On 07/29/2015 04:43 PM, m.r...@5-cent.us wrote:
> Anyone know about this? Googling, all I can find is mongodb's 3.x manual,
> nothing for the 2.4 we get from epel.
> 
> What I need to do, CentOS 6.6, is start it as a service, not a user, and
> have it do sharding. I see examples of how to start it as a user... but I
> can't find if there's a syntax for /etc/mongodb.conf to tell it that, and
> I don't want to have to edit /etc/init.d/mongod
> 
> Clues for the poor?

Use the packages from the official MongoDB repo and not the packages
from epel. MongoDB is rather buggy and you always want to run recent
versions. The last version I ran in a sharded setup was 2.6.5 and that
contained some rather ugly bugs that resulted in no proper balancing
happening between the shards and replica sets becoming confused about
the number of servers that were members of a set.

Regards,
  Dennis



[CentOS] Last few days in CentOS

2015-07-29 Thread Karanbir Singh
hi everyone,

I know this update has been a bit delayed, things have been pretty
hectic. But lots of good updates for everyone:

Distro

* Updates for CentOS Linux 5/7 : All updates from upstream are
released into the CentOS mirror network.

* Upstream 6.7 was released a few days back, we have all the rpms from
that release built and released to the early-adopters into the CentOS-CR
repos ( ref: http://wiki.centos.org/AdditionalResources/Repositories/CR
); lots of people have applied these updates and there are no major
reports of issues so far. If you are one of the people running with CR,
please let us know if you hit any issues.

* Updates released to EL6 since 6.7 was released are also rolled into
CR/ so if you are running this repo, you would be updated all the way.

* We have a first cut of the ISOS for CentOS-6.7 ready and in QA, there
are a couple of package changes, and we need to tweak the content that
ends up on DVD1 Vs/ DVD2 to make sure we can still retain max installs
from just DVD1. I aim to have these done and available to the QA folks
in the next day or two, with the intention to release early next week to
mirror.centos.org.

* Another key piece that we've been working on is the AltArch SIG; The
aim of this Special Interest Group is to help build and help maintain
CentOS Linux on other architectures than what the Core group is able to
do. Our first major build there is for the ARM 64bit platform called
Aarch64. CentOS Linux 7 has been in beta there for a few weeks and is
nearing the end of the beta term. If you have an ARM 64 bit platform, we
would appreciate feedback on the distro. ref:
http://lists.centos.org/pipermail/arm-dev/2015-July/000309.html


Other:
* the SCL sig has been making great progress, we now have their use
cases fully supported in cbs.centos.org; Honza posted an update recently
on their status for the devtools-3 effort at :
http://lists.centos.org/pipermail/centos-devel/2015-July/013682.html

* Some of our GSoC Students have been blogging at
http://seven.centos.org about their projects and the great work they are
doing in their areas. It's worth a read through.


Tip: there are some great installation tips and tricks on the wiki at
http://wiki.centos.org/TipsAndTricks/KickStart - and we maintain a
collection of community contributed kickstarts at
https://github.com/CentOS/Community-Kickstarts - it's a great resource to
get ideas for your own kickstarts, and also a fantastic place, with a
low barrier for people to contribute their own tips and kickstarts!


Engage: As some of you might already know, I've been running office
hours every Wed at 16:00 UTC and every Thu at 08:30 UTC over in
#centos-devel on irc.freenode.net; you also have the option to call me
on the phone for a chat during these times. The last few weeks have been
really fruitful, with many great conversations. If there is anything you
want to talk about or have questions around the CentOS ecosystem, feel
free to drop in. Office hours are run as an open house, free question and
answer sessions.

regards,

-- 
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc


[CentOS] Semi-OT: configuring mongodb for sharding

2015-07-29 Thread m . roth
Anyone know about this? Googling, all I can find is mongodb's 3.x manual,
nothing for the 2.4 we get from epel.

What I need to do, CentOS 6.6, is start it as a service, not a user, and
have it do sharding. I see examples of how to start it as a user... but I
can't find if there's a syntax for /etc/mongodb.conf to tell it that, and
I don't want to have to edit /etc/init.d/mongod

Clues for the poor?

   mark



Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread James B. Byrne

On Tue, July 28, 2015 19:46, Warren Young wrote:
>
> iPads can’t be coopted into a botnet.  The rules for iPad passwords
> must necessarily be different than for CentOS.
>

http://www.tomsguide.com/us/ios-botnet-hacking,news-19253.html

-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



[CentOS] CentOS-announce Digest, Vol 125, Issue 12

2015-07-29 Thread centos-announce-request

Today's Topics:

   1. CESA-2015:1513 Important CentOS 7 bind Security Update (Johnny Hughes)
   2. CESA-2015:1515 Important CentOS 5 bind97 Security Update (Johnny Hughes)
   3. CESA-2015:1514 Important CentOS 5 bind Security Update (Johnny Hughes)


--

Message: 1
Date: Wed, 29 Jul 2015 01:43:33 +
From: Johnny Hughes 
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2015:1513 Important CentOS 7 bind Security Update
Message-ID: <20150729014333.ga58...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2015:1513 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1513.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 




-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net



--

Message: 2
Date: Wed, 29 Jul 2015 02:03:50 +
From: Johnny Hughes 
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2015:1515 Important CentOS 5 bind97 Security Update
Message-ID: <20150729020350.ga25...@chakra.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2015:1515 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1515.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 


Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Johnny Hughes
On 07/29/2015 06:00 AM, Timothy Murphy wrote:
> Chris Murphy wrote:
> 
>>>> No, I am making the assumption that the vast majority of CentOS installs
>>>> are racked up in datacenters, VPS hosts, etc.
> 
>>> Is that true, I wonder?
>>> For some reason Fedora and CentOS seem reluctant to find out anything
>>> about their users (or what their users want).
> 
>> This is confusing. I think it's overwhelmingly, abundantly clear that
>> Fedora care about their users and are listening. CentOS cares with a
>> hard and fast upper limit which is binary compatibility with RHEL. So
>> if you want to change CentOS behavior you'd have to buy into RHEL and
>> convince Red Hat, and then it'd trickle down to CentOS.
> 
> You (and others) are misunderstanding my off-the-cuff remark.
> It was purely an observation about the lack of statistics.
> I rarely if ever see a statement of the kind
>   "Among Fedora users 37% use KDE and 42% Gnome".
> Or (after the remark I was responding to)
>   "83% of CentOS machines are in datacenters, and 7% are home-servers".
> (Or "x% of Fedora users have turned SELinux to permissive".)
> 
> I'm not saying that Fedora or CentOS should work on democratic principles.
> I welcome Johnny Hughes unambiguous statement that CentOS follows RHEL.
> This saves a lot of time arguing about things that cannot be changed.
> 
> But I hold the (old-fashioned?) view that before expressing an opinion
> one should get the facts.

We can't gather facts about people .. people go bat shit crazy if their
machines report stuff back.

At CentOS, we can't even tell you how many users we have, because we
can't possibly buy all the mirrors that are required to give out updates
to all users.

Instead, we have a couple hundred mirrors JUST to distribute CentOS to
external mirrors run by the community (currently 624 mirrors in 85
countries) when we do a release.  We don't have the ability to gather
statistics on servers we don't own.

Fedora is in the same boat.






Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Timothy Murphy
Chris Murphy wrote:

>>> No, I am making the assumption that the vast majority of CentOS installs
>>> are racked up in datacenters, VPS hosts, etc.

>> Is that true, I wonder?
>> For some reason Fedora and CentOS seem reluctant to find out anything
>> about their users (or what their users want).

> This is confusing. I think it's overwhelmingly, abundantly clear that
> Fedora care about their users and are listening. CentOS cares with a
> hard and fast upper limit which is binary compatibility with RHEL. So
> if you want to change CentOS behavior you'd have to buy into RHEL and
> convince Red Hat, and then it'd trickle down to CentOS.

You (and others) are misunderstanding my off-the-cuff remark.
It was purely an observation about the lack of statistics.
I rarely if ever see a statement of the kind
  "Among Fedora users 37% use KDE and 42% Gnome".
Or (after the remark I was responding to)
  "83% of CentOS machines are in datacenters, and 7% are home-servers".
(Or "x% of Fedora users have turned SELinux to permissive".)

I'm not saying that Fedora or CentOS should work on democratic principles.
I welcome Johnny Hughes' unambiguous statement that CentOS follows RHEL.
This saves a lot of time arguing about things that cannot be changed.

But I hold the (old-fashioned?) view that before expressing an opinion
one should get the facts.




-- 
Timothy Murphy  
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin




Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Scott Robbins
On Tue, Jul 28, 2015 at 07:37:45PM -0700, Gordon Messmer wrote:
> On 07/28/2015 04:29 PM, Warren Young wrote:
> >They turned off "PermitRootLogin yes" and "Protocol 1" in EL6 or EL7, the 
> >previous low-hanging fruit.  Do you think those were bad decisions, too?
> 
> As far as I know, PermitRootLogin has not been set to "no" by
> default.  At least, I've never seen that on a system I've installed.
> Am I missing something?

RHEL (and Fedora), unlike FreeBSD and a few other systems, has
PermitRootLogin set to yes by default.  On a minimal install (I don't know
about workstation), I've always found sshd to be enabled by default.


-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
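
A check for the two sshd settings named in this exchange (PermitRootLogin and Protocol), as an added example that is not part of the original thread. The function names `sshd_global_value` and `audit_sshd` are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: report the global value of an sshd_config keyword.
# sshd keeps the first value it obtains; keywords are case-insensitive.

# sshd_global_value FILE KEYWORD -> prints the value, or "unset"
sshd_global_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        tolower($1) == "match" { exit }    # Match blocks are conditional
        tolower($1) == want { print $2; found = 1; exit }  # first wins
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE -> one finding per line; returns 1 if anything was flagged
audit_sshd() {
    rc=0
    case "$(sshd_global_value "$1" PermitRootLogin)" in
        yes)   echo "PermitRootLogin yes: direct root login allowed"; rc=1 ;;
        unset) echo "PermitRootLogin unset: compiled-in default applies"; rc=1 ;;
    esac
    case ",$(sshd_global_value "$1" Protocol)," in
        *,1,*) echo "Protocol includes 1: legacy SSH-1 enabled"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the only global PermitRootLogin line is commented out,
# so the file itself sets nothing and the build default decides.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
Protocol 2,1
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

On a live host, `sshd -T` prints the configuration sshd will actually use, including any compiled-in default that a file scan like this cannot see.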



Re: [CentOS] Fedora change that will probably affect RHEL

2015-07-29 Thread Scott Robbins
On Tue, Jul 28, 2015 at 08:01:21PM -0600, Chris Murphy wrote:
> On Tue, Jul 28, 2015 at 6:17 PM, Timothy Murphy  wrote:
> > Warren Young wrote:
> >
> >
> >> No, I am making the assumption that the vast majority of CentOS installs
> >> are racked up in datacenters, VPS hosts, etc.
> >
> > Is that true, I wonder?
> > For some reason Fedora and CentOS seem reluctant to find out anything
> > about their users (or what their users want).
> 
> This is confusing. I think it's overwhelmingly, abundantly clear that
> Fedora care about their users and are listening. CentOS cares with a
> hard and fast upper limit which is binary compatibility with RHEL. So
> if you want to change CentOS behavior you'd have to buy into RHEL and
> convince Red Hat, and then it'd trickle down to CentOS.
> 
As the one who started this thread, and has watched it explode, I feel like
a troll, and apologize to everyone. 

I've seen various decisions made by Fedora, which weren't even necessarily
bad for its apparent target audience, the desktop user, that, while not
insurmountable, get put into RHEL, and therefore CentOS.

Fedora has made several decisions where a developer or developers will
ignore popular opinion.  I remember when pkgkit would allow any user to
update through the GUI without authentication and it took the story making
the front page of slashdot to get it changed.  

Like any organization, Fedora has some people who are very responsive to user 
input and others who aren't.  To me the reason to make noise about
something in Fedora is to try to keep it from getting into RHEL and hence
CentOS.


-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
