Re: Request for comment: Potential change to dist-git branch structure

2010-12-06 Thread Andreas Schwab
Jesse Keating jkeat...@redhat.com writes:

 However, if a user had a local
 branch of f14 or f14/master they will be left with mismatched
 .git/config entries.  In this case it's easiest to delete the local
 branch (git branch -d f14) and check it out again.

Or git branch --set-upstream.

Andreas.

-- 
Andreas Schwab, sch...@redhat.com
GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84  5EC7 45C6 250E 6F00 984E
And now for something completely different.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Hans de Goede
Hi,

On 12/06/2010 06:34 AM, Michał Piotrowski wrote:
 Hi,

 On 3 December 2010 at 09:14, Michał Piotrowski
 mkkp...@gmail.com wrote:
 [..]
 What services are installed by default when installing from Live
 GNOME/KDE/etc and DVD?

 Ok, let's ask the question differently - what services should be run
 by default to provide working system for desktop user?

 IMO ssh can be off by default and should be started only if user tries
 to connect over port 22.

 Do we really need to install iptables/ip6tables by default (it's in core 
 group)?


Do we really need a firewall configured ?

Yes we do because of <blink><b>SECURITY</b></blink>

I'm sorry but asking if we really need iptables by default is just stupid!

Regards,

Hans


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Michał Piotrowski
On 6 December 2010 at 10:43, Hans de Goede
hdego...@redhat.com wrote:
 Hi,

 On 12/06/2010 06:34 AM, Michał Piotrowski wrote:
 Hi,

 On 3 December 2010 at 09:14, Michał Piotrowski
 mkkp...@gmail.com wrote:
 [..]
 What services are installed by default when installing from Live
 GNOME/KDE/etc and DVD?

 Ok, let's ask the question differently - what services should be run
 by default to provide working system for desktop user?

 IMO ssh can be off by default and should be started only if user tries
 to connect over port 22.

 Do we really need to install iptables/ip6tables by default (it's in core 
 group)?


 Do we really need a firewall configured ?

 Yes we do because of <blink><b>SECURITY</b></blink>

 I'm sorry but asking if we really need iptables by default is just stupid!

LOL :)

There are no stupid questions :)

On most desktop systems a firewall is not needed. Many users do not even
know how to configure it. In fact I disable it in most of my systems,
because there is no real use for it. So I asked a simple question
whether there is a need to install iptables by default?

Your answer is not satisfactory for me - because an unconfigured
firewall has nothing to do with security. In fact, it can only bring
a false sense of security.


 Regards,

 Hans

-- 
Best regards,
Michal

Sent from my iToaster


rawhide report: 20101206 changes

2010-12-06 Thread Rawhide Report
Compose started at Mon Dec  6 08:15:05 UTC 2010

Broken deps for x86_64
--
balsa-2.4.9-1.fc15.x86_64 requires libesmtp.so.5()(64bit)
beagle-0.3.9-19.fc14.x86_64 requires libmono.so.0()(64bit)
beagle-0.3.9-19.fc14.x86_64 requires libmono.so.0(VER_1)(64bit)
db4o-7.4-2.fc13.x86_64 requires mono(Mono.GetOptions) = 0:2.0.0.0
dh-make-0.55-2.fc15.noarch requires debhelper
eog-plugins-2.30.0-2.fc14.x86_64 requires libgdata.so.7()(64bit)
esmtp-1.0-6.fc12.x86_64 requires libesmtp.so.5()(64bit)
gedit-vala-0.10.2-2.fc15.i686 requires libvala-0.10.so.0
gedit-vala-0.10.2-2.fc15.x86_64 requires libvala-0.10.so.0()(64bit)
1:gnome-bluetooth-moblin-2.91.2-1.fc15.x86_64 requires 
libmoblin-panel.so.0()(64bit)
1:gnome-games-extra-2.31.91.1-1.fc15.x86_64 requires 
libclutter-gtk-0.10.so.0()(64bit)
gnome-gmail-notifier-0.10.1-1.fc14.x86_64 requires 
libnotify.so.1()(64bit)
gnome-pilot-eds-2.32.0-1.fc14.x86_64 requires 
libcamel-1.2.so.19()(64bit)
gnome-python2-brasero-2.32.0-1.fc14.x86_64 requires 
libbrasero-burn.so.1()(64bit)
gnome-python2-brasero-2.32.0-1.fc14.x86_64 requires 
libbrasero-media.so.1()(64bit)
gnome-python2-evince-2.32.0-1.fc14.x86_64 requires 
libevdocument.so.3()(64bit)
gnome-python2-evince-2.32.0-1.fc14.x86_64 requires 
libevview.so.3()(64bit)
gnome-python2-evolution-2.32.0-1.fc14.x86_64 requires 
libcamel-1.2.so.19()(64bit)
gnome-python2-totem-2.32.0-1.fc14.x86_64 requires 
libgnome-media-profiles.so.0()(64bit)
gnome-rdp-0.2.3-6.fc12.x86_64 requires mono(Mono.Data.SqliteClient) = 
0:2.0.0.0
gpx-viewer-0.2.0-3.fc14.x86_64 requires libchamplain-0.6.so.0()(64bit)
gpx-viewer-0.2.0-3.fc14.x86_64 requires 
libclutter-gtk-0.10.so.0()(64bit)
gpx-viewer-0.2.0-3.fc14.x86_64 requires 
libchamplain-gtk-0.6.so.0()(64bit)
gshutdown-0.2-6.fc12.x86_64 requires libnotify.so.1()(64bit)
gsql-0.2.1-4.fc12.i686 requires libnotify.so.1
gsql-0.2.1-4.fc12.x86_64 requires libnotify.so.1()(64bit)
gyachi-plugin-libnotify-1.2.10-3.fc14.x86_64 requires 
libnotify.so.1()(64bit)
hornsey-1.5.2-0.3.fc15.x86_64 requires libnotify.so.1()(64bit)
hornsey-1.5.2-0.3.fc15.x86_64 requires libclutter-gtk-0.10.so.0()(64bit)
ibus-fbterm-0.9.1-10.fc15.x86_64 requires libibus.so.2()(64bit)
inkscape-0.48.0-6.fc15.x86_64 requires libwpd-0.8.so.8()(64bit)
inkscape-0.48.0-6.fc15.x86_64 requires libwpg-0.1.so.1()(64bit)
inkscape-0.48.0-6.fc15.x86_64 requires libwpg-stream-0.1.so.1()(64bit)
inkscape-view-0.48.0-6.fc15.x86_64 requires libwpd-0.8.so.8()(64bit)
inkscape-view-0.48.0-6.fc15.x86_64 requires libwpg-0.1.so.1()(64bit)
inkscape-view-0.48.0-6.fc15.x86_64 requires 
libwpg-stream-0.1.so.1()(64bit)
intellij-idea-9.0.1.94.399-12.fc15.x86_64 requires commons-collections
ircp-tray-0.7.4-1.fc14.x86_64 requires libnotify.so.1()(64bit)
java-gnome-4.0.16-3.fc14.x86_64 requires libnotify.so.1()(64bit)
3:koffice-filters-2.2.84-2.fc15.i686 requires libwpd-0.8.so.8
3:koffice-filters-2.2.84-2.fc15.i686 requires libwpg-0.1.so.1
3:koffice-filters-2.2.84-2.fc15.i686 requires libwpg-stream-0.1.so.1
3:koffice-filters-2.2.84-2.fc15.x86_64 requires libwpg-0.1.so.1()(64bit)
3:koffice-filters-2.2.84-2.fc15.x86_64 requires libwpd-0.8.so.8()(64bit)
3:koffice-filters-2.2.84-2.fc15.x86_64 requires 
libwpg-stream-0.1.so.1()(64bit)
1:libabiword-2.8.6-3.fc15.x86_64 requires libwpd-0.8.so.8()(64bit)
1:libabiword-2.8.6-3.fc15.x86_64 requires libwpg-0.1.so.1()(64bit)
libnotifymm-0.6.1-8.fc14.i686 requires libnotify.so.1
libnotifymm-0.6.1-8.fc14.x86_64 requires libnotify.so.1()(64bit)
libreoffice-core-3.2.99.3-2.fc15.x86_64 requires 
libwpd-0.8.so.8()(64bit)
libreoffice-core-3.2.99.3-2.fc15.x86_64 requires 
libwpg-0.1.so.1()(64bit)
libreoffice-writer-3.2.99.3-2.fc15.x86_64 requires 
libwpd-0.8.so.8()(64bit)
libreoffice-writer-3.2.99.3-2.fc15.x86_64 requires 
libwps-0.1.so.1()(64bit)
log4net-1.2.10-13.fc13.x86_64 requires mono(System) = 0:1.0.5000.0
log4net-1.2.10-13.fc13.x86_64 requires mono(System.Data) = 0:1.0.5000.0
log4net-1.2.10-13.fc13.x86_64 requires mono(mscorlib) = 0:1.0.5000.0
log4net-1.2.10-13.fc13.x86_64 requires mono(System.Xml) = 0:1.0.5000.0
log4net-1.2.10-13.fc13.x86_64 requires mono(System.Web) = 0:1.0.5000.0
mars-sim-2.84-6.fc14.noarch requires commons-collections
moblin-panel-media-0.0.8-0.2.fc13.x86_64 requires 
libmoblin-panel.so.0()(64bit)
moblin-panel-status-0.1.21-6.fc14.x86_64 requires 
libmoblin-panel.so.0()(64bit)
moblin-panel-status-0.1.21-6.fc14.x86_64 requires 
libsocialweb-client.so.1()(64bit)

Re: Testing Xfce 4.8 pre 2 packages available

2010-12-06 Thread Gilboa Davara
On Mon, 2010-12-06 at 00:01 +0100, Christoph Wickert wrote:
 Hi there,
 
 I have packaged Xfce 4-8 pre 2 for Fedora 14 and Rawhide. You can find
 the packages at
 
 http://repos.fedorapeople.org/repos/cwickert/xfce-4.8/

 
 The repo is far from complete. ATM it is still rsyncing and Fedora 13 is
 still building. Also a couple of applications that need a rebuild (e.g.
 xfce4-mixer) are missing and so are most of the goodies. I will continue
 to work on this.
 
 For more information on Xfce 4.8 in Fedora, please take a look at the
 feature page at https://fedoraproject.org/wiki/Features/Xfce48
 
 Feedback welcome!
 
 Regards,
 Christoph

Thanks!

Should I report missing deps?

- Gilboa



[perl-Params-Util/f14/master] - Upstream update.

2010-12-06 Thread corsepiu
commit 64bcb782e5e54d2b5c482321c4066d6e6da07393
Author: Ralf Corsépius corse...@fedoraproject.org
Date:   Mon Dec 6 13:47:35 2010 +0100

- Upstream update.

 .gitignore|1 +
 perl-Params-Util.spec |   11 +++
 sources   |2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 05b00ce..165a74c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 Params-Util-1.01.tar.gz
+/Params-Util-1.03.tar.gz
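Review bot: In the .gitignore hunk the added pattern `/Params-Util-1.03.tar.gz` is anchored to the repository root while the retained `Params-Util-1.01.tar.gz` is not, and the 1.01 tarball is dropped from `sources` by this same commit. Remove the stale 1.01 line, or at least anchor both entries the same way, so the ignore list matches what the package actually ships.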
diff --git a/perl-Params-Util.spec b/perl-Params-Util.spec
index ca093f0..9a947a8 100644
--- a/perl-Params-Util.spec
+++ b/perl-Params-Util.spec
@@ -1,6 +1,6 @@
 Name:  perl-Params-Util
-Version:   1.01
-Release:   2%{?dist}
+Version:   1.03
+Release:   1%{?dist}
 Summary:   Simple standalone param-checking functions
 License:   GPL+ or Artistic
 Group: Development/Libraries
@@ -10,10 +10,10 @@ BuildRoot:  
%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Requires:  perl(:MODULE_COMPAT_%(eval `%{__perl} -V:version`; echo 
$version))
 
-BuildRequires: perl(ExtUtils::MakeMaker) = 6.42
+BuildRequires: perl(ExtUtils::MakeMaker) = 6.52
 BuildRequires: perl(Test::More) = 0.47
 BuildRequires: perl(File::Spec) = 0.82
-BuildRequires: perl(Scalar::Util) = 1.14
+BuildRequires: perl(Scalar::Util) = 1.18
 
 %description
 Params::Util provides a basic set of importable functions that 
@@ -49,6 +49,9 @@ make test AUTOMATED_TESTING=1
 %{_mandir}/man3/*
 
 %changelog
+* Mon Dec 06 2010 Ralf Corsépius corse...@fedoraproject.org - 1.03-1
+- Upstream update.
+
 * Wed Jun 23 2010 Ralf Corsépius corse...@fedoraproject.org - 1.01-2
 - Rebuild for perl-5.12.x.
 
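Review bot: The new %changelog entry for 1.03-1 says only `- Upstream update.`, but the same commit also changes the versions required for `perl(ExtUtils::MakeMaker)` (6.42 to 6.52) and `perl(Scalar::Util)` (1.14 to 1.18). Add a changelog line recording the BuildRequires change so that someone reading the RPM changelog can see why a build against an older toolchain stops resolving.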
diff --git a/sources b/sources
index 9204388..d870f5b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-624a29683d7ea89a0bda10d7aeddca33  Params-Util-1.01.tar.gz
+9e5ae2987472f15fddf8ab806f4de867  Params-Util-1.03.tar.gz
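Review bot: The `+` line in `sources` pins the new tarball by an MD5 digest only, and nothing in the commit records where `Params-Util-1.03.tar.gz` was fetched from or what it was checked against. MD5 catches accidental corruption but is not collision resistant, so compare the tarball with the checksum CPAN publishes for the release before relying on the uploaded copy, and say in the commit message that this was done.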
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-de...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel

[perl-Params-Util/f13/master] - Upstream update.

2010-12-06 Thread corsepiu
commit 05e95199f66309e5115af2f2b55e2ea267b9a06a
Author: Ralf Corsépius corse...@fedoraproject.org
Date:   Mon Dec 6 13:47:47 2010 +0100

- Upstream update.

 .gitignore|1 +
 perl-Params-Util.spec |   13 ++---
 sources   |2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 05b00ce..165a74c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 Params-Util-1.01.tar.gz
+/Params-Util-1.03.tar.gz
diff --git a/perl-Params-Util.spec b/perl-Params-Util.spec
index 1056a42..cbafae1 100644
--- a/perl-Params-Util.spec
+++ b/perl-Params-Util.spec
@@ -1,5 +1,5 @@
 Name:  perl-Params-Util
-Version:   1.01
+Version:   1.03
 Release:   1%{?dist}
 Summary:   Simple standalone param-checking functions
 License:   GPL+ or Artistic
@@ -10,10 +10,10 @@ BuildRoot:  
%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Requires:  perl(:MODULE_COMPAT_%(eval `%{__perl} -V:version`; echo 
$version))
 
-BuildRequires: perl(ExtUtils::MakeMaker) = 6.42
+BuildRequires: perl(ExtUtils::MakeMaker) = 6.52
 BuildRequires: perl(Test::More) = 0.47
 BuildRequires: perl(File::Spec) = 0.82
-BuildRequires: perl(Scalar::Util) = 1.14
+BuildRequires: perl(Scalar::Util) = 1.18
 
 %description
 Params::Util provides a basic set of importable functions that 
@@ -49,12 +49,19 @@ make test AUTOMATED_TESTING=1
 %{_mandir}/man3/*
 
 %changelog
+* Mon Dec 06 2010 Ralf Corsépius corse...@fedoraproject.org - 1.03-1
+- Upstream update.
+
 * Fri May 07 2010 Ralf Corsépius corse...@fedoraproject.org - 1.01-1
 - Upstream update.
+- Revert Marcela's 2010-05-04 changes.
 - Remove BR's on perl(Test::MinimumVersion), perl(Test::Pod), 
   perl(Test::CPAN::Meta).
   (Reflect upstream having disabled tests depending on them).
 
+* Tue May 04 2010 Marcela Maslanova mmasl...@redhat.com - 1.00-4
+- Mass rebuild with perl-5.12.0
+
 * Mon Dec  7 2009 Stepan Kasal ska...@redhat.com - 1.00-3
 - rebuild against perl 5.10.1
 
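Review bot: Besides adding the 1.03-1 entry, this %changelog hunk edits history: it inserts `- Revert Marcela's 2010-05-04 changes.` into the existing 1.01-1 entry dated May 07 and adds a 1.00-4 entry dated May 04 below it. Neither change is mentioned in the commit message (`- Upstream update.`), and the new line does not say which changes were reverted. Put the changelog repair in its own commit or name it in the message, and state what the revert covered.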
diff --git a/sources b/sources
index 9204388..d870f5b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-624a29683d7ea89a0bda10d7aeddca33  Params-Util-1.01.tar.gz
+9e5ae2987472f15fddf8ab806f4de867  Params-Util-1.03.tar.gz

move to libreoffice?

2010-12-06 Thread Neal Becker
Since the fork, I wonder if fedora is going to follow libreoffice?



Re: move to libreoffice?

2010-12-06 Thread drago01
On Mon, Dec 6, 2010 at 2:50 PM, Neal Becker ndbeck...@gmail.com wrote:
 Since the fork, I wonder if fedora is going to follow libreoffice?

No it is not going to, it already did (in rawhide).


Fedora rawhide FTBFS status 2010-12-01 x86_64

2010-12-06 Thread Matt Domsch
Fedora Fails To Build From Source Results for x86_64
using rawhide from 2010-12-01

This is a full rebuild of all 10k packages.  Due to the RemoveSUID
feature in Fedora 15, mock can no longer use tmpfs buildroots, meaning
this run takes 4 days instead of 1.  Progress?

Full logs at http://linux.dell.com/files/fedora/FixBuildRequires/

(from F14 or earlier)
84 Open Bugs which now build, and can be marked CLOSED RAWHIDE:
alliance: [u'631414']
atlas: [u'599791']
autofs: [u'599979']
cgit: [u'599982']
choqok: [u'599953']
chunkd: [u'631073']
clustermon: [u'599836']
crossfire-maps: [u'631426']
cstream: [u'631150']
cyphesis: [u'631441']
deja-dup: [u'631028']
enlightenment: [u'631029']
etherape: [u'599804']
E: [u'600016']
farsight2: [u'631369']
festival: [u'631177']
fpc: [u'631104']
freenx-server: [u'599819']
gbdfed: [u'631395']
gdl: [u'599765']
gnu-efi: [u'631157']
gpredict: [u'631443', u'547946']
grip: [u'631382']
grub: [u'599839']
gstreamermm: [u'631084']
gtest: [u'631297']
gtkdatabox: [u'631349']
gwaei: [u'631385']
hdf: [u'631337']
jack-rack: [u'631251']
kadu: [u'599796']
kdiff3: [u'599860']
kgtk: [u'631081']
kmplayer: [u'599972']
kobby: [u'67']
koffice-langpack: [u'599824']
libclaw: [u'631088']
libfakekey: [u'631218']
libgdata: [u'631405']
libtirpc: [u'582986']
linux_logo: [u'631125']
mingw32-gtkhtml3: [u'599778']
monafont: [u'631326']
mrpt: [u'599853']
nfs-utils: [u'599960']
ocaml-lablgtk: [u'631112']
openhpi: [u'631191']
pacemaker: [u'631330']
perl-Config-Augeas: [u'631130']
perl-DBD-Multi: [u'631224']
perl-Gtk2-Notify: [u'631323']
perl-Log-Log4perl: [u'631192']
perl-Test-Email: [u'631280']
perl-Test-WWW-Selenium: [u'599931']
plee-the-bear: [u'631040']
publican-ovirt: [u'631460']
python-beaker: [u'599947']
python-lxml: [u'600036']
python-telepathy: [u'631458']
readahead: [u'631299']
ricci: [u'599840']
roxterm: [u'631243']
rpcbind: [u'599837']
R-RScaLAPACK: [u'631063']
ruby-augeas: [u'631233']
rubygem-ferret: [u'599792']
rubygem-hoe: [u'631310']
rubygem-json: [u'599827']
scantailor: [u'631389']
scribes: [u'631127']
sdcc: [u'631450']
spring: [u'599958']
starplot: [u'599772']
system-config-bind: [u'631373']
system-config-display: [u'599852']
tanukiwrapper: [u'599954']
tasque: [u'631376']
themonospot-gui-qt: [u'599921']
thunderbird: [u'631228']
tla: [u'631311']
vdr-streamdev: [u'631427']
wpa_supplicant: [u'631416']
xar: [u'599943']
xesam-glib: [u'599812']

Total packages: 10013
Number failed to build: 517
Number expected to fail due to ExclusiveArch or ExcludeArch: 27
Leaving:  490

Of those expected to have worked...
Without a bug filed: 380
--
LabPlot-1.6.0.2-8.fc12 (build/make) chitlesh,chitlesh,tnorth
NetworkManager-pptp-0.8.1-1.fc14 (build/make) dcbw,dcbw
PerceptualDiff-1.1.1-7.fc13 (build/make) kwizart
PyKDE-3.16.6-5.fc15 (build/make) rdieter,jamatos
PyMca-4.4.0-2.fc14 (build/make) jussilehtola
R-Biostrings-2.16.9-1.fc15 (build/make) pingou
R-GenomicRanges-1.0.9-2.fc15 (build/make) pingou
WindowMaker-0.92.0-20.fc12 
(missing_DSO_to_linker__http://fedoraproject.org/wiki/Features/ChangeInImplicitDSOLinking)
 awjb
adaptx-0.9.13-9.fc14 (build/make) pcheung
aether-1.7-2.fc15 (build/make) sochotni
apache-commons-jexl-2.0.1-2.fc15 (build/make) orion,java-sig
apache-commons-launcher-1.1-5.20100521svn936225.fc14 (build/make) 
mbooth,java-sig
ardour-2.8.11-5.fc15 (build/make) green,jwrdegoede,oget
autodir-0.99.9-9.fc12 (build/make) thias
automake-1.11.1-5.fc14 (build/make) karsten
avr-libc-1.7.0-1.fc14 (build/make) tnorth,trondd
azureus-4.5.1.0-1.fc15 (build/make) djuran,langel
b43-tools-0-0.5.git20090125.fc14 (build/make) peter,linville
bitmap-1.0.3-8.fc15 
(missing_DSO_to_linker__http://fedoraproject.org/wiki/Features/ChangeInImplicitDSOLinking)
 kasal,pertusus
blackbox-0.70.1-14 (build/make) thias
boo-0.9.2.3383-3.fc13 (build/make) pfj,palango
bsd-games-2.17-30.fc14 (build/make) wart
castor-0.9.5-5.fc12.1 (build/make) pcheung
cdcollect-0.6.0-10.fc13 (build/make) sharkcz
checkpolicy-2.0.22-1.fc14 (build/make) dwalsh,mgrepl
chronojump-0.8.14-1.fc12 (build/make) olea,salimma
cluttermm-0.9.6-1.fc15 (build/make) rishi
collectd-4.10.1-1.fc15 (unpackaged_files/python-egg-info?) 
rjones,apevec,virtmaint
compiz-0.8.6-3.fc15 (build/make) drago01
conglomerate-0.9.1-7.fc12 (build/make) jamatos
contacts-0.12-1.fc15 (build/make) jkeating,pbrobinson
cssparser-0.9.5-1.fc14 (build/make) akurtakov,jlaska
ctapi-cyberjack-3.3.0-8.fc14 (build/make) frankb
cuetools-1.4.0-0.5.svn305.fc14 (build/make) stingray
curry-0.9.11-7.fc12 (build/make) orphan
dates-0.4.11-7.fc15 (build/make) pbrobinson
dbh-1.0.24-9.fc12 (build/make) subhodip
dejavu-fonts-2.32-1.fc15 (build/make) nim,fonts-sig
detox-1.2.0-2.fc14 (build/make) slankes
dev86-0.16.17-16.fc14 (build/make) jnovy
devilspie-0.22-5.fc14 (build/make) svahl
dfu-util-0.1-0.11.fc14 (build/make) tuju,jreznik
dirac-1.0.2-3.fc12 (build/make) kwizart
diveintopython-5.4-18.fc15 (build/make) devrim
dnstop-20090128-1.fc13 (build/make) konradm
dumbster-1.6-9.fc12 

Fedora rawhide FTBFS status 2010-12-01 i386

2010-12-06 Thread Matt Domsch
Fedora Fails To Build From Source Results for i386
using rawhide from 2010-12-01

This is a full rebuild of all 10k packages.  Due to the RemoveSUID
feature in Fedora 15, mock can no longer use tmpfs buildroots, meaning
this run takes 4 days instead of 1.  Progress?

Full logs at http://linux.dell.com/files/fedora/FixBuildRequires/

(from F14 or earlier)
84 Open Bugs which now build, and can be marked CLOSED RAWHIDE:
alliance: [u'631414']
atlas: [u'599791']
autofs: [u'599979']
cgit: [u'599982']
choqok: [u'599953']
chunkd: [u'631073']
clustermon: [u'599836']
crossfire-maps: [u'631426']
cstream: [u'631150']
cyphesis: [u'631441']
deja-dup: [u'631028']
enlightenment: [u'631029']
etherape: [u'599804']
E: [u'600016']
farsight2: [u'631369']
festival: [u'631177']
fpc: [u'631104']
freenx-server: [u'599819']
gbdfed: [u'631395']
gdl: [u'599765']
gnu-efi: [u'631157']
gpredict: [u'631443', u'547946']
grip: [u'631382']
grub: [u'599839']
gstreamermm: [u'631084']
gtest: [u'631297']
gtkdatabox: [u'631349']
gwaei: [u'631385']
hdf: [u'631337']
jack-rack: [u'631251']
kadu: [u'599796']
kdiff3: [u'599860']
kgtk: [u'631081']
kmplayer: [u'599972']
kobby: [u'67']
koffice-langpack: [u'599824']
libclaw: [u'631088']
libfakekey: [u'631218']
libgdata: [u'631405']
libtirpc: [u'582986']
linux_logo: [u'631125']
mingw32-gtkhtml3: [u'599778']
monafont: [u'631326']
mrpt: [u'599853']
nfs-utils: [u'599960']
ocaml-lablgtk: [u'631112']
openhpi: [u'631191']
pacemaker: [u'631330']
perl-Config-Augeas: [u'631130']
perl-DBD-Multi: [u'631224']
perl-Gtk2-Notify: [u'631323']
perl-Log-Log4perl: [u'631192']
perl-Test-Email: [u'631280']
perl-Test-WWW-Selenium: [u'599931']
plee-the-bear: [u'631040']
publican-ovirt: [u'631460']
python-beaker: [u'599947']
python-lxml: [u'600036']
python-telepathy: [u'631458']
readahead: [u'631299']
ricci: [u'599840']
roxterm: [u'631243']
rpcbind: [u'599837']
R-RScaLAPACK: [u'631063']
ruby-augeas: [u'631233']
rubygem-ferret: [u'599792']
rubygem-hoe: [u'631310']
rubygem-json: [u'599827']
scantailor: [u'631389']
scribes: [u'631127']
sdcc: [u'631450']
spring: [u'599958']
starplot: [u'599772']
system-config-bind: [u'631373']
system-config-display: [u'599852']
tanukiwrapper: [u'599954']
tasque: [u'631376']
themonospot-gui-qt: [u'599921']
thunderbird: [u'631228']
tla: [u'631311']
vdr-streamdev: [u'631427']
wpa_supplicant: [u'631416']
xar: [u'599943']
xesam-glib: [u'599812']

Total packages: 10014
Number failed to build: 507
Number expected to fail due to ExclusiveArch or ExcludeArch: 15
Leaving:  492

Of those expected to have worked...
Without a bug filed: 381
--
LabPlot-1.6.0.2-8.fc12 (build/make) chitlesh,chitlesh,tnorth
NetworkManager-pptp-0.8.1-1.fc14 (build/make) dcbw,dcbw
OpenSceneGraph-2.8.3-5.fc15 (build/make) corsepiu
PerceptualDiff-1.1.1-7.fc13 (build/make) kwizart
PyKDE-3.16.6-5.fc15 (build/make) rdieter,jamatos
PyMca-4.4.0-2.fc14 (build/make) jussilehtola
R-Biostrings-2.16.9-1.fc15 (build/make) pingou
R-GenomicRanges-1.0.9-2.fc15 (build/make) pingou
WindowMaker-0.92.0-20.fc12 
(missing_DSO_to_linker__http://fedoraproject.org/wiki/Features/ChangeInImplicitDSOLinking)
 awjb
adaptx-0.9.13-9.fc14 (build/make) pcheung
aether-1.7-2.fc15 (build/make) sochotni
anjuta-2.31.90.0-4.fc15 (build/make) rishi,rakesh
apache-commons-jexl-2.0.1-2.fc15 (build/make) orion,java-sig
apache-commons-launcher-1.1-5.20100521svn936225.fc14 (build/make) 
mbooth,java-sig
ardour-2.8.11-5.fc15 (build/make) green,jwrdegoede,oget
autodir-0.99.9-9.fc12 (build/make) thias
automake-1.11.1-5.fc14 (build/make) karsten
avr-libc-1.7.0-1.fc14 (build/make) tnorth,trondd
azureus-4.5.1.0-1.fc15 (build/make) djuran,langel
b43-tools-0-0.5.git20090125.fc14 (build/make) peter,linville
bitmap-1.0.3-8.fc15 
(missing_DSO_to_linker__http://fedoraproject.org/wiki/Features/ChangeInImplicitDSOLinking)
 kasal,pertusus
blackbox-0.70.1-14 (build/make) thias
boo-0.9.2.3383-3.fc13 (build/make) pfj,palango
bsd-games-2.17-30.fc14 (build/make) wart
buildbot-0.7.12-4.fc15 (build/make) giallu,dmalcolm,smilner
castor-0.9.5-5.fc12.1 (build/make) pcheung
cdcollect-0.6.0-10.fc13 (build/make) sharkcz
checkpolicy-2.0.22-1.fc14 (build/make) dwalsh,mgrepl
chronojump-0.8.14-1.fc12 (build/make) olea,salimma
cluttermm-0.9.6-1.fc15 (build/make) rishi
collectd-4.10.1-1.fc15 (unpackaged_files/python-egg-info?) 
rjones,apevec,virtmaint
compiz-0.8.6-3.fc15 (build/make) drago01
conglomerate-0.9.1-7.fc12 (build/make) jamatos
contacts-0.12-1.fc15 (build/make) jkeating,pbrobinson
cssparser-0.9.5-1.fc14 (build/make) akurtakov,jlaska
ctapi-cyberjack-3.3.0-8.fc14 (build/make) frankb
cuetools-1.4.0-0.5.svn305.fc14 (build/make) stingray
curry-0.9.11-7.fc12 (build/make) orphan
dates-0.4.11-7.fc15 (build/make) pbrobinson
dbh-1.0.24-9.fc12 (build/make) subhodip
dejavu-fonts-2.32-1.fc15 (build/make) nim,fonts-sig
detox-1.2.0-2.fc14 (build/make) slankes
dev86-0.16.17-16.fc14 (build/make) jnovy
devilspie-0.22-5.fc14 (build/make) svahl
dfu-util-0.1-0.11.fc14 (build/make) 

Firewall

2010-12-06 Thread Matt McCutchen
On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote: 
 On most desktop systems a firewall is not needed. Many users do not even
 know how to configure it. In fact I disable it in most of my systems,
 because there is no real use for it. So I asked a simple question
 whether there is a need to install iptables by default?
 
 Your answer is not satisfactory for me - because an unconfigured
 firewall has nothing to do with security. In fact, it can only bring
 a false sense of security.

I believe the default is to block incoming connections except for a few
services.  This is good if you are running a sloppily written
single-user server that binds to the wildcard address.  The Haskell
Scion server fell in this category as of August 2009; I didn't look to
see what a remote user might be able to do to me by connecting to it.
Yes, the proper way to avoid problems is to bind to localhost, but the
firewall can be nice.

-- 
Matt



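The difference between a wildcard bind and a localhost bind, and what a default-deny firewall adds on top, can be checked from the kernel's socket table. The following is an added example, not part of the original thread: it parses rows in /proc/net/tcp and /proc/net/tcp6 layout and marks each listener as local-only, exposed, or protected only by the firewall. The sample rows, port 4001 and the allowed-port set {22} are constructed assumptions, and a little-endian host is assumed.

```python
"""Audit TCP listeners: which are loopback-only, and which lean on the firewall."""
import ipaddress
import struct

LISTEN = "0A"  # state code of a listening socket in /proc/net/tcp and tcp6

# Constructed sample rows (trailing columns omitted), not taken from a real host.
# Ports in hex: 0016=22, 0277=631, 0FA1=4001, 1F90=8080.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002
   2: 00000000:0FA1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11003
   3: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11004
   4: 0A00000A:0016 0B00000A:C001 01 00000000:00000000 02:000A0000 00000000     0        0 11005
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11006
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11007
"""


def decode_addr(hex_addr):
    """Decode the kernel's hex address (8 digits for IPv4, 32 for IPv6).

    Each 32-bit word is printed in host byte order; little-endian is assumed.
    """
    words = [hex_addr[i:i + 8] for i in range(0, len(hex_addr), 8)]
    raw = b"".join(struct.pack("<I", int(w, 16)) for w in words)
    return ipaddress.ip_address(raw)


def listeners(proc_text):
    """Return (address, port, uid) for every socket in LISTEN state."""
    found = []
    for line in proc_text.splitlines():
        f = line.split()
        # Skip the header row, short rows and sockets that are not listening.
        if len(f) < 10 or not f[0].endswith(":") or f[3] != LISTEN:
            continue
        hex_addr, hex_port = f[1].split(":")
        found.append((decode_addr(hex_addr), int(hex_port, 16), int(f[7])))
    return found


def audit(proc_texts, allowed_in, firewall_on=True):
    """Classify each listener.

    allowed_in is the set of TCP ports the firewall accepts from outside;
    all other inbound ports are assumed to be dropped while it is on.
    """
    rows = []
    for text in proc_texts:
        for addr, port, uid in listeners(text):
            if addr.is_loopback:
                verdict = "local-only"      # bound to 127.0.0.1 or ::1
            elif not firewall_on or port in allowed_in:
                verdict = "exposed"         # reachable from the network
            else:
                verdict = "firewall-only"   # wildcard bind hidden by the filter
            rows.append((str(addr), port, uid, verdict))
    return rows


if __name__ == "__main__":
    # On a live host, pass the contents of /proc/net/tcp and /proc/net/tcp6.
    for row in audit([SAMPLE_TCP, SAMPLE_TCP6], allowed_in={22}):
        print("%-10s port %-5d uid %-5d %s" % row)
```

Rows marked firewall-only are the services that become reachable the moment the packet filter is removed or disabled; rebinding them to localhost removes that dependency.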
Re: old_testing_critpath notifications

2010-12-06 Thread Adam Williamson
On Sun, 2010-12-05 at 09:41 -0600, Bruno Wolff III wrote:
 On Thu, Dec 02, 2010 at 11:48:13 -0800,
   Adam Williamson awill...@redhat.com wrote:
  
  I think it'd probably fit better in the preamble before step 1. Perhaps
  after the paragraph 'As a Contributor, you should...' we add a paragraph
  explaining that as a packager you will automatically be given
  proventester privileges, a short explanation of the proventester
  concept, and a link out to the proventester page requesting that you
  read those instructions.
 
 If we go down this route I'd rather see packagers have a way they can
 get proven tester status without needing mentor approval, but not just get
 it. I'd rather have a place where you read up on the expectations for
 proven testers and then click a button that says I'll do that.

Practically speaking that would change very little, because we're not
blocked on getting moderator approval at present. Thankfully a lot of
people are taking up the moderator duties, so anyone who actually
applies to be a proventester usually gets a reply from a moderator
almost immediately. The idea is to remove the active 'apply for the
status' step from developers.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Kevin Fenzi
On Mon, 6 Dec 2010 06:34:45 +0100
Michał Piotrowski mkkp...@gmail.com wrote:

 Hi,
 
 On 3 December 2010 at 09:14, Michał Piotrowski
 mkkp...@gmail.com wrote:
 [..]
  What services are installed by default when installing from Live
  GNOME/KDE/etc and DVD?
 
 Ok, let's ask the question differently - what services should be run
 by default to provide working system for desktop user?

Perhaps we can ask this even more differently: 

What are you trying to do? What's your high level goal here?
Boot speed? Number of packages installed? 

 IMO ssh can be off by default and should be started only if user tries
 to connect over port 22.

If systemd will allow us to do that, sure. 

 Do we really need to install iptables/ip6tables by default (it's in
 core group)?

Yes, I think so. Either firewall by default, or we need to make sure
nothing is running that listens externally to reduce security
footprint, IMHO. 

kevin



Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Bill Nottingham
Kevin Fenzi (ke...@scrye.com) said: 
  IMO ssh can be off by default and should be started only if user tries
  to connect over port 22.
 
 If systemd will allow us to do that, sure. 

What's the point here? For example, this doesn't cut down on the number
of listening ports, obviously, nor on the requirements for root passwords
and potential root login. And if it's started in parallel, I doubt it's a
huge drain on resources.

Bill


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Michał Piotrowski
On 6 December 2010 at 18:01, Kevin Fenzi ke...@scrye.com wrote:
 On Mon, 6 Dec 2010 06:34:45 +0100
 Michał Piotrowski mkkp...@gmail.com wrote:

 Hi,

 On 3 December 2010 at 09:14, Michał Piotrowski
 mkkp...@gmail.com wrote:
 [..]
  What services are installed by default when installing from Live
  GNOME/KDE/etc and DVD?

 Ok, let's ask the question differently - what services should be run
 by default to provide working system for desktop user?

 Perhaps we can ask this even more differently:

 What are you trying to do?

I'm trying to convert sysvinit scripts to systemd services (as many as possible)

 What's your high level goal here?
 Boot speed? Number of packages installed?

I know it will not be possible to convert all sysvinit scripts for
F15, but at least we can try to provide full systemd experience for
most common configurations.

-- 
Best regards,
Michal

Sent from my iToaster


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Michał Piotrowski
2010/12/6 Bill Nottingham nott...@redhat.com:
 Kevin Fenzi (ke...@scrye.com) said:
  IMO ssh can be off by default and should be started only if user tries
  to connect over port 22.

 If systemd will allow us to do that, sure.

 What's the point here? For example, this doesn't cut down on the number
 of listening ports, obviously, nor on the requirements for root passwords
 and potential root login. And if it's started in parallel, I doubt it's a
 huge drain on resources.

For a fast and efficient boot-up two things are crucial:

* To start less.
* And to start more in parallel.

http://0pointer.de/blog/projects/systemd.html

IMO start less philosophy is a good thing.


 Bill

-- 
Best regards,
Michal

Sent from my iToaster


[perl-Class-InsideOut] - Remove BR: perl. - Add BR: perl(Class::ISA) (Fix FTBS).

2010-12-06 Thread corsepiu
commit 6baa11d39bd5bd51d72c783464bd64df0fe8ae2d
Author: Ralf Corsépius corse...@fedoraproject.org
Date:   Mon Dec 6 18:24:04 2010 +0100

- Remove BR: perl.
- Add BR: perl(Class::ISA) (Fix FTBS).

 perl-Class-InsideOut.spec |9 +++--
 1 files changed, 7 insertions(+), 2 deletions(-)
---
diff --git a/perl-Class-InsideOut.spec b/perl-Class-InsideOut.spec
index 193f7c9..0945d67 100644
--- a/perl-Class-InsideOut.spec
+++ b/perl-Class-InsideOut.spec
@@ -1,6 +1,6 @@
 Name:   perl-Class-InsideOut
 Version:1.10
-Release:2%{?dist}
+Release:3%{?dist}
 Summary:A safe, simple inside-out object construction kit 
 
 Group:  Development/Libraries
@@ -10,9 +10,10 @@ Source0: 
http://search.cpan.org/CPAN/authors/id/D/DA/DAGOLDEN/Class-InsideOut-%{
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:  noarch
-BuildRequires:  perl, dos2unix
+BuildRequires:  dos2unix
 BuildRequires:  perl(ExtUtils::MakeMaker)
 BuildRequires:  perl(Test::More)
+BuildRequires:  perl(Class::ISA)
 Requires:  perl(:MODULE_COMPAT_%(eval `%{__perl} -V:version`; echo $version))
 
 %description
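Review bot: The added BuildRequires: perl(Class::ISA) has no runtime counterpart in this hunk; the only Requires shown is the perl(:MODULE_COMPAT_...) line. If the module loads Class::ISA when it runs rather than only in its test suite, confirm that rpm's automatic Perl dependency generator picks it up, or add an explicit Requires: perl(Class::ISA). Separately, that Requires line still evaluates %{__perl} at build time, so with the explicit BR on perl removed the interpreter now arrives only as a dependency of the remaining perl(...) BuildRequires; that works, but it deserves a sentence in the commit message.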
@@ -83,6 +84,10 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Mon Dec 06 2010 Ralf Corsépius corse...@fedora.org - 1.10-3
+- Remove BR: perl.
+- Add BR: perl(Class::ISA) (Fix FTBS).
+
 * Fri Apr 30 2010 Marcela Maslanova mmasl...@redhat.com - 1.10-2
 - Mass rebuild with perl-5.12.0
 
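Review bot: The new %changelog entry gives the packager address at fedora.org, while the commit's Author header uses fedoraproject.org; one of the two is presumably a typo, and the changelog should carry the address that actually receives mail. The entry also says "Fix FTBS"; if the usual abbreviation FTBFS (fails to build from source) is meant, spell it that way so the entry can be found by search.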
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-de...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel

Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Kevin Fenzi
On Mon, 6 Dec 2010 18:17:51 +0100
Michał Piotrowski mkkp...@gmail.com wrote:

 On 6 December 2010 at 18:01, Kevin Fenzi ke...@scrye.com
 wrote:

...snip...

  What are you trying to do?
 
 I'm trying to convert sysvinit scripts to systemd services (as many
 as possible)

If you're trying to determine what units should be enabled by default,
please talk to the Fedora Packaging Committee.

See also: 
https://fedorahosted.org/fesco/ticket/504

Where fesco decided:

Default is off, exceptions exist to allow proper functioning of the
os. FPC to document exceptions and process exception requests.

FPC was going to work on an exceptions list I think...

kevin



Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Michał Piotrowski
On 6 December 2010 at 18:43, Kevin Fenzi ke...@scrye.com wrote:
 On Mon, 6 Dec 2010 18:17:51 +0100
 Michał Piotrowski mkkp...@gmail.com wrote:

 On 6 December 2010 at 18:01, Kevin Fenzi ke...@scrye.com
 wrote:

 ...snip...

  What are you trying to do?

 I'm trying to convert sysvinit scripts to systemd services (as many
 as possible)

 If you're trying to determine what units should be enabled by default,
 please talk to the Fedora Packaging Committee.

 See also:
 https://fedorahosted.org/fesco/ticket/504

 Where fesco decided:

 Default is off, exceptions exist to allow proper functioning of the
 os. FPC to document exceptions and process exception requests.

 FPC was going to work on an exceptions list I think...

This list will be useful.

Dear FPC people, could you provide this list in the near future?


 kevin





-- 
Best regards,
Michal

Sent from my iToaster


Re: old_testing_critpath notifications

2010-12-06 Thread Bruno Wolff III
On Mon, Dec 06, 2010 at 08:57:42 -0800,
  Adam Williamson awill...@redhat.com wrote:
 
 practically speaking that would change very little, because we're not
 blocked on getting moderator approval at present. Thankfully a lot of
 people are taking up the moderator duties, so anyone who actually
 applies to be a proventester usually gets a reply from a moderator
 almost immediately. The idea is to remove the active 'apply for the
 status' step from developers.

I am concerned about that. If my karma is going to be treated differently
because I become a proventester, I'd want to know what I am supposed to be
doing differently and not mark something +1 by mistake. I think this concern
goes away in the unicorn filled world where bodhi has descriptive feedback
instead of numerical feedback.


Re: Firewall

2010-12-06 Thread Richard W.M. Jones
On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
 On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote: 
  On most desktop systems firewall is not needed. Many users do not even
  know how to configure it. In fact I disable it in most of my systems,
  because there is no real use for it. So I asked a simple question
  whether there is a need to install iptables by default?
  
  Your answer is not satisfactory for me - because not configured
  firewall has nothing to do with security. In fact, it can only bring
  false sense of security.
 
 I believe the default is to block incoming connections except for a few
 services.  This is good if you are running a sloppily written
 single-user server that binds to the wildcard address.  The Haskell
 Scion server fell in this category as of August 2009; I didn't look to
 see what a remote user might be able to do to me by connecting to it.
 Yes, the proper way to avoid problems is to bind to localhost, but the
 firewall can be nice.

It would be nice if the firewall automatically followed services that
I have enabled and disabled.  eg. If I explicitly enable the
webserver, it should open the corresponding port(s).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/

Re: Firewall

2010-12-06 Thread Miloslav Trmač
Richard W.M. Jones wrote on Mon, 06. 12. 2010 at 18:04 +:
 On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
  On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote: 
   On most desktop systems firewall is not needed. Many users do not even
   know how to configure it. In fact I disable it in most of my systems,
   because there is no real use for it. So I asked a simple question
   whether there is a need to install iptables by default?
   
   Your answer is not satisfactory for me - because not configured
   firewall has nothing to do with security. In fact, it can only bring
   false sense of security.
  
  I believe the default is to block incoming connections except for a few
  services.  This is good if you are running a sloppily written
  single-user server that binds to the wildcard address.  The Haskell
  Scion server fell in this category as of August 2009; I didn't look to
  see what a remote user might be able to do to me by connecting to it.
  Yes, the proper way to avoid problems is to bind to localhost, but the
  firewall can be nice.
 
 It would be nice if the firewall automatically followed services that
 I have enabled and disabled.  eg. If I explicitly enable the
 webserver, it should open the corresponding port(s).
Just disable the firewall and you'll get pretty much equivalent
functionality.
Mirek


[perl-Package-Stash-XS] Created tag perl-Package-Stash-XS-0.17-2.fc14

2010-12-06 Thread Paul Howarth
The lightweight tag 'perl-Package-Stash-XS-0.17-2.fc14' was created pointing to:

 4f3db6b... Initial import of perl-Package-Stash-XS-0.17-2


[perl-Package-Stash-XS/f13/master] Initial import of perl-Package-Stash-XS-0.17-2

2010-12-06 Thread Paul Howarth
Summary of changes:

  4f3db6b... Initial import of perl-Package-Stash-XS-0.17-2 (*)

(*) This commit already existed in another branch; no separate mail sent


[perl-Package-Stash-XS/el5/master] Initial import of perl-Package-Stash-XS-0.17-2

2010-12-06 Thread Paul Howarth
Summary of changes:

  4f3db6b... Initial import of perl-Package-Stash-XS-0.17-2 (*)

(*) This commit already existed in another branch; no separate mail sent


[perl-Package-Stash-XS/el4/master] Initial import of perl-Package-Stash-XS-0.17-2

2010-12-06 Thread Paul Howarth
Summary of changes:

  4f3db6b... Initial import of perl-Package-Stash-XS-0.17-2 (*)

(*) This commit already existed in another branch; no separate mail sent


[perl-Package-Stash-XS] Created tag perl-Package-Stash-XS-0.17-2.el4

2010-12-06 Thread Paul Howarth
The lightweight tag 'perl-Package-Stash-XS-0.17-2.el4' was created pointing to:

 4f3db6b... Initial import of perl-Package-Stash-XS-0.17-2


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Bill Nottingham
Michał Piotrowski (mkkp...@gmail.com) said: 
  If systemd will allow us to do that, sure.
 
  What's the point here? For example, this doesn't cut down on the number
  of listening ports, obviously, nor on the requirements for root passwords
  and potential root login. And if it's started in parallel, I doubt it's a
  huge drain on resources.
 
 For a fast and efficient boot-up two things are crucial:
 
 * To start less.
 * And to start more in parallel.
 
 http://0pointer.de/blog/projects/systemd.html
 
 IMO start less philosophy is a good thing.

Yes. However, I'm leery of adding too many drastic changes that don't have
upstream buy-in yet. What's upstream openssh's opinion on socket activation?

Bill

Re: Firewall

2010-12-06 Thread Jesse Keating
On 12/06/2010 10:07 AM, Miloslav Trmač wrote:
 Richard W.M. Jones wrote on Mon, 06. 12. 2010 at 18:04 +:
 On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
 On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote: 
 On most desktop systems firewall is not needed. Many users do not even
 know how to configure it. In fact I disable it in most of my systems,
 because there is no real use for it. So I asked a simple question
 whether there is a need to install iptables by default?

 Your answer is not satisfactory for me - because not configured
 firewall has nothing to do with security. In fact, it can only bring
 false sense of security.

 I believe the default is to block incoming connections except for a few
 services.  This is good if you are running a sloppily written
 single-user server that binds to the wildcard address.  The Haskell
 Scion server fell in this category as of August 2009; I didn't look to
 see what a remote user might be able to do to me by connecting to it.
 Yes, the proper way to avoid problems is to bind to localhost, but the
 firewall can be nice.

 It would be nice if the firewall automatically followed services that
 I have enabled and disabled.  eg. If I explicitly enable the
 webserver, it should open the corresponding port(s).
 Just disable the firewall and you'll get pretty much equivalent
 functionality.
   Mirek
 

Right, I always struggle with this.  If you allow services that bind to
a port once enabled to have the port open, then what good does it do to
have the port closed?

I really wonder what real purpose a firewall serves on these machines.
Once you get past the ZOMG WE NEED A FIREWALL

I can somewhat see a firewall trying to protect a system from a user
process that got launched without the user being aware and binding to a
high port for nefarious reasons, but how do you balance that with the
legitimate applications that bind to high ports?

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

Re: Firewall

2010-12-06 Thread Daniel P. Berrange
On Mon, Dec 06, 2010 at 11:00:53AM -0800, Jesse Keating wrote:
 On 12/06/2010 10:07 AM, Miloslav Trmač wrote:
  Richard W.M. Jones wrote on Mon, 06. 12. 2010 at 18:04 +:
  On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
  On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote: 
  On most desktop systems firewall is not needed. Many users do not even
  know how to configure it. In fact I disable it in most of my systems,
  because there is no real use for it. So I asked a simple question
  whether there is a need to install iptables by default?
 
  Your answer is not satisfactory for me - because not configured
  firewall has nothing to do with security. In fact, it can only bring
  false sense of security.
 
  I believe the default is to block incoming connections except for a few
  services.  This is good if you are running a sloppily written
  single-user server that binds to the wildcard address.  The Haskell
  Scion server fell in this category as of August 2009; I didn't look to
  see what a remote user might be able to do to me by connecting to it.
  Yes, the proper way to avoid problems is to bind to localhost, but the
  firewall can be nice.
 
  It would be nice if the firewall automatically followed services that
  I have enabled and disabled.  eg. If I explicitly enable the
  webserver, it should open the corresponding port(s).
  Just disable the firewall and you'll get pretty much equivalent
  functionality.
  Mirek
  
 
 Right, I always struggle with this.  If you allow services that bind to
 a port once enabled to have the port open, then what good does it do to
 have the port closed?
 
 I really wonder what real purpose a firewall serves on these machines.
 Once you get past the ZOMG WE NEED A FIREWALL
 
 I can somewhat see a firewall trying to protect a system from a user
 process that got launched without the user being aware and binding to a
 high port for nefarious reasons, but how do you balance that with the
 legitimate applications that bind to high ports?

The other benefit would be if the user only intended the
service to be accessible to localhost, or a UNIX domain
socket but for some reason screwed up their service's
config & opened it to the world.

Daniel
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
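
The wildcard-versus-localhost binding problem raised in this thread can be checked directly on a Linux host. The script below is an added example, not part of the thread: it parses the /proc/net/tcp and /proc/net/tcp6 text format, classifies each listening socket by bind scope, and separates the listeners that a packet filter admits from those that only the filter is holding back. It assumes a little-endian host; the sample table contents and the open-port set {22} are constructed stand-ins for a real host and its default rule set.

```python
"""Audit listening TCP sockets: which are bound beyond loopback?

Parses the text format of /proc/net/tcp and /proc/net/tcp6 (Linux).
Assumption: little-endian host (x86, most ARM), where the kernel prints
each 32-bit word of the address byte-swapped.
"""
import ipaddress
import struct
from typing import NamedTuple

TCP_LISTEN = 0x0A  # state code for LISTEN in /proc/net/tcp*


class Listener(NamedTuple):
    address: str
    port: int
    uid: int
    scope: str  # "wildcard", "loopback" or "specific"


def _decode_address(hex_addr):
    # 8 hex digits = IPv4, 32 hex digits = IPv6; undo the per-word byte swap.
    words = [hex_addr[i:i + 8] for i in range(0, len(hex_addr), 8)]
    raw = b"".join(struct.pack("<I", int(w, 16)) for w in words)
    if len(raw) == 4:
        return ipaddress.IPv4Address(raw)
    return ipaddress.IPv6Address(raw)


def parse_listeners(proc_text):
    """Return a Listener for every socket in LISTEN state."""
    listeners = []
    for line in proc_text.splitlines():
        fields = line.split()
        # Data rows start with "N:"; this also skips the column header.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        addr = _decode_address(hex_addr)
        if addr.is_unspecified:
            scope = "wildcard"      # 0.0.0.0 or :: (every interface)
        elif addr.is_loopback:
            scope = "loopback"      # 127.0.0.0/8 or ::1
        else:
            scope = "specific"      # one configured interface address
        listeners.append(
            Listener(str(addr), int(hex_port, 16), int(fields[7]), scope))
    return listeners


def audit(listeners, firewall_open_ports):
    """Split non-loopback listeners by whether the packet filter admits them.

    reachable: bound beyond loopback AND the port is open in the filter.
    filtered:  bound beyond loopback, kept private only by the filter.
    """
    reachable, filtered = [], []
    for lsn in listeners:
        if lsn.scope == "loopback":
            continue
        if lsn.port in firewall_open_ports:
            reachable.append(lsn)
        else:
            filtered.append(lsn)
    return reachable, filtered


# Constructed sample data (not captured from a real machine).
_TAIL = " 00000000:0000 0A 00000000:00000000 00:00000000 00000000"
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when"
    " retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016" + _TAIL + "     0        0 11111 1\n"   # sshd
    "   1: 0100007F:0277" + _TAIL + "     0        0 22222 1\n"   # cupsd
    "   2: 00000000:1F90" + _TAIL + "  1000        0 33333 1\n"   # user tool
    "   3: 0A01A8C0:D431 5DB8D822:01BB 01 00000000:00000000"
    " 00:00000000 00000000  1000        0 44444 1\n"              # client conn
)
_TAIL6 = " " + "0" * 32 + ":0000 0A 00000000:00000000 00:00000000 00000000"
SAMPLE_TCP6 = (
    "  sl  local_address remote_address st tx_queue rx_queue tr tm->when"
    " retrnsmt   uid  timeout inode\n"
    "   0: " + "0" * 32 + ":0016" + _TAIL6 + "     0        0 55555 1\n"
    "   1: " + "0" * 24 + "01000000:0019" + _TAIL6 + "     0        0 66666 1\n"
)

if __name__ == "__main__":
    found = parse_listeners(SAMPLE_TCP) + parse_listeners(SAMPLE_TCP6)
    reachable, filtered = audit(found, firewall_open_ports={22})
    for lsn in reachable:
        print(f"open to network : {lsn.address} port {lsn.port} uid {lsn.uid}")
    for lsn in filtered:
        print(f"firewall only   : {lsn.address} port {lsn.port} uid {lsn.uid}")
```

On a live system, pass the contents of /proc/net/tcp and /proc/net/tcp6 instead of the samples; every entry in the second list is a candidate for rebinding to localhost.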

Re: Firewall

2010-12-06 Thread Jesse Keating
On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
 Jesse Keating wrote on Mon, 06. 12. 2010 at 11:00 -0800:
 Right, I always struggle with this.  If you allow services that bind to
 a port once enabled to have the port open, then what good does it do to
 have the port closed?

 I really wonder what real purpose a firewall serves on these machines.
 Once you get past the ZOMG WE NEED A FIREWALL
 
 I can see the following primary reasons to have a firewall:
 
   * Enforcing a sysadmin-set (system-wide or site-wide) policy.
 
 No, you will not run any bittorrent client on the company's
 computer.

That's an excellent reason for being able to deploy a firewall.  Not
really sure this is a good reason for having a firewall configured by
default on personal installs.

 
   * A speed bump that requires an independent action to prevent
 unintentionally opening up a service.
 
 You have started $server, and it accepts connections from the
 whole internet.  Here's your chance to think about this again.
 Do you want to open the port?

Yet we don't have that kind of UI present.  So instead now we have
people trying to turn on services, having it not work, and spending time
/ energy fiddling with config files before they finally realize it was
the firewall.  Then they just turn it off and grumble.  At least the
other OS gives you a pop up to let some service through, although there
are problems with that too.

 
   * ZOMG WE NEED A FIREWALL
 
 I can't use this Linux thing, my bank requires me to run an
 antivirus and a firewall.

Fair enough, again reasons for being capable of having one, but not
convinced it's needed by default.  (I realize I wasn't making a default
or not argument in my first email)

 
 Are there other reasons?
   Mirek
 


-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

Re: Firewall

2010-12-06 Thread Jesse Keating
On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
 The other benefit would be if the user only intended the
 service to be accessible to localhost, or a UNIX domain
 socket but for some reason screwed up their service's
 config & opened it to the world.
 

I could buy this if we actually alerted users to this, when in fact we
/disable/ logging in the default firewall set, so your packets just
magically disappear  leaving the user scratching their head as to why
the hell things aren't working.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

Re: Firewall

2010-12-06 Thread Matthew Miller
On Mon, Dec 06, 2010 at 08:09:29PM +0100, Miloslav Trmač wrote:
 I can see the following primary reasons to have a firewall:
   * Enforcing a sysadmin-set (system-wide or site-wide) policy.
 No, you will not run any bittorrent client on the company's
 computer.
 
   * A speed bump that requires an independent action to prevent
 unintentionally opening up a service.
 
 You have started $server, and it accepts connections from the
 whole internet.  Here's your chance to think about this again.
 Do you want to open the port?

The question implies some sort of GUI pop-up. More likely is the incidental
installation of something. Does Gnome still pull in Apache for peer-to-peer
filesharing? Or some other package misconfigured to listen when it
shouldn't. Installing a firewall by default contributes to defense in depth
at relatively little cost.

   * ZOMG WE NEED A FIREWALL
 I can't use this Linux thing, my bank requires me to run an
 antivirus and a firewall.

And don't underestimate that need -- more places than banks have similar
requirements.

 Are there other reasons?

Programs like fail2ban use the packet filter to block aggressive brute-force
attempts. But I don't think any of them require an existing configuration of
some sort -- they just do their own thing on top of whatever is there.


-- 
Matthew Miller mat...@mattdm.org
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences

Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Michał Piotrowski
2010/12/6 Bill Nottingham nott...@redhat.com:
 Michał Piotrowski (mkkp...@gmail.com) said:
  If systemd will allow us to do that, sure.
 
  What's the point here? For example, this doesn't cut down on the number
  of listening ports, obviously, nor on the requirements for root passwords
  and potential root login. And if it's started in parallel, I doubt it's a
  huge drain on resources.

 For a fast and efficient boot-up two things are crucial:

     * To start less.
     * And to start more in parallel.

 http://0pointer.de/blog/projects/systemd.html

 IMO start less philosophy is a good thing.

 Yes. However, I'm leery of adding too many drastic changes that don't have
 upstream buy-in yet.

I understand your POV.

 What's upstream openssh's opinion on socket activation?

Does openssh stand out as something special among other daemons?


 Bill



-- 
Best regards,
Michal

Sent from my iToaster


Re: Firewall

2010-12-06 Thread Jesse Keating
On 12/06/2010 11:20 AM, Matthew Miller wrote:
 Installing a firewall by default contributes to defense in depth
 at relatively little cost.
 

I think that's discounting the user cost, of having something actively
getting in your way of accomplishing tasks, and we have no real good way
of helping the user get it out of their way.

The argument of default firewall or not would probably quiet down quite
a bit if we had any sort of decent UI to help users get the firewall out
of their way when they're really trying to do something.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

Re: Firewall

2010-12-06 Thread Phil Knirsch
On 12/06/2010 08:15 PM, Jesse Keating wrote:
 On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
 The other benefit would be if the user only intended the
 service to be accessible to localhost, or a UNIX domain
 socket but for some reason screwed up their service's
 config & opened it to the world.


 I could buy this if we actually alerted users to this, when in fact we
 /disable/ logging in the default firewall set, so your packets just
 magically disappear  leaving the user scratching their head as to why
 the hell things aren't working.


Thomas Woerner (iptables maintainer) is currently working on a prototype 
for basically the next generation of firewalling. He'll put up the code 
later this week with docu and all that shizzle as he just finished the 
first prototype of it a week ago. It's by far not complete yet, but 
it'll show enough of what you can do with it with some nice features and 
useful stuff.

Basically it's a stateful firewall daemon now that allows us to support 
and implement a lot of those features which have been so critically 
missing in our old way of doing firewalls (aka static crap) and 
basically impossible to do there. One example is libvirt and how it has 
to change firewall rules dynamically depending on whether a guest is 
started or shut down, and those rules should survive a restart of the 
firewall (which currently they don't and can't). Roughly speaking it's a 
bit similar with the switch from our static initscripts for network 
configuration to NetworkManager and how it deals with network interfaces 
nowadays.

A bit more initial info can already be found here:

  https://fedoraproject.org/wiki/SystemConfig/firewall

but he'll send out a much more detailed description of what the new 
firewalld will be able to do and what problems we can solve with it.

One thing is e.g. notifications to users when some service/app requests 
to open a port. First version won't have network zones yet, but he and 
Dan Williams are working on that for the next generation which will then 
basically allow it to let the user decide once for each 
interface/connection what should happen with it and never be bothered 
with it afterwards.

Thanks & regards, Phil

-- 
Philipp Knirsch  | Tel.:  +49-711-96437-470
Supervisor Core Services | Fax.:  +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch pknir...@redhat.com
Hauptstaetterstr. 58 | Web:   http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd:  You're only jealous cos the little penguins are talking to me.


Re: Firewall

2010-12-06 Thread Jesse Keating
On 12/06/2010 11:27 AM, Phil Knirsch wrote:
 On 12/06/2010 08:15 PM, Jesse Keating wrote:
 On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
 The other benefit would be if the user only intended the
 service to be accessible to localhost, or a UNIX domain
 socket but for some reason screwed up their service's
 config & opened it to the world.


 I could buy this if we actually alerted users to this, when in fact we
 /disable/ logging in the default firewall set, so your packets just
 magically disappear  leaving the user scratching their head as to why
 the hell things aren't working.

 
 Thomas Woerner (iptables maintainer) is currently working on a prototype 
 for basically the next generation of firewalling. He'll put up the code 
 later this week with docu and all that shizzle as he just finished the 
 first prototype of it a week ago. It's by far not complete yet, but 
 it'll show enough of what you can do with it with some nice features and 
 useful stuff.
 
 Basically it's a stateful firewall daemon now that allows us to support 
 and implement a lot of those features which have been so critically 
 missing in our old way of doing firewalls (aka static crap) and 
 basically impossible to do there. One example is libvirt and how it has 
 to change firewall rules dynamically depending on whether a guest is 
 started or shut down, and those rules should survive a restart of the 
 firewall (which currently they don't and can't). Roughly speaking it's a 
 bit similar with the switch from our static initscripts for network 
 configuration to NetworkManager and how it deals with network interfaces 
 nowadays.
 
 A bit more initial info can already be found here:
 
   https://fedoraproject.org/wiki/SystemConfig/firewall
 
 but he'll send out a much more detailed description of what the new 
 firewalld will be able to do and what problems we can solve with it.
 
 One thing is e.g. notifications to users when some service/app requests 
 to open a port. First version won't have network zones yet, but he and 
 Dan Williams are working on that for the next generation which will then 
 basically allow it to let the user decide once for each 
 interface/connection what should happen with it and never be bothered 
 with it afterwards.
 
 Thanks & regards, Phil
 

Sounds interesting, thanks Phil!

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


Re: Firewall

2010-12-06 Thread Michał Piotrowski
2010/12/6 Jesse Keating jkeat...@redhat.com:
 On 12/06/2010 11:20 AM, Matthew Miller wrote:
 Installing a firewall by default contributes to defense in depth
 at relatively little cost.


 I think that's discounting the user cost, of having something actively
 getting in your way of accomplishing tasks, and we have no real good way
 of helping the user get it out of their way.

 The argument of default firewall or not would probably quiet down quite
 a bit if we had any sort of decent UI to help users get the firewall out
 of their way when they're really trying to do something.

I tried several times to use system-config-firewall-tui - usability
disaster. I prefer to edit sysconfig/iptables ;)


 --
 Jesse Keating
 Fedora -- Freedom² is a feature!
 identi.ca: http://identi.ca/jkeating



-- 
Best regards,
Michal

Sent from my iToaster


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Miloslav Trmač
Michał Piotrowski wrote on Mon, 06. 12. 2010 at 20:22 +0100:
 2010/12/6 Bill Nottingham nott...@redhat.com:
 Does openssh stand out as something special among other daemons?
Actually, it does - for remote installations (sometimes the only option)
ssh needs to be running after installation so that the system
administrator can connect to it and start configuring it.  Other
services are not necessary like this.

(Yes, the system administrator can write a kickstart script that enables
the service after installation.  I'm not sure that's something we can ask
a novice sysadmin to do, however.)
Mirek


Re: Firewall

2010-12-06 Thread Miloslav Trmač
Jesse Keating wrote on Mon, 06. 12. 2010 at 11:14 -0800:
 On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
  Jesse Keating wrote on Mon, 06. 12. 2010 at 11:00 -0800:
  Right, I always struggle with this.  If you allow services that bind to
  a port once enabled to have the port open, then what good does it do to
  have the port closed?
 
  I really wonder what real purpose a firewall serves on these machines.
  Once you get past the ZOMG WE NEED A FIREWALL
  
  I can see the following primary reasons to have a firewall:
  
* Enforcing a sysadmin-set (system-wide or site-wide) policy.
  
  No, you will not run any bittorrent client on the company's
  computer.
 
 That's an excellent reason for being able to deploy a firewall.  Not
 really sure this is a good reason for having a firewall configured by
 default on personal installs.
It's not, but we don't really have personal installs; any system can
be a desktop, a server, or both at the same time.

* A speed bump that requires an independent action to prevent
  unintentionally opening up a service.
  
  You have started $server, and it accepts connections from the
  whole internet.  Here's your chance to think about this again.
  Do you want to open the port?
 
 Yet we don't have that kind of UI present.  So instead now we have
 people trying to turn on services, having it not work, and spending time
 / energy fiddling with config files before they finally realize it was
 the firewall.
For server applications, I don't think this is a big problem:  If the
user has been able to find and edit httpd.conf, they can also learn
about the firewall.

For desktop users, what kind of services are we talking about?

gnome-user-share? Will a desktop user know about this concept, or just
send the data over e-mail or IM?

SIP? Desktop sharing? An incoming connection won't be able to come
through the ADSL modem's NAT anyway, so some kind of tunneling or an
external service broker (which turns the connection from incoming into
outgoing, enabled by default) is needed.

It may be just me, but really can't remember a single example when the
firewall has broken something for me, at least in the last 10 years.

   Then they just turn it off and grumble.  At least the
 other OS gives you a pop up to let some service through, although there
 are problems with that too.
My experience with the Windows prompts is absolutely horrible - I
started an application and I was asked do you want this to bypass the
firewall - I know that if I deny the request, the application will
probably not work, but I'm never told why does the application need such
access when most other applications on the system do not.  Is it
legitimate, or is the application spying on me, is this for some kind of
remote software disable functionality?  All that the prompt does is
make me worry.  (This is probably more of an indication of the low level
of trust Windows software downloaded from the internet than of the
quality of the firewall, but this shows that the firewall interface does
not match the problem space well.)
Mirek


Re: Firewall

2010-12-06 Thread seth vidal
On Mon, 2010-12-06 at 20:34 +0100, Miloslav Trmač wrote:
 It's not, but we don't really have personal installs; any system can
 be a desktop, a server, or both at the same time.

Agreed  - I think the case being described by Jesse, though, is the
livecd case. That's what the 'personal install' seems to be to me. In
that case the livecd kickstart can turn off the iptables, if it so
chooses. I'd recommend against it.


 SIP? Desktop sharing? An incoming connection won't be able to come
 through the ADSL modem's NAT anyway, so some kind of tunneling or an
 external service broker (which turns the connection from incoming into
 outgoing, enabled by default) is needed.
 
 It may be just me, but really can't remember a single example when the
 firewall has broken something for me, at least in the last 10 years.

I'll add a +1 to this, too. The only client having trouble I can think
of in forever is bittorrent and that wasn't my firewall it was my
wireless router.

Having iptables on just keeps out the port probes when you're on a
public network - the way ours is configured in fedora makes it pretty
easy for most client apps.

-sv



Re: Request for comment: Potential change to dist-git branch structure

2010-12-06 Thread Jesse Keating
On 12/03/2010 09:33 PM, Garrett Holmstrom wrote:
 On 12/3/2010 18:34, Jesse Keating wrote:
 The original thought was to have top level branches that are named after
 distribution releases, eg f14, f15, el5.  Then we would force
 branches of those branches use a naming structure of f14/topic.  The
 reason was so that our tooling could look at the name of the branch and
 easily work back to the f14 part.  This would work even if it was
 f14/user/fred/topic/mybranch  or other such craziness.  When I went to
 test this, I realized that git won't allow you to have both f14 and
 f14/topic as branches, because of the way the git metadata works on
 the filesystem.  When I encountered this, I made f14/master become the
 top level branch, and then f14/somethingelse could coexist.
 Unfortunately I also wanted to keep things easy for users and tried to
 maintain tooling that would allow you to just say f14.  This didn't
 get enough real world testing and in hindsight was a bad idea.  Things
 go wrong quickly in git if your local branch name doesn't match the
 remote branch name.

 When thinking about the above, and the two bugs I'm working on, I
 realized that we don't have any real strong need to be using / as a
 delineator.  It makes some code easier, but makes other things more
 complex and difficult.  So what if we changed it?

 What I'm thinking about now is switching from / to - as a delineator.
 This would improve a couple things.  First, we could achieve upstream
 top level branch names that are short and simple: f14, f15,
 master.  We can have branches that build upon those names:
 f14-rebase, f15-cve223, f15-user-jkeating-private.  We could keep
 the simple fedpkg tooling that allows users to just type f14 and the
 like to reference a branch, and now the local branch will match the name
 of the remote branch.
 
 Yes, please!  Getting rid of the '/' strangeness ought to make things a 
 little easier to understand and use across the board.  I suspect that 
 few enough packages use shared feature or bugfix branches that a 
 transition won't trip up very many people.  Perhaps a hook on Fedora's 
 repositories that prints transition instructions when one attempts to 
 push to old-style branches in conjunction with a fedpkg command that 
 attempts to migrate existing local branches and remotes would help somewhat.

That's certainly something to look into.  I'm not sure a hook would fire
off soon enough, or the client would notice that the upstream branch
doesn't exist anymore and balk before any upstream hooks could run.
Certainly worth looking into.

 
 As for the first two bugs I mentioned, it doesn't directly help them.
 However I would feel better about telling people that their local
 branches must follow a naming scheme of <release>-<something> and then
 we could easily guess what release the local branch is for if it isn't
 tracking a remote branch.  However the bug about what to do if there are
 no remote branches is really not touched by any of this, it just got me
 thinking about branches :)
 
 Why tie branch names down to specific releases?  While that scheme makes 
 it easy for fedpkg to guess what release to attempt to build against 
 when one only cares about one release, it makes little sense to call a 
 branch f14-rh123456 when in reality that branch will merge into f13 
 as well as f14.

Couple reasons.  First, the naming structure gives us the ability to
easily determine what Fedora your work is targeting.  The vast
majority of Fedora packages have some macro or another that depends on
dist value, and they need to be defined any time the spec is parsed.
I prefer a scenario where this data is determined automatically, but
allowed to be overridden.

Also I don't envision a lot of these branches existing on the upstream
side.  Downstream you can call the branch whatever you want, so if you
want to clone then branch for a bug to do test work, eventually merging
the work onto master, f14, f13 that's just fine.  Only the shared
upstream branches would need a naming scheme.

Lastly by putting some sort of naming scheme in place it can help with
the ACL system, to provide ACLs for allowing non-ff changes in certain
branch types, or allowing all users to create branches of a package or
whatever.  Although on that last point I think we need something like
github to easily allow users to 'fork' a repo when they don't have
commit rights to it, perhaps off to fedorapeople.org somewhere.
Rambling now.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


Re: Firewall

2010-12-06 Thread Richard W.M. Jones
On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
 On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
  The other benefit would be if the user only intended the
  service to be accessible to localhost, or a UNIX domain
  socket but for some reason screwed up their service's
  config  opened it to the world.
  
 
 I could buy this if we actually alerted users to this, when in fact we
 /disable/ logging in the default firewall set, so your packets just
 magically disappear  leaving the user scratching their head as to why
 the hell things aren't working.

Yes, enabling logging of packets really helps to track down
firewall misconfiguration.

What we really lack is good visibility for n00bs.  Sure you can do
'netstat -anp' to show open ports and (if you're more of an expert
than me) look at iptables to see what's wrong, but having nice GUI
tools to display this information would be better.

(No, I'm not volunteering to write them ...)

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
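
The check described in the message above (list the listening sockets, then compare them with the iptables rules) can be automated. The following Python is an added example, not code from this thread or from any Fedora tool; the sample netstat and iptables-save text is constructed, and the rule parser is assumed to see only the filter table and understands only plain `-p`/`--dport` ACCEPT rules in its INPUT chain.

```python
import re

# Constructed sample in the column layout of `netstat -lntup` (not captured output).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN  1201/sshd
tcp        0      0 127.0.0.1:631   0.0.0.0:*       LISTEN  1310/cupsd
tcp        0      0 0.0.0.0:3306    0.0.0.0:*       LISTEN  1422/mysqld
udp        0      0 0.0.0.0:5353    0.0.0.0:*               1188/avahi-daemon
"""

# Constructed `iptables-save` style ruleset: ssh allowed, everything else rejected.
RULES_SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# An INPUT rule with no match conditions that rejects or drops everything.
CATCH_ALL = re.compile(r"-A INPUT -j (?:REJECT|DROP)(?: --reject-with \S+)?")


def parse_listeners(text):
    """Return (proto, address, port, program) for IPv4 listening sockets."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        # tcp6/udp6 rows are skipped: they are governed by ip6tables, not iptables.
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue
        if f[0] == "tcp" and "LISTEN" not in f:
            continue  # established connections are not listeners
        addr, _, port = f[3].rpartition(":")
        program = f[-1].split("/", 1)[1] if "/" in f[-1] else "?"
        listeners.append((f[0], addr, int(port), program))
    return listeners


def parse_input_chain(text):
    """Return ([(proto, low_port, high_port)], default_deny) for the INPUT chain.

    Simplification (assumption of this example): source, interface and
    multiport matches are ignored, so a rule limited to one subnet is
    reported as if it were open to everyone.
    """
    allowed, default_deny = [], False
    for line in text.splitlines():
        line = line.strip()
        policy = re.match(r":INPUT\s+(\w+)", line)
        if policy:
            default_deny = policy.group(1) == "DROP"
        if not line.startswith("-A INPUT "):
            continue
        if CATCH_ALL.fullmatch(line):
            default_deny = True
            break  # rules after an unconditional REJECT/DROP never match
        proto = re.search(r"-p (tcp|udp)\b", line)
        dport = re.search(r"--dport (\d+)(?::(\d+))?", line)
        if re.search(r"-j ACCEPT\b", line) and proto and dport:
            low = int(dport.group(1))
            high = int(dport.group(2) or low)
            allowed.append((proto.group(1), low, high))
    return allowed, default_deny


def audit(netstat_text, rules_text):
    """Classify every listener as local-only, exposed or blocked."""
    allowed, default_deny = parse_input_chain(rules_text)
    report = []
    for proto, addr, port, program in parse_listeners(netstat_text):
        opened = any(p == proto and lo <= port <= hi for p, lo, hi in allowed)
        if addr.startswith("127."):
            verdict = "local-only"   # bound to loopback, firewall is irrelevant
        elif opened or not default_deny:
            verdict = "exposed"      # reachable from the network
        else:
            verdict = "blocked"      # listening, but packets are rejected
        report.append((proto, port, program, verdict))
    return report


if __name__ == "__main__":
    for proto, port, program, verdict in audit(NETSTAT_SAMPLE, RULES_SAMPLE):
        print(f"{proto:4} {port:5} {program:14} {verdict}")
```

The "blocked" rows are the ones that fail silently when the ruleset has no LOG rule, including the 5353/udp listener that comes up later in the thread; the "exposed" rows are the ones to compare against what the service was meant to be reachable from.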


Re: Firewall

2010-12-06 Thread Phil Knirsch
On 12/06/2010 08:40 PM, Richard W.M. Jones wrote:
 On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
 On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
 The other benefit would be if the user only intended the
 service to be accessible to localhost, or a UNIX domain
 socket but for some reason screwed up their service's
 config  opened it to the world.


 I could buy this if we actually alerted users to this, when in fact we
 /disable/ logging in the default firewall set, so your packets just
 magically disappear  leaving the user scratching their head as to why
 the hell things aren't working.

 Yes, enabling logging of packets really helps to track down
 firewall misconfiguration.

 What we really lack is good visibility for n00bs.  Sure you can do
 'netstat -anp' to show open ports and (if you're more of an expert
 than me) look at iptables to see what's wrong, but having nice GUI
 tools to display this information would be better.

 (No, I'm not volunteering to write them ...)

 Rich.


That's actually a really nice idea we could tackle with the firewall 
stuff Thomas is working on in the future.

added_to_feature_list++ :)

Thanks & regards, Phil

-- 
Philipp Knirsch  | Tel.:  +49-711-96437-470
Supervisor Core Services | Fax.:  +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch pknir...@redhat.com
Hauptstaetterstr. 58 | Web:   http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd:  You're only jealous cos the little penguins are talking to me.


Re: Firewall

2010-12-06 Thread Michael Cronenworth
Richard W.M. Jones wrote:
 What we really lack is good visibility for n00bs.  Sure you can do
 'netstat -anp' to show open ports and (if you're more of an expert
 than me) look at iptables to see what's wrong, but having nice GUI
 tools to display this information would be better.

Like... iptstate?


Re: Firewall

2010-12-06 Thread Jesse Keating
On 12/06/2010 11:34 AM, Miloslav Trmač wrote:
 Jesse Keating wrote on Mon 06. 12. 2010 at 11:14 -0800:
 On 12/06/2010 11:09 AM, Miloslav Trmač wrote:
 Jesse Keating wrote on Mon 06. 12. 2010 at 11:00 -0800:
 Right, I always struggle with this.  If you allow services that bind to
 a port once enabled to have the port open, then what good does it do to
 have the port closed?

 I really wonder what real purpose a firewall serves on these machines.
 Once you get past the ZOMG WE NEED A FIREWALL

 I can see the following primary reasons to have a firewall:

   * Enforcing a sysadmin-set (system-wide or site-wide) policy.
 
 No, you will not run any bittorrent client on the company's
 computer.

 That's an excellent reason for being able to deploy a firewall.  Not
 really sure this is a good reason for having a firewall configured by
 default on personal installs.
 It's not, but we don't really have personal installs; any system can
 be a desktop, a server, or both at the same time.

I generally think of somebody going through the graphical installer as
being a personal install.  Kickstarts are different.  And if the person
is a sysadmin installing a server manually via the graphical installer,
I'm sure they can turn on / configure the firewall as needed.

 
   * A speed bump that requires an independent action to prevent
 unintentionally opening up a service.
 
 You have started $server, and it accepts connections from the
 whole internet.  Here's your chance to think about this again.
 Do you want to open the port?

 Yet we don't have that kind of UI present.  So instead now we have
 people trying to turn on services, having it not work, and spending time
 / energy fiddling with config files before they finally realize it was
 the firewall.
 For server applications, I don't think this is a big problem:  If the
 user has been able to find and edit httpd.conf, they can also learn
 about the firewall.
 
 For desktop users, what kind of services are we talking about?
 
 gnome-user-share? Will a desktop user know about this concept, or just
 send the data over e-mail or IM?
 
 SIP? Desktop sharing? An incoming connection won't be able to come
 through the ADSL modem's NAT anyway, so some kind of tunneling or an
 external service broker (which turns the connection from incoming into
 outgoing, enabled by default) is needed.
 
 It may be just me, but really can't remember a single example when the
 firewall has broken something for me, at least in the last 10 years.

Bittorrent, network games, zero conf come to mind.

 
   Then they just turn it off and grumble.  At least the
 other OS gives you a pop up to let some service through, although there
 are problems with that too.
 My experience with the Windows prompts is absolutely horrible - I
 started an application and I was asked do you want this to bypass the
 firewall - I know that if I deny the request, the application will
 probably not work, but I'm never told why does the application need such
 access when most other applications on the system do not.  Is it
 legitimate, or is the application spying on me, is this for some kind of
 remote software disable functionality?  All that the prompt does is
 make me worry.  (This is probably more of an indication of the low level
 of trust Windows software downloaded from the internet than of the
 quality of the firewall, but this shows that the firewall interface does
 not match the problem space well.)
   Mirek
 

At least Windows gives you a popup.  On our side not only do we not know
why apps are trying to bind to network ports, we don't even know which
ones are trying!  We seem to not trust /anything/ even though we
installed it!

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

Re: Request for comment: Potential change to dist-git branch structure

2010-12-06 Thread Jesse Keating
On 12/04/2010 02:19 AM, Matej Cepl wrote:
 On 4.12.2010 06:33, Garrett Holmstrom wrote:
 Why tie branch names down to specific releases?  While that scheme makes 
 it easy for fedpkg to guess what release to attempt to build against 
 when one only cares about one release, it makes little sense to call a 
 branch f14-rh123456 when in reality that branch will merge into f13 
 as well as f14.
 
 +1 Why not just get out of all this silly business and leave branches to
 be whatever we want them to be as God^H^H^HLinus intended them to be?
 Really, branch rhbz1234567 doesn't have to have any relation to any
 particular distribution (we usually don't clone Fedora bugs to all
 distros where they happen, and that's The Right Thing).

Without some sort of naming scheme, it'd be quite hard for the fedpkg
client to fill in proper data for %{?dist} and other such macros when
parsing the spec file.  It'd require manual action on the user to either
define it with a fedpkg option, or to set it in some sort of git config
(which doesn't traverse upstream/downstream so every cloner would have
to do that).

 
 Related issue I have with the Fedora git repositories is that one cannot
 remove any branch once it is created. After I have created in bitlbee
 repo two topic branches, only to find out that I cannot remove them
 after the merge. I can understand need for documenting development of
 the distribution, but cannot we lock just SOME branches (probably master
 + f* ones)? In this situation, I have moved my topical branches to
 gitorious, where I can do whatever I want to do with them.
 

That's another reason to have naming schemes so that we can design the
ACL system accordingly.  However I'm reluctant to enable non-ff changes
in shared repos.  Lots of ways for things to go wrong there,
particularly when official builds can come from anywhere within the
repo, no current restriction on builds for dist-f14* must come from a
f14 branch type thing.  I honestly think we need to enable forking of
repos over to a fedorapeople place where you can do whatever you want
with them.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
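
The two dist-git messages in this digest describe a `<release>-<topic>` branch naming scheme, the reason `f14` and `f14/topic` cannot coexist, and the idea of keying ACLs on the branch type. The following Python is an added example that puts those three points together; it is not fedpkg or Fedora ACL code, the function names are hypothetical, and both the `.fcNN`/`.elN` dist mapping and the update policy (release branches fast-forward only and never deleted, topic branches unrestricted) are assumptions chosen for illustration.

```python
import re

# Assumed scheme from the thread: <release>[-<topic>], release = fNN, elN or master.
BRANCH_RE = re.compile(r"^(f\d+|el\d+|master)(?:-(.+))?$")


def parse_branch(name):
    """Split 'f15-user-jkeating-private' into ('f15', 'user-jkeating-private').

    Returns None for names outside the scheme, e.g. 'rhbz1234567' or 'f14/topic'.
    """
    m = BRANCH_RE.match(name)
    return (m.group(1), m.group(2)) if m else None


def dist_for(name):
    """Guess the %{?dist} value a branch targets, or None if it cannot be guessed.

    'master' returns None because the development release number is not
    encoded in the branch name; the caller has to supply it.
    """
    parsed = parse_branch(name)
    if parsed is None or parsed[0] == "master":
        return None
    release = parsed[0]
    if release.startswith("el"):
        return "." + release          # el5 -> .el5
    return ".fc" + release[1:]        # f14 -> .fc14


def ref_conflicts(branches):
    """Find pairs that cannot coexist because git stores refs as files.

    refs/heads/f14 is a file, so refs/heads/f14/topic would need a directory
    of the same name; the '-' delimiter avoids this.
    """
    names = sorted(branches)
    return [(a, b) for a in names for b in names if b.startswith(a + "/")]


def allow_update(name, fast_forward, deleting):
    """Hypothetical server-side policy keyed on the branch type.

    Release branches (f14, el5, master) accept fast-forward pushes only and
    cannot be deleted; topic branches (f14-rebase) may be rewritten or
    removed; names outside the scheme are refused.
    """
    parsed = parse_branch(name)
    if parsed is None:
        return False
    _release, topic = parsed
    if topic is None:
        return fast_forward and not deleting
    return True


if __name__ == "__main__":
    for branch in ("f14", "f14-rebase", "el5", "master", "rhbz1234567"):
        print(branch, parse_branch(branch), dist_for(branch))
    print(ref_conflicts(["f14", "f14/topic", "f14-topic", "f15"]))
```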

Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Michał Piotrowski
I wonder why my server rejected my previous email?


-- Forwarded message --
From: Michał Piotrowski mkkp...@gmail.com
Date: 6 December 2010 20:46
Subject: Re: Fedora default services (was: Re: F15 Feature - convert as
many service init files as possible to the native SystemD services)
To: Development discussions related to Fedora devel@lists.fedoraproject.org


2010/12/6 Miloslav Trmač m...@volny.cz:
 Michał Piotrowski wrote on Mon 06. 12. 2010 at 20:22 +0100:
 2010/12/6 Bill Nottingham nott...@redhat.com:
 Does openssh stand out as something special among other daemons?
 Actually, it does - for remote installations (sometimes the only option)
 ssh needs to be running after installation so that the system
 administrator can connect to it and start configuring it.  Other
 services are not necessary like this.

 (Yes, the system administrator can write a kickstart script that enables
 the service after installation.  I'm not sure that's something we can ask
 a novice sysadmin to do, however.)

We are talking here about the case when ssh server is started when
user connect to 22 port (or other configured). From my POV everything
should work as expected.

        Mirek




--
Best regards,
Michal

Sent from my iToaster



-- 
Best regards,
Michal

Sent from my iToaster


Re: Firewall

2010-12-06 Thread seth vidal
On Mon, 2010-12-06 at 11:48 -0800, Jesse Keating wrote:
 Bittorrent, network games, zero conf come to mind.
 

Bittorrent won't work through many/most wireless routers unless they are
not natted and/or not explicitly configured.

what network games?
Heck, what network games do we HAVE?

what are the use cases of zeroconf-enabled apps that we're targeting?

-sv




Re: Firewall

2010-12-06 Thread Bill Nottingham
Phil Knirsch (pknir...@redhat.com) said: 
 Basically it's a stateful firewall daemon now that allows us to support 
 and implement a lot of those features which have been so critically 
 missing in our old way of doing firewalls (aka static crap) and 
 basically impossible to do there. One example is libvirt and how it has 
 to change firewall rules dynamically depending on whether a guest is 
 started or shut down, and those rules should survive a restart of the 
 firewall (which currently they don't and can't). Roughly speaking it's a 
 bit similar with the switch from our static initscripts for network 
 configuration to NetworkManager and how it deals with network interfaces 
 nowadays.

Sounds good

 One thing is e.g notifications to users when some service/app requests 
 to open a port. First version won't have network zones yet, but he and 
 Dan Williams are working on that for the next generation which will then 
 basically allow it to let the user decide once for each 
 interface/connection what should happen with it and never be bothered 
 with it afterwards.

... but this seems absolutely wrong. The last thing we want is to be
pestering the user with information they may not understand, and are not
fully capable of acting on. Take the constant complaints about
SETroubleshoot, or the constant mocking of Windows Vista's security popups,
for example.

Bill


Re: Firewall

2010-12-06 Thread Bill Nottingham
seth vidal (skvi...@fedoraproject.org) said: 
 Bittorrent won't work through many/most wireless routers unless they are
 not natted and/or not explicitly configured.
 
 what network games?
 Heck, what network games do we HAVE?
 
 what are the use cases of zeroconf-enabled apps that we're targeting?

Zeroconf and IPP browse packets are both means of making printing less
of a giant pain to set up.

Bill


Re: Firewall

2010-12-06 Thread seth vidal
On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
 seth vidal (skvi...@fedoraproject.org) said: 
  Bittorrent won't work through many/most wireless routers unless they are
  not natted and/or not explicitly configured.
  
  what network games?
  Heck, what network games do we HAVE?
  
  what are the use cases of zeroconf-enabled apps that we're targeting?
 
 Zeroconf and IPP browse packets are both means of making printing less
 of a giant pain to set up.

ah, printing. 

Is there anything that's not last century?

-sv




Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Bill Nottingham
Michał Piotrowski (mkkp...@gmail.com) said: 
 We are talking here about the case when ssh server is started when
 user connect to 22 port (or other configured). From my POV everything
 should work as expected.

Right. To do this in systemd implies that you're patching openssh to
do socket-based activation... hence why I asked about upstream's opinion
on it.

Bill

Re: Firewall

2010-12-06 Thread Dennis Jacobfeuerborn
On 12/06/2010 08:53 PM, Bill Nottingham wrote:
 Phil Knirsch (pknir...@redhat.com) said:
 Basically it's a stateful firewall daemon now that allows us to support
 and implement a lot of those features which have been so critically
 missing in our old way of doing firewalls (aka static crap) and
 basically impossible to do there. One example is libvirt and how it has
 to change firewall rules dynamically depending on whether a guest is
 started or shut down, and those rules should survive a restart of the
 firewall (which currently they don't and can't). Roughly speaking it's a
 bit similar with the switch from our static initscripts for network
 configuration to NetworkManager and how it deals with network interfaces
 nowadays.

 Sounds good

 One thing is e.g notifications to users when some service/app requests
 to open a port. First version won't have network zones yet, but he and
 Dan Williams are working on that for the next generation which will then
 basically allow it to let the user decide once for each
 interface/connection what should happen with it and never be bothered
 with it afterwards.

 ... but this seems absolutely wrong. The last thing we want is to be
 pestering the user with information they may not understand, and are not
 fully capable of acting on. Take the constant complaints about
 SETroubleshoot, or the constant mocking of Windows Vista's security popups,
 for example.

I agree that this is a problem but it would be nice if firewalld could 
still keep track of this information and make it available on demand 
(basically a log). Maybe the notification could be based on that and only 
pop up if configured to do so by the users who care.

Regards,
   Dennis


Re: Firewall

2010-12-06 Thread Dennis Jacobfeuerborn
On 12/06/2010 08:43 PM, Phil Knirsch wrote:
 On 12/06/2010 08:40 PM, Richard W.M. Jones wrote:
 On Mon, Dec 06, 2010 at 11:15:37AM -0800, Jesse Keating wrote:
 On 12/06/2010 11:05 AM, Daniel P. Berrange wrote:
 The other benefit would be if the user only intended the
 service to be accessible to localhost, or a UNIX domain
 socket but for some reason screwed up their service's
 config   opened it to the world.


 I could buy this if we actually alerted users to this, when in fact we
 /disable/ logging in the default firewall set, so your packets just
 magically disappear  leaving the user scratching their head as to why
 the hell things aren't working.

 Yes, enabling logging of packets really helps to track down
 firewall misconfiguration.

 What we really lack is good visibility for n00bs.  Sure you can do
 'netstat -anp' to show open ports and (if you're more of an expert
 than me) look at iptables to see what's wrong, but having nice GUI
 tools to display this information would be better.

 (No, I'm not volunteering to write them ...)

 Rich.


 Thats actually a really nice idea we could tackle with the firewall
 stuff Thomas is working on in the future.

 added_to_feature_list++ :)

Add accounting too. Assuming that the Zones are implemented as chains it 
would be nice to be able to review how much traffic a Zone and/or the 
services are seeing.

Regards,
   Dennis


Re: Firewall

2010-12-06 Thread Tomasz Torcz
On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
 On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
  seth vidal (skvi...@fedoraproject.org) said: 
   Bittorrent won't work through many/most wireless routers unless they are
   not natted and/or not explicitly configured.
   
   what network games?
   Heck, what network games do we HAVE?
   
   what are the use cases of zeroconf-enabled apps that we're targeting?
  
  Zeroconf and IPP browse packets are both means of making printing less
  of a giant pain to set up.
 
 ah, printing. 
 
 Is there anything that's not last century?


  Yeah, general discovery.  From the top of my head:
- Pulseaudio sinks and sources
- libvirt instances for virt-manager
- VNC desktops for Vinagre
- local web pages (think SOHO router config page) for zeroconf
  enabled Webbrowsers like Epiphany
- remote disk management (udisks)
- local FTP sites and WebDAV shares shown in nautilus places

  And this is all blocked by default Fedora firewall settings (5353/udp).

-- 
Tomasz Torcz                 Funeral in the morning, IDE hacking
xmpp: zdzich...@chrome.pl    in the afternoon and evening. - Alan Cox



Re: Firewall

2010-12-06 Thread Phil Knirsch
On 12/06/2010 08:53 PM, Bill Nottingham wrote:
 Phil Knirsch (pknir...@redhat.com) said:
 Basically it's a stateful firewall daemon now that allows us to support
 and implement a lot of those features which have been so critically
 missing in our old way of doing firewalls (aka static crap) and
 basically impossible to do there. One example is libvirt and how it has
 to change firewall rules dynamically depending on whether a guest is
 started or shut down, and those rules should survive a restart of the
 firewall (which currently they don't and can't). Roughly speaking it's a
 bit similar with the switch from our static initscripts for network
 configuration to NetworkManager and how it deals with network interfaces
 nowadays.

 Sounds good

 One thing is e.g notifications to users when some service/app requests
 to open a port. First version won't have network zones yet, but he and
 Dan Williams are working on that for the next generation which will then
 basically allow it to let the user decide once for each
 interface/connection what should happen with it and never be bothered
 with it afterwards.

 ... but this seems absolutely wrong. The last thing we want is to be
 pestering the user with information they may not understand, and are not
 fully capable of acting on. Take the constant complaints about
 SETroubleshoot, or the constant mocking of Windows Vista's security popups,
 for example.

 Bill

Ah, don't worry, this is just an example what you could do with it. What 
and how we use it later on, especially in a GUI environment is a matter 
of obviously sane defaults. It's just right now one of the easiest 
examples to demonstrate the event based system the firewalld is using 
where you can basically hook into dbus and listen for firewall changes.

It's all about providing the necessary framework at this point to later 
on sanely be able to do what we need to do in all kinds of environments 
with firewalls.

And specifically for the Desktop case you, me and the desktop team are very 
opposed to those kinds of popups with cryptic firewall info or questions 
(and rightly so as it unnecessarily confuses the average user and 
doesn't offer any value == bad user experience). So that's definitely 
something that will be disabled by default and is only in there now for 
demonstration purposes.

Thanks & regards, Phil

-- 
Philipp Knirsch  | Tel.:  +49-711-96437-470
Supervisor Core Services | Fax.:  +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch pknir...@redhat.com
Hauptstaetterstr. 58 | Web:   http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd:  You're only jealous cos the little penguins are talking to me.


Re: Firewall

2010-12-06 Thread Phil Knirsch
On 12/06/2010 08:59 PM, Dennis Jacobfeuerborn wrote:
 On 12/06/2010 08:53 PM, Bill Nottingham wrote:
 Phil Knirsch (pknir...@redhat.com) said:
 Basically it's a stateful firewall daemon now that allows us to support
 and implement a lot of those features which have been so critically
 missing in our old way of doing firewalls (aka static crap) and
 basically impossible to do there. One example is libvirt and how it has
 to change firewall rules dynamically depending on whether a guest is
 started or shut down, and those rules should survive a restart of the
 firewall (which currently they don't and can't). Roughly speaking it's a
 bit similar with the switch from our static initscripts for network
 configuration to NetworkManager and how it deals with network interfaces
 nowadays.

 Sounds good

 One thing is e.g notifications to users when some service/app requests
 to open a port. First version won't have network zones yet, but he and
 Dan Williams are working on that for the next generation which will then
 basically allow it to let the user decide once for each
 interface/connection what should happen with it and never be bothered
 with it afterwards.

 ... but this seems absolutely wrong. The last thing we want is to be
 pestering the user with information they may not understand, and are not
 fully capable of acting on. Take the constant complaints about
 SETroubleshoot, or the constant mocking of Windows Vista's security popups,
 for example.

 I agree that this is a problem but it would be nice if firewalld could
 still keep track of this information and make it available on demand
 (basically a log). Maybe the notification could be based on that and only
 pop up if configured to do so by the users who care.

 Regards,
 Dennis

Aye, that's a good idea. And easily doable.

Thanks & regards, Phil

-- 
Philipp Knirsch  | Tel.:  +49-711-96437-470
Supervisor Core Services | Fax.:  +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch pknir...@redhat.com
Hauptstaetterstr. 58 | Web:   http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd:  You're only jealous cos the little penguins are talking to me.


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Michał Piotrowski
2010/12/6 Bill Nottingham nott...@redhat.com:
 Michał Piotrowski (mkkp...@gmail.com) said:
 We are talking here about the case when ssh server is started when
 user connect to 22 port (or other configured). From my POV everything
 should work as expected.

 Right. To do this in systemd implies that you're patching openssh to
 do socket-based activation... hence why I asked about upstream's opinion
 on it.

I wasn't aware that they don't support it. I saw Lennart's
http://0pointer.de/public/systemd-units/sshd.socket
and I thought that it just works (I haven't tested it yet)


 Bill



-- 
Best regards,
Michal

Sent from my iToaster


Re: Firewall

2010-12-06 Thread seth vidal
On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote:
 On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
  On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
   seth vidal (skvi...@fedoraproject.org) said: 
Bittorrent won't work through many/most wireless routers unless they are
not natted and/or not explicitly configured.

what network games?
Heck, what network games do we HAVE?

what are the use cases of zeroconf-enabled apps that we're targeting?
   
   Zeroconf and IPP browse packets are both means of making printing less
   of a giant pain to set up.
  
  ah, printing. 
  
  Is there anything that's not last century?
 
 
   Yeah, general discovery.  From the top of my head:
 - Pulseaudio sinks and sources
 - libvirt instances for virt-manager
 - VNC desktops for Vinagre
 - local web pages (think SOHO router config page) for zeroconf
   enabled Webbrowsers like Epiphany
 - remote disk management (udisks)
 - local FTP sites and WebDAV shares shown in nautilus places
 
   And this is all blocked by default Fedora firewall settings (5353/udp).
 

I'm confused - are any of the above intended to be used/available by
anyone who is NOT experienced enough to know what iptables are and how
to manage them? B/c I think it's a bit unlikely.

-sv




Re: Firewall

2010-12-06 Thread Matthew Miller
On Mon, Dec 06, 2010 at 08:27:00PM +0100, Phil Knirsch wrote:
 Basically it's a stateful firewall daemon now that allows us to support
 and implement a lot of those features which have been so critically 

Does this *really* need to be implemented as yet another constantly-running
daemon? Because by its nature, iptables already maintains its state, and it
seems unnecessary to have another program running in userspace to do the
same thing.




-- 
Matthew Miller mat...@mattdm.org
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences


Re: Request for comment: Potential change to dist-git branch structure

2010-12-06 Thread Jesse Keating
On 12/04/2010 02:31 AM, Kalev Lember wrote:
 On 12/04/2010 12:19 PM, Matej Cepl wrote:
 Related issue I have with the Fedora git repositories is that one cannot
 remove any branch once it is created. After I have created in bitlbee
 repo two topic branches, only to find out that I cannot remove them
 after the merge. I can understand need for documenting development of
 the distribution, but cannot we lock just SOME branches (probably master
 + f* ones)? In this situation, I have moved my topical branches to
 gitorious, where I can do whatever I want to do with them.
 
 I think it makes sense to disallow removing official branches (f13, f14,
 master) to make sure people don't change the history of branches which
 are used for release builds.

There are no current restrictions on where released builds come from in
dist-git, particularly when there is a need from the likes of kernel and
KDE folks to do official builds from a user created branch (kernel and
KDE rebases can take a while and in the mean time they may need to issue
important updates of the current version of stuff).

 
 On the other hand, for topic branches and personal branches I would very
 much like to be able to do non fast-forward pushes and to be able to
 delete them. With git it's common to create branches for preparing a
 feature and merge them into the official branch once the feature is
 ready. Allowing non fast-forward pushes in unofficial branches would
 make it much easier to prepare a perfect history before merging it into
 the official branches.
 
 

I think it's best to do that kind of work in a separate repo, and not as
an in-repo branch of the main upstream repo.  That's largely how the
kernel works, which is kinda the big example of git usage.


-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


Re: Firewall

2010-12-06 Thread Tom Lane
Jesse Keating jkeat...@redhat.com writes:
 The argument of default firewall or not would probably quiet down quite
 a bit if we had any sort of decent UI to help users get the firewall out
 of their way when they're really trying to do something.

+1.  In today's environment, not having a firewall by default is an
incredibly stupid idea.  What we need to do is fix the UI problems,
not bypass them by dramatically reducing security.

regards, tom lane


Re: Firewall

2010-12-06 Thread nodata
On 06/12/10 21:06, seth vidal wrote:
 On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote:
 On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
 On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
 seth vidal (skvi...@fedoraproject.org) said:
 Bittorrent won't work through many/most wireless routers unless they are
 not natted and/or not explicitly configured.

 what network games?
 Heck, what network games do we HAVE?

 what are the use cases of zeroconf-enabled apps that we're targeting?

 Zeroconf and IPP browse packets are both means of making printing less
 of a giant pain to set up.

 ah, printing.

 Is there anything that's not last century?


Yeah, general discovery.  From the top of my head:
 - Pulseaudio sinks and sources
 - libvirt instances for virt-manager
 - VNC desktops for Vinagre
 - local web pages (think SOHO router config page) for zeroconf
enabled Webbrowsers like Epiphany
 - remote disk management (udisks)
 - local FTP sites and WebDAV shares shown in nautilus places

And this is all blocked by default Fedora firewall settings (5353/udp).


 I'm confused - are any of the above intended to be used/available by
 anyone who is NOT experienced enough to know what iptables are and how
 to manage them? B/c I think it's a bit unlikely.

 -sv



+10


Re: Request for comment: Potential change to dist-git branch structure

2010-12-06 Thread Jesse Keating
On 12/04/2010 07:24 AM, Severin Gehwolf wrote:
 Also we would need to get a new fedpkg into the hands of all the
  developers that handles the new branchnames.  We could do a build
  that
  handles both the oldnames and the new and have it out and available
  for
  a reasonable period of time before we make the switch.
 Would it make sense to add functionality to fedpkg which checks if there
 exists configuration for remote branch tracking (i.e. local f14
 tracks remote f14/master), and if that's the case, print
 a warning (e.g. that it's recommended to delete the local branch and
 recreate/check it out again)? This won't help much for the git pull
 problem, but it may prevent some users from running into that problem
 in the first place, because they saw the warning earlier when switching
 branch or doing some other fedpkg operation.
 

It's possible.  The trick would be when to turn that warning on, because
we'd have to get the new fedpkg out and available for a reasonable
amount of time before we make the change to the repos, so it could wind
up warning people a week or more before any repo changes are made.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

Re: Firewall

2010-12-06 Thread Miloslav Trmač
Tomasz Torcz wrote on Mon, 06 Dec 2010 at 21:01 +0100:
   Yeah, general discovery.  From the top of my head:
 - Pulseaudio sinks and sources
 - libvirt instances for virt-manager
 - VNC desktops for Vinagre
 - local web pages (think SOHO router config page) for zeroconf
   enabled Webbrowsers like Epiphany
 - remote disk management (udisks)
 - local FTP sites and WebDAV shares shown in nautilus places
 
   And this is all blocked by default Fedora firewall settings (5353/udp).
These really sound like something that should be caught by the default
enable related packets rule - if the kernel sees an outgoing mDNS
request, it temporarily enables replies to the same port.  If the kernel
doesn't do this already, teaching this to the kernel sounds like the
cleanest solution.
Mirek

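How a stateful filter pairs a reply with the request that triggered it, as an added example that is not part of the original message and is not kernel code. `ConnTracker`, `Packet` and the 192.0.2.x addresses are hypothetical, and only the address/port tuple matching used for UDP flows is modelled: a unicast DNS reply inverts the tracked tuple, whereas an answer to a multicast mDNS query comes from a host the query was never addressed to, so only an explicit 5353/udp rule lets it in.

```python
"""Toy model of stateful UDP reply matching (added example, not kernel code)."""
from dataclasses import dataclass

MDNS_GROUP = "224.0.0.251"   # IPv4 multicast group used by mDNS
MDNS_PORT = 5353             # the 5353/udp port mentioned in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ConnTracker:
    """Remembers outgoing UDP flows and accepts packets that invert one."""

    def __init__(self):
        # Each entry is the (src, sport, dst, dport) a reply must carry.
        self.expected = set()

    def outgoing(self, pkt):
        # The reply to a tracked flow must come from the address and port
        # the request was sent to, back to the sender's address and port.
        self.expected.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def verdict(self, pkt, open_ports=()):
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.expected:
            return "ACCEPT (established)"
        if pkt.dport in open_ports:
            return "ACCEPT (port rule)"
        return "DROP"


def demo():
    # Constructed sample hosts from the documentation range 192.0.2.0/24.
    local, resolver, printer = "192.0.2.10", "192.0.2.53", "192.0.2.20"
    fw = ConnTracker()

    # Ordinary unicast DNS lookup: one peer, so the reply inverts the tuple.
    fw.outgoing(Packet(local, 40000, resolver, 53))
    # mDNS query: the destination is the multicast group, not a host.
    fw.outgoing(Packet(local, MDNS_PORT, MDNS_GROUP, MDNS_PORT))

    multicast_answer = Packet(printer, MDNS_PORT, MDNS_GROUP, MDNS_PORT)
    unicast_answer = Packet(printer, MDNS_PORT, local, MDNS_PORT)
    return {
        "dns_reply": fw.verdict(Packet(resolver, 53, local, 40000)),
        # Neither answer has the multicast group as its source address,
        # so neither matches the tuple recorded for the query.
        "mdns_multicast_answer": fw.verdict(multicast_answer),
        "mdns_unicast_answer": fw.verdict(unicast_answer),
        # With an explicit rule for 5353/udp the same answer is accepted.
        "mdns_with_port_rule": fw.verdict(multicast_answer,
                                          open_ports=(MDNS_PORT,)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```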

q

2010-12-06 Thread Nicolas Mailhot
On Monday, 06 December 2010 at 20:09 +0100, Miloslav Trmač wrote:

 Are there other reasons?

App writers are busy reinventing the wheel, changing the configuration
files syntax, and believing they can't do wrong; make sure their mess is
blocked at the outbound port before we get rooted.

-- 
Nicolas Mailhot


[perl-Finance-Quote] fix rawhide build.

2010-12-06 Thread Bill Nottingham
commit 34e0fd76674a96d37e4fc0ea14ee994806cdb53b
Author: Bill Nottingham nott...@redhat.com
Date:   Mon Dec 6 15:41:13 2010 -0500

fix rawhide build.

 perl-Finance-Quote.spec |6 +-
 1 files changed, 5 insertions(+), 1 deletions(-)
---
diff --git a/perl-Finance-Quote.spec b/perl-Finance-Quote.spec
index 88d691e..259c7a9 100644
--- a/perl-Finance-Quote.spec
+++ b/perl-Finance-Quote.spec
@@ -1,6 +1,6 @@
 Name:  perl-Finance-Quote
 Version:1.17
-Release:   3%{?dist}
+Release:   4%{?dist}
 Summary:A Perl module that retrieves stock and mutual fund quotes
 Group:  Development/Libraries
 License:GPLv2+
@@ -14,6 +14,7 @@ BuildRequires:perl(LWP::UserAgent)
 BuildRequires: perl(Crypt::SSLeay) perl(HTTP::Request::Common)
 BuildRequires: perl(HTML::TableExtract) perl(HTML::TreeBuilder)
 BuildRequires: perl(Test::More)
+BuildRequires:  perl(CGI)
 
 %description
 This module retrieves stock and mutual fund quotes from various exchanges
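Review bot: the added `BuildRequires:  perl(CGI)` line does not say what in the build needs CGI, and its spacing after the colon differs from the `BuildRequires:` lines just above it. A one-line spec comment naming the consumer (test suite or module code) would show whether a matching runtime `Requires` is also warranted, and the whitespace should match the neighbouring entries.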
@@ -48,6 +49,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/*.3*
 
 %changelog
+* Mon Dec 06 2010 Bill Nottingham nott...@redhat.com - 1.17-4
+- fix buildrequires for F-15
+
 * Sat May 01 2010 Marcela Maslanova mmasl...@redhat.com - 1.17-3
 - Mass rebuild with perl-5.12.0
 
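Review bot: the new changelog entry, `- fix buildrequires for F-15`, does not name the dependency that was added, and the commit subject `fix rawhide build.` is no more specific. Something like `- add BuildRequires: perl(CGI) to fix the F-15 build` would let a later reader match the entry to the change without opening the diff.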
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-de...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel


Re: Request for comment: Potential change to dist-git branch structure

2010-12-06 Thread Bruno Wolff III
On Mon, Dec 06, 2010 at 12:33:40 -0800,
  Jesse Keating jkeat...@redhat.com wrote:
 On 12/04/2010 09:52 AM, Bruno Wolff III wrote:
  
  Is this going to break things for people that have set up origin tracking
  for multiple releases in the same repo?
 
 Can you explain this a bit more please?

I currently run:
git branch -t f12 origin/f12/master
git branch -t f13 origin/f13/master
git branch -t f14 origin/f14/master

Am I going to need to do anything when the origin branch names change?


Unretired package impressive blocked in buildsys

2010-12-06 Thread Michael J Gruber
Hi there,

I took over a retired package (rereview APPROVED, took over package,
reassigned bugs, SCM update request processed) but can't seem to fedpkg
build it: I get package impressive is blocked for tag dist-f15 (see
below).

Everything in pkgdb looks OK:

https://admin.fedoraproject.org/pkgdb/acls/name/impressive

I can (and did) fedpkg push to all pertinent branches (master, f14,
f13, el6), so that SCM access is OK, but can't fedpkg build.

The wiki at
https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers
suggests filing an infrastructure ticket, contacting toshio through irc
or one of the infrastructure and devel lists in case of a wrong package
status. But the status is fine (approved), the blockage seems to be
somewhere in buildsys (?).

Who can help, where should I report this or file a ticket?

Thanks for any pointers,
Michael


Building impressive-0.10.3-3.fc15 for dist-rawhide
Created task: 2648225
Task info: http://koji.fedoraproject.org/koji/taskinfo?taskID=2648225
Watching tasks (this may be safely interrupted)...
2648225 build (dist-rawhide,
/impressive:3209089b8a5eec9ff3720599e9353223d5312348): free
2648225 build (dist-rawhide,
/impressive:3209089b8a5eec9ff3720599e9353223d5312348): free - open
(x86-01.phx2.fedoraproject.org)
  2648226 buildSRPMFromSCM
(/impressive:3209089b8a5eec9ff3720599e9353223d5312348): open
(x86-19.phx2.fedoraproject.org)
  2648226 buildSRPMFromSCM
(/impressive:3209089b8a5eec9ff3720599e9353223d5312348): open
(x86-19.phx2.fedoraproject.org) - closed
  0 free  1 open  1 done  0 failed
2648225 build (dist-rawhide,
/impressive:3209089b8a5eec9ff3720599e9353223d5312348): open
(x86-01.phx2.fedoraproject.org) - FAILED: BuildError: package
impressive is blocked for tag dist-f15
  0 free  0 open  1 done  1 failed

2648225 build (dist-rawhide,
/impressive:3209089b8a5eec9ff3720599e9353223d5312348) failed


[Test-Announce] Please Help Test 389 Directory Server 1.2.7.2

2010-12-06 Thread Rich Megginson
389-ds-base-1.2.7.2 is now in Testing.  This release has some key fixes 
for bugs in 1.2.7 and 1.2.7.1.  Please help us test. The sooner we can 
get this release tested, the sooner we can push it to Stable and make it 
generally available.  There is also a new 389-admin-1.1.13 package.

Installation

  yum install 389-ds --enablerepo=updates-testing
  # or for EPEL
  yum install 389-ds --enablerepo=epel-testing
  setup-ds-admin.pl

Upgrade

  yum upgrade --enablerepo=updates-testing 389-ds-base 389-admin
  # or for EPEL
  yum upgrade --enablerepo=epel-testing 389-ds-base 389-admin
  setup-ds-admin.pl -u

How to Give Feedback

The best way to provide feedback is via the Fedora Update system. Each 
update is broken down by package and platform. For example, if you are 
using Fedora 13, and you have successfully installed or upgraded all of 
the packages, and the console and etc. works, then go to the links below 
for Fedora 13 and provide feedback.

* 389-ds-base-1.2.7.2
** EL-5 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.7.2-1.el5
** Fedora 13 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.7.2-1.fc13
** Fedora 14 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.7.2-1.fc14

scroll down to the bottom of the page, and click on the Add a comment  
link

* select one of the Works for me or Does not work radio buttons, add 
text, and click on the Add Comment button

If you are using a build on another platform, just send us an email to 
389-us...@lists.fedoraproject.org

Reporting Bugs

If you find a bug, or would like to see a new feature, you can enter it 
here - https://bugzilla.redhat.com/enter_bug.cgi?product=389

More Information
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download


___
test-announce mailing list
test-annou...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/test-announce


Re: Firewall

2010-12-06 Thread Rodd Clarkson
On Tue, Dec 7, 2010 at 5:04 AM, Richard W.M. Jones rjo...@redhat.com wrote:

 On Mon, Dec 06, 2010 at 11:04:39AM -0500, Matt McCutchen wrote:
  On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
   On most desktop systems firewall is not needed. Many users do not even
   know how to configure it. In fact I disable it in most of my systems,
   because there is no real use for it. So I asked a simple question
   whether there is a need to install iptables by default?
  
   Your answer is not satisfactory for me - because not configured
   firewall has nothing to do with security. In fact, it can only bring
   false sense of security.
 
  I believe the default is to block incoming connections except for a few
  services.  This is good if you are running a sloppily written
  single-user server that binds to the wildcard address.  The Haskell
  Scion server fell in this category as of August 2009; I didn't look to
  see what a remote user might be able to do to me by connecting to it.
  Yes, the proper way to avoid problems is to bind to localhost, but the
  firewall can be nice.

 It would be nice if the firewall automatically followed services that
 I have enabled and disabled.  eg. If I explicitly enable the
 webserver, it should open the corresponding port(s).

Actually, just because a service is running doesn't mean you want it exposed to
the world.  I work as a web developer, so I have httpd running on my system,
but this doesn't mean that I want everyone to be able to access this.  My
httpd session is just for personal development and doesn't need to be
exposed just because it's running.


R.
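Both cases in this exchange, the wildcard-bound server that the firewall happens to shield and the httpd that is running but not meant to be reachable, come down to which address a listener is bound to. The following is an added example, not code from the thread: a small audit over lines in the `/proc/net/tcp` format that separates loopback-only listeners from those bound to the wildcard or to a routable address. The sample lines are constructed, and the address decoding assumes a little-endian host such as x86.

```python
"""Audit TCP listeners by bind address (added example, constructed input)."""
import ipaddress
import socket

TCP_LISTEN = "0A"   # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (IPv4, little-endian host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 22222 1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1
   3: 0A0200C0:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 44444 1
   4: 0A0200C0:01BB 140200C0:C350 01 00000000:00000000 00:00000000 00000000  1000        0 55555 1
"""


def decode_endpoint(field):
    """Turn '0100007F:0050' into ('127.0.0.1', 80)."""
    hex_ip, hex_port = field.split(":")
    # The address is a 32-bit value printed in host byte order, so on a
    # little-endian machine the bytes are reversed relative to dotted quad.
    ip = socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])
    return ip, int(hex_port, 16)


def audit_listeners(proc_net_tcp):
    """Return (ip, port, exposure) for every socket in LISTEN state."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                                # not a listening socket
        ip, port = decode_endpoint(fields[1])
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback:
            exposure = "loopback-only"      # reachable from this host only
        elif addr.is_unspecified:
            exposure = "wildcard"           # 0.0.0.0: every interface
        else:
            exposure = "specific-address"   # one interface, possibly routable
        findings.append((ip, port, exposure))
    return findings


def needs_firewall_decision(findings):
    """Ports whose reachability depends on the firewall, not on the bind."""
    return sorted(port for _, port, exp in findings if exp != "loopback-only")


if __name__ == "__main__":
    results = audit_listeners(SAMPLE)
    for ip, port, exposure in results:
        print(f"{ip}:{port:<6} {exposure}")
    print("depends on firewall:", needs_firewall_decision(results))
```

On a live Linux host the same functions can be fed `open("/proc/net/tcp").read()`; IPv6 listeners live in `/proc/net/tcp6` and use a different address encoding that this example does not handle.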

Re: Unretired package impressive blocked in buildsys

2010-12-06 Thread Kevin Fenzi
On Mon, 06 Dec 2010 22:04:27 +0100
Michael J Gruber m...@fedoraproject.org wrote:

 Hi there,
 
 I took over a retired package (rereview APPROVED, took over package,
 reassigned bugs, SCM update request processed) but can't seem to
 fedpkg build it: I get package impressive is blocked for tag
 dist-f15 (see below).
 
 Everything in pkgdb looks OK:
 
 https://admin.fedoraproject.org/pkgdb/acls/name/impressive
 
 I can (and did) fedpkg push to all pertinent branches (master, f14,
 f13, el6), so that SCM access is OK, but can't fedpkg build.
 
 The wiki at
 https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers
 suggests filing an infrastructure ticket, contacting toshio through
 irc or one of the infrastructure and devel lists in case of a wrong
 package status. But the status is fine (approved), the blockage seems
 to be somewhere in buildsys (?).
 
 Who can help, where should I report this or file a ticket?

File a rel-eng ticket: 

https://fedorahosted.org/rel-eng/newticket

Pointing to the re-review and asking that it be unblocked. 

kevin




Re: Firewall

2010-12-06 Thread Richard W.M. Jones
On Mon, Dec 06, 2010 at 03:06:24PM -0500, seth vidal wrote:
 On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote:
  On Mon, Dec 06, 2010 at 02:56:19PM -0500, seth vidal wrote:
   On Mon, 2010-12-06 at 14:55 -0500, Bill Nottingham wrote:
seth vidal (skvi...@fedoraproject.org) said: 
 Bittorrent won't work through many/most wireless routers unless they 
 are
 not natted and/or not explicitly configured.
 
 what network games?
 Heck, what network games do we HAVE?
 
 what are the use cases of zeroconf-enabled apps that we're targeting?

Zeroconf and IPP browse packets are both means of making printing less
of a giant pain to set up.
   
   ah, printing. 
   
   Is there anything that's not last century?
  
  
Yeah, general discovery.  From the top of my head:
  - Pulseaudio sinks and sources
  - libvirt instances for virt-manager
  - VNC desktops for Vinagre
  - local web pages (think SOHO router config page) for zeroconf
enabled Webbrowsers like Epiphany
  - remote disk management (udisks)
  - local FTP sites and WebDAV shares shown in nautilus places
  
And this is all blocked by default Fedora firewall settings (5353/udp).
  
 
 I'm confused - are any of the above intended to be used/available by
 anyone who is NOT experienced enough to know what iptables are and how
 to manage them? B/c I think it's a bit unlikely.

Our tooling around avahi sucks (even the command line tools), but the
idea itself is quite wonderful.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v


Re: Firewall

2010-12-06 Thread Matej Cepl
On 6.12.2010 20:53, seth vidal wrote:
 what are the use cases of zeroconf-enabled apps that we're targeting?

 * XMPP-over-Zeroconf (Bonjour)
 * gtkvnc searches for VNC servers
 * ekiga looks for other clients on LAN
 * you can go to local ssh servers in .local domain
 * etc. etc. ... partial list is on
http://avahi.org/wiki/Avah4users#SoftwareMakinguseofAvahi

Matěj


Re: Firewall

2010-12-06 Thread Matej Cepl
On 6.12.2010 21:06, seth vidal wrote:
 I'm confused - are any of the above intended to be used/available by
 anyone who is NOT experienced enough to know what iptables are and how
 to manage them? B/c I think it's a bit unlikely.

OK, so let's add (just what gets packaged in Fedora):

 * Empathy/Pidgin/gajim ... XMPP over Zeroconf for LAN
 * Gobby ... for connecting with collaborators over LAN (not sure
whether AbiWord and gedit-collaboration with similar functionality are
using Zeroconf or just plain XMPP over central server)
 * Pulseaudio sinks and servers ... most artists are poor in network
administration
 * DAAP servers (there is rhythmbox and mt-daapd already packaged, and I
plan to package forked-daapd) for sharing music over local network
 * seahorse (sharing web-of-trust over local network)
 * totem ... streaming for local network

Should I continue? Really, Seth, Bonjour was created by Apple as means
to make networking easy for normal people
(http://www.youtube.com/watch?v=kgMVjEJiHDM), so it should really work
for normal people without fiddling with firewall.

I have to admit, I am not completely happy with having no firewall per
default, but we should really do something about Zeroconf to really make
it work for normal people as much as bread toaster works for them.

Best,

Matěj


Re: Firewall

2010-12-06 Thread Michał Piotrowski
2010/12/6 Matej Cepl mc...@redhat.com:
 On 6.12.2010 21:06, seth vidal wrote:
[..]
 I have to admit, I am not completely happy with having no firewall per
 default,

It looks like you do not have to worry about removing iptables from @core :)

I think that further discussion on removing it from core is pointless,
so we have to start thinking about how to convert ip*tables to systemd
services. I'm afraid it will end up as something like this:
ExecStart=/etc/init.d/iptables start
ExecStop=/etc/init.d/iptables stop

 but we should really do something about Zeroconf to really make
 it work for normal people as much as bread toaster works for them.

 Best,

 Matěj




-- 
Best regards,
Michal

Sent from my iToaster


Re: Firewall

2010-12-06 Thread Adam Jackson
On Mon, 2010-12-06 at 15:06 -0500, seth vidal wrote:
 On Mon, 2010-12-06 at 21:01 +0100, Tomasz Torcz wrote: 
Yeah, general discovery.  From the top of my head:
  - Pulseaudio sinks and sources
  - libvirt instances for virt-manager
  - VNC desktops for Vinagre
  - local web pages (think SOHO router config page) for zeroconf
enabled Webbrowsers like Epiphany
  - remote disk management (udisks)
  - local FTP sites and WebDAV shares shown in nautilus places
  
And this is all blocked by default Fedora firewall settings (5353/udp).
 
 I'm confused - are any of the above intended to be used/available by
 anyone who is NOT experienced enough to know what iptables are and how
 to manage them? B/c I think it's a bit unlikely.

Yes, in fact.  This is how ad-hoc service discovery works on every other
OS and with a stunning number of consumer devices.  Interop with that is
an entirely reasonable thing to expect.

I've been using linux for, what, fourteen years now?  I've migrated
firewall configs from ipfwadm through ipchains through iptables.  I've
done network administration for a day job.  I know what a firewall is,
and if you force me to I can remember how to manage one long enough to
make file sharing work.

And every time I do, I think there's no reason it needs to be this
hard.  All I want to do is make movies on my hard drive visible to my
PS3.  Why is this harder than clicking share?  All I want to do is
plug the NAS drive I just bought from Best Buy into the ethernet cable
and put files on it.  Why do I have to play mother-may-I with the
firewall config tool before I can see that it's offering a UPNP service?

- ajax



Re: Firewall

2010-12-06 Thread seth vidal
On Mon, 2010-12-06 at 17:54 -0500, Adam Jackson wrote:

 And every time I do, I think there's no reason it needs to be this
 hard.  All I want to do is make movies on my hard drive visible to my
 PS3.  Why is this harder than clicking share?  All I want to do is
 plug the NAS drive I just bought from Best Buy into the ethernet cable
 and put files on it.  Why do I have to play mother-may-I with the
 firewall config tool before I can see that it's offering a UPNP service?

No reason - but why do I have to have the default on my OVERWHELMINGLY
LARGE NUMBER OF SERVER INSTALLS be less secure b/c you want to do
something like the above?

I shouldn't.

If you want to do that on the livecd - have at it.

if you want to make it the default system-wide then we have a problem.

-sv




Re: Request for comment: Potential change to dist-git branch structure

2010-12-06 Thread Jesse Keating
On 12/06/2010 01:10 AM, Andreas Schwab wrote:
 Jesse Keating jkeat...@redhat.com writes:
 
 However, if a user had a local
 branch of f14 or f14/master they will be left with mismatched
 .git/config entries.  In this case it's easiest to delete the local
 branch (git branch -d f14) and check it out again.
 
 Or git branch --set-upstream.
 
 Andreas.
 

Yes, there are a couple ways of fixing this.  I noted the easiest :)

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Toshio Kuratomi
On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
 On 6 December 2010 at 18:43, Kevin Fenzi ke...@scrye.com wrote:
  On Mon, 6 Dec 2010 18:17:51 +0100
  Michał Piotrowski mkkp...@gmail.com wrote:
 
  On 6 December 2010 at 18:01, Kevin Fenzi ke...@scrye.com
  wrote:
 
  ...snip...
 
   What are you trying to do?
 
  I'm trying to convert sysvinit scripts to systemd services (as many
  as possible)
 
  If you're trying to determine what units should be enabled by default,
  please talk to the Fedora Packaging Committee.
 
  See also:
  https://fedorahosted.org/fesco/ticket/504
 
  Where fesco decided:
 
  Default is off, exceptions exist to allow proper functioning of the
  os. FPC to document exceptions and process exception requests.
 
  FPC was going to work on an exceptions list I think...
 
 This list will be useful.
 
 Dear FPC people, could you provide this list in the near future?
 
Feedback appreciated -- what do you think should be on?  What do you think
should be off?  Right now I think we'd make an exception for ssh (a really
big exception since it's a network facing service, even).  Dbus and
default syslog variant also spring to mind which might be.  Those might be
able to start defining a category of things needed to run a desktop
session or something.

iptables, auditd, restorecond sound like keepers -- maybe a category here
would be things that add to system security in a default install.  For this
category we'd want to be careful, do we also want to allow fail2ban or
denyhosts to run by default if they're installed?

Other categories or specific examples would be good.

-Toshio



Re: Firewall

2010-12-06 Thread Orion Poplawski
On 12/06/2010 04:04 PM, seth vidal wrote:
 On Mon, 2010-12-06 at 17:54 -0500, Adam Jackson wrote:

 And every time I do, I think there's no reason it needs to be this
 hard.  All I want to do is make movies on my hard drive visible to my
 PS3.  Why is this harder than clicking share?  All I want to do is
 plug the NAS drive I just bought from Best Buy into the ethernet cable
 and put files on it.  Why do I have to play mother-may-I with the
 firewall config tool before I can see that it's offering a UPNP service?

 No reason - but why do I have to have the default on my OVERWHELMINGLY
 LARGE NUMBER OF SERVER INSTALLS be less secure b/c you want to do
 something like the above?

 I shouldn't.

 If you want to do that on the livecd - have at it.

 if you want to make it the default system-wide then we have a problem.

 -sv

But once we're talking about OVERWHELMINGLY LARGE NUMBER OF SERVER INSTALLS, 
aren't we also talking about kickstart and other automated management tools 
with which configuring things away from their default values is a standard and 
fairly straightforward thing to do?

-- 
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA DivisionFAX: 303-415-9702
3380 Mitchell Lane  or...@cora.nwra.com
Boulder, CO 80301  http://www.cora.nwra.com


Re: Request for comment: Potential change to dist-git branch structure

2010-12-06 Thread Jesse Keating
On 12/06/2010 12:44 PM, Bruno Wolff III wrote:
 On Mon, Dec 06, 2010 at 12:33:40 -0800,
   Jesse Keating jkeat...@redhat.com wrote:
 On 12/04/2010 09:52 AM, Bruno Wolff III wrote:

 Is this going to break things for people that have set up origin tracking
 for multiple releases in the same repo?

 Can you explain this a bit more please?
 
 I currently run:
 git branch -t f12 origin/f12/master
 git branch -t f13 origin/f13/master
 git branch -t f14 origin/f14/master
 
 Am I going to need to do anything when the origin branch names change?

Yes, you'd need to reset their merge points or delete/recreate the local
branches.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


Re: Firewall

2010-12-06 Thread Jesse Keating
On 12/06/2010 11:53 AM, seth vidal wrote:
 On Mon, 2010-12-06 at 11:48 -0800, Jesse Keating wrote:
 Bittorrent, network games, zero conf come to mind.

 
 Bittorrent won't work through many/most wireless routers unless they are
 not natted and/or not explicitly configured.

Actually bittorrents that have upnp work.  Routers I've seen come
pre-configured to allow upnp, so an app on a computer, or a game
console, sends out a upnp request to open up/forward a port and the
router complies.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


Re: Firewall

2010-12-06 Thread Jesse Keating
On 12/06/2010 12:18 PM, Tom Lane wrote:
 Jesse Keating jkeat...@redhat.com writes:
 The argument of default firewall or not would probably quiet down quite
 a bit if we had any sort of decent UI to help users get the firewall out
 of their way when they're really trying to do something.
 
 +1.  In today's environment, not having a firewall by default is an
 incredibly stupid idea.  What we need to do is fix the UI problems,
 not bypass them by dramatically reducing security.
 
   regards, tom lane

I keep seeing claims of incredibly stupid, and at the same time saying
we need to make it easier to open up ports when they need them.  What is
the default firewall protecting me from, if I'm allowed and hand held
through opening up ports on demand?

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Michał Piotrowski
2010/12/7 Toshio Kuratomi a.bad...@gmail.com:
 On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
 On 6 December 2010 18:43, Kevin Fenzi ke...@scrye.com wrote:
  On Mon, 6 Dec 2010 18:17:51 +0100
  Michał Piotrowski mkkp...@gmail.com wrote:
 
  On 6 December 2010 18:01, Kevin Fenzi ke...@scrye.com
  wrote:
 
  ...snip...
 
   What are you trying to do?
 
  I'm trying to convert sysvinit scripts to systemd services (as many
  as possible)
 
  If you're trying to determine what units should be enabled by default,
  please talk to the Fedora Packaging Committee.
 
  See also:
  https://fedorahosted.org/fesco/ticket/504
 
  Where fesco decided:
 
  Default is off, exceptions exist to allow proper functioning of the
  os. FPC to document exceptions and process exception requests.
 
  FPC was going to work on an exceptions list I think...

 This list will be useful.

 Dear FPC people, could you provide this list in the near future?

 Feedback appreciated -- what do you think should be on?  What do you think
 should be off?  Right now I think we'd make an exception for ssh (a really
 big exception since it's a network facing service, even).

Ok

  Dbus and
 default syslog variant also spring to mind which might be.

Ok

  Those might be
 able to start defining a category of things needed to run a desktop
 session or something.

 iptables,

no chance to disable this

I guess ip6tables too?

 auditd, restorecond sound like keepers -- maybe a category here
 would be things that add to system security in a default install.

These are things related to core system security, so should be enabled.

  For this
 category we'd want to be careful, do we also want to allow fail2ban or
 denyhosts to run by default if they're installed?

No, other things not related with SELinux (or something that we could
call core security subsystem) should be IMHO off by default.


 Other categories or specific examples would be good.

Cron - but should be activated only when cron files exist

It seems to me that the list:
- ssh
- Dbus
- syslog
- iptables
- ip6tables
- auditd
- restorecond
is an absolute minimum to get working system.

- udev-post ? - is it needed for F15?
- mdmonitor and lvm2-monitor? - are they needed for proper working MD's/LVM's?
- network/Networkmanager ?

Everything else that is not essential for Fedora security, basic
desktop functionality should be IMO off by default.


 -Toshio





-- 
Best regards,
Michal

Sent from my iToaster


Re: Firewall

2010-12-06 Thread seth vidal
On Mon, 2010-12-06 at 16:10 -0700, Orion Poplawski wrote:

 But once we're talking about OVERWHELMINGLY LARGE NUMBER OF SERVER INSTALLS,
 aren't we also talking about kickstart and other automated management tools
 with which configuring things away from their default values is a standard
 and fairly straightforward thing to do?


I am mostly concerned with surprising folks who have expected it to be
on.

But you know what - you have a fair point.

if we make this change, as long as we make it a feature and publicize
the heck out of it, I'm fine w/that.

-sv




Re: Firewall

2010-12-06 Thread Stephen John Smoogen
On Mon, Dec 6, 2010 at 16:25, Jesse Keating jkeat...@redhat.com wrote:
 On 12/06/2010 12:18 PM, Tom Lane wrote:
 Jesse Keating jkeat...@redhat.com writes:
 The argument of default firewall or not would probably quiet down quite
 a bit if we had any sort of decent UI to help users get the firewall out
 of their way when they're really trying to do something.

 +1.  In today's environment, not having a firewall by default is an
 incredibly stupid idea.  What we need to do is fix the UI problems,
 not bypass them by dramatically reducing security.

                       regards, tom lane

 I keep seeing claims of incredibly stupid, and at the same time saying
 we need to make it easier to open up ports when they need them.  What is
 the default firewall protecting me from, if I'm allowed and hand held
 through opening up ports on demand?


Ports that you don't know are open to the network but are somehow available.

Let us put this conversation slightly different... how many of us
remember password-less package install? It all sounded like a good
idea with people who are going to be on the system already being able
to do what they want so why ask for a password. However how did it get
seen in the end? Fedora comes RootKit enabled and other fluff.

I am trying to think how this one will play out:

Ten years ago, Linux distros were cutting edge by coming with a
firewall enabled. Now Fedora is going to cut the edge in a new way...
no firewall wanted.

Yes there are a lot of good ideas and reasons.. I think that first
though a tool to deal with firewalls and THEN we can talk about what
firewalls need to be removed.

[And no I am not trying for 2 weeks of LWN quotes as tempting it will
be. (alright alright I am .. it is just so addicting)]



-- 
Stephen J Smoogen.
The core skill of innovators is error recovery, not failure avoidance.
Randy Nelson, President of Pixar University.
Let us be kind, one to another, for most of us are fighting a hard
battle. -- Ian MacLaren


Re: Firewall

2010-12-06 Thread Jesse Keating
On 12/06/2010 03:42 PM, Stephen John Smoogen wrote:
 Ports that you don't know are open to the network but are somehow available.
 
 Let us put this conversation slightly different... how many of us
 remember password-less package install? It all sounded like a good
 idea with people who are going to be on the system already being able
 to do what they want so why ask for a password. However how did it get
 seen in the end? Fedora comes RootKit enabled and other fluff.
 
 I am trying to think how this one will play out:
 
 Ten years ago, Linux distros were cutting edge by coming with a
 firewall enabled. Now Fedora is going to cut the edge in a new way...
 no firewall wanted.
 
 Yes there are a lot of good ideas and reasons.. I think that first
 though a tool to deal with firewalls and THEN we can talk about what
 firewalls need to be removed.
 
 [And no I am not trying for 2 weeks of LWN quotes as tempting it will
 be. (alright alright I am .. it is just so addicting)]


Clearly we just need to word it differently.  Linux has a firewall built
in, that nothing will come in until you bind to a port.  We're just
removing the redundant extra firewall by default :)

(I'm not actually serious)

(I also don't really care if we have a firewall by default vs not, so
long as we're very clear in what the benefits are one way or another
(more than just ZOMG NEED FIREWALL), and we make it easy for expected
things to work and unexpected things to not work)

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Matt McCutchen
On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
 Cron - but should be activated only when cron files exist
 
 It seems to me that the list:
 - ssh
 - Dbus
 - syslog
 - iptables
 - ip6tables
 - auditd
 - restorecond
 is an absolute minimum to get working system.

I don't agree that ssh is required for a working system.  A desktop
user may never ssh to his/her own machine.  (Whether to enable ssh by
default is a different question.)

-- 
Matt


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Michał Piotrowski
2010/12/7 Matt McCutchen m...@mattmccutchen.net:
 On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
 Cron - but should be activated only when cron files exist

 It seems to me that the list:
 - ssh
 - Dbus
 - syslog
 - iptables
 - ip6tables
 - auditd
 - restorecond
 is an absolute minimum to get working system.

 I don't agree that ssh is required for a working system.

It's required for all systems without display device

  A desktop
 user may never ssh to his/her own machine.

That's why it should be socket activated as soon as possible

  (Whether to enable ssh by
 default is a different question.)

 --
 Matt




-- 
Best regards,
Michal

Sent from my iToaster


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Toshio Kuratomi
On Tue, Dec 07, 2010 at 12:38:07AM +0100, Michał Piotrowski wrote:
 2010/12/7 Toshio Kuratomi a.bad...@gmail.com:
   Those might be
  able to start defining a category of things needed to run a desktop
  session or something.
 
  iptables,
 
 no chance to disable this
 
I'd be more inclined to ask what benefit we have to turning the firewall off
vs having a more permissive set of firewall rules by default.  AFAIK,
turning the firewall on doesn't currently turn on any additional daemon --
it just sets up the defined rules.

 I guess ip6tables too?
 
Yep.

Would you be willing to write up a Packaging Draft and add it to the FPC
tracker?  If not, I'll bring it up in the Packaging Meeting on Wednesday
morning.

-Toshio




Re: Fedora default services

2010-12-06 Thread Jason L Tibbitts III
 MP == Michał Piotrowski mkkp...@gmail.com writes:

MP Dear FPC people, could you provide this list in the near future?

We haven't even met since it was decided that we were to do this.  I
imagine it would take a couple of meetings to bang out a list.

 - J

Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Matt McCutchen
On Tue, 2010-12-07 at 01:07 +0100, Michał Piotrowski wrote:
 2010/12/7 Matt McCutchen m...@mattmccutchen.net:
  On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
  Cron - but should be activated only when cron files exist
 
  It seems to me that the list:
  - ssh
  - Dbus
  - syslog
  - iptables
  - ip6tables
  - auditd
  - restorecond
  is an absolute minimum to get working system.
 
  I don't agree that ssh is required for a working system.
 
 It's required for all systems without display device

That is, some servers.  It needs to be easy to enable sshd when
installing a server, but I don't see a reason to have it enabled by
default on desktops.

-- 
Matt


Re: Fedora as semantic desktop (nautilus and tracker integration) ?

2010-12-06 Thread Adam Williamson
On Sun, 2010-12-05 at 17:04 +0100, valent.turko...@gmail.com wrote:
 On Sat, Dec 4, 2010 at 11:44 PM, valent.turko...@gmail.com
 valent.turko...@gmail.com wrote:
  https://bugzilla.redhat.com/show_bug.cgi?id=501227
 
  I'm writing to devel list just if anybody can say will there be any
  chance to get nautilus and tracker integration working? Is this on
  anybody's radar?
 
  Thanks,
  Valent.
 
 Is this feature abandoned because of GNOME 3? Will GNOME 3 have some
 similar integration with tracker?

It's more likely to be integrated with Zeitgeist:

http://seilo.geekyogre.com/2010/12/gnome-shell-zeitgeist/
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Adam Williamson
On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:

 There are no stupid questions :)
 
 On most desktop systems firewall is not needed. Many users do not even
 know how to configure it. In fact I disable it in most of my systems,
 because there is no real use for it. So I asked a simple question
 whether there is a need to install iptables by default?

On most laptops, however, which are the most common types of system sold
today, a firewall is very definitely needed when you're connecting to
hotel networks, public wifi access points...
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net


Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Miloslav Trmač
Adam Williamson wrote on Mon, 06 Dec 2010 at 17:57 -0800:
 On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
 
  There are no stupid questions :)
  
  On most desktop systems firewall is not needed. Many users do not even
  know how to configure it. In fact I disable it in most of my systems,
  because there is no real use for it. So I asked a simple question
  whether there is a need to install iptables by default?
 
 On most laptops, however, which are the most common types of system sold
 today, a firewall is very definitely needed when you're connecting to
 hotel networks, public wifi access points...
It's not quite as clear as that.  Yes, the networks are dangerous.  But
what specifically is the firewall protecting, and what specifically does
it prevent?
Mirek


Re: Firewall

2010-12-06 Thread Adam Williamson
On Mon, 2010-12-06 at 19:05 +, Daniel P. Berrange wrote:

 The other benefit would be if the user only intended the
 service to be accessible to localhost, or a UNIX domain
 socket but for some reason screwed up their service's
 config & opened it to the world.

I use it as a safety net for much this reason. I am not comfortable with
100% guaranteeing that 'helpful' services we install by default like
Avahi are not doing things I really wouldn't want them to do when I
connect to some open wifi network.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
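
[Added example, not part of any poster's message.] The safety-net case discussed above (a service meant for localhost that ends up bound to every interface) can be checked by reading the kernel's listener table. This sketch parses the `/proc/net/tcp` layout; the sample rows, the `expected_ports` allow-list and the function names are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import ipaddress

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# local_address is hex IPv4 in host byte order, ":" hex port; st 0A = LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11003
   3: 0201A8C0:0016 0501A8C0:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 11004
"""

TCP_LISTEN = 0x0A  # socket state value the kernel prints for listening sockets


def decode_endpoint(field):
    """Turn '0100007F:0277' into (IPv4Address('127.0.0.1'), 631)."""
    hex_addr, hex_port = field.split(":")
    # Assumption: little-endian host, so the address bytes are reversed.
    addr = ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1])
    return addr, int(hex_port, 16)


def listening_sockets(table_text):
    """Return (address, port) for every row in LISTEN state."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or int(cols[3], 16) != TCP_LISTEN:
            continue  # short row, or an established/closing connection
        found.append(decode_endpoint(cols[1]))
    return found


def exposed_without_firewall(table_text, expected_ports=frozenset()):
    """Listeners reachable from the network that are not on the allow-list.

    Loopback-bound listeners are skipped: the kernel already refuses remote
    connections to them. Anything else relies on a packet filter (or on the
    service's own configuration) to stay private.
    """
    exposed = []
    for addr, port in listening_sockets(table_text):
        if addr.is_loopback or port in expected_ports:
            continue
        exposed.append((str(addr), port))
    return sorted(exposed)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as handle:  # live table on a Linux host
            table = handle.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for address, port in exposed_without_firewall(table, expected_ports={22}):
        print(f"unexpected network-facing listener: {address}:{port}")
```

With the sample table and ssh on the allow-list, only the wildcard-bound listener on port 8080 is reported; the loopback-only listener on 631 never appears, firewall or not.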



Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010-12-06 Thread Jesse Keating
On 12/06/2010 05:57 PM, Adam Williamson wrote:
 On most laptops, however, which are the most common types of system sold
 today, a firewall is very definitely needed when you're connecting to
 hotel networks, public wifi access points...


Please explain why.  What actual service is the firewall rendering in
this case?

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
