Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Carlos Rodriguez-Fernandez 

Adam,

Is there a way already to achieve test isolation during the rpm build?

Beside doing something ad-hoc with git init or some file system feature, 
I was wondering if there is something already available and standardized.


Regards,
Carlos R.F.

On 3/31/24 20:27, Adam Williamson wrote:

On Sun, 2024-03-31 at 20:12 +0200, Kevin Kofler via devel wrote:

Adam Williamson wrote:

I would argue there's a danger of getting too tied up in very specific
technical details of this attack.


But the fact is:

What WOULD have stopped this attack: (one or more of:)
* Deleting ALL unit tests in %prep (and then of course not trying to run
them later).


This comes with the huge cost that we no longer have any idea if many
things actually work in Fedora. There are much better options here,
such as ensuring the package build process *isolates* the test data
from the compile process without just *removing* it. but again, this is
getting far too tied up in the details of this *one* attack. it's the
"everyone has to take their shoes off at the airport forever" mistake:
just because the *last* attack involved a binary test file, does not
mean the *next* one will. This is also known as preparing for the last
war, in military strategy.


* Deleting ALL files automatically generated or imported by autotools in
%prep, THEN running "autoreconf -i -f". (DO NOT trust autoreconf, it would
NOT have done the right thing here. Delete the files, THEN run autoreconf.)


No. This would not have avoided the attack, because it would not have
regenerated the malicious file. We have already established that.


* NOT patching OpenSSH downstream to link it against libsystemd against
upstream's recommendation.


Again, this is far too tied to the specific attack. I'm not interested,
as I said, in Monday morning quarterbacking this specific attack. I'm
interested in the question of what are the most immediate and effective
ways Fedora can lower its likelihood to be directly targeted in a
supply chain attack *in future*. Not the last one.


What WOULD have greatly reduced the impact of this attack:
* NOT enabling updates-testing by default for Branched releases.


This would only have helped by coincidence - the coincidence that the
compromise was discovered so quickly. Otherwise, we were busy trying to
get this update pushed stable as fast as possible, because rwmj wanted
that. If the compromise had happened to be caught a few days later, the
update would have been pushed stable anyway. Our gating and manual
testing processes are not designed to catch security issues, and
certainly do not reliably do that job. They did not in this case. So it
seems wrong, to me, to suggest we should rely on them to do it in
future. Thus I disagree that any possible security benefit gained by
doing this would outweigh the substantial disadvantage that we wouldn't
get testing of stuff promptly any more.


What WOULD NOT have stopped this attack: (any or all of:)
* 2FA. GitHub already enforces 2FA. It did NOT stop this attack.


Again. I'm not interested in what, with hindsight, might have stopped
the attack that already happened. We know for sure that weak
authentication processes absolutely are a giant flashing ATTACK HERE
neon sign for *future* attackers.


* Any stricter vetting of Fedora contributions. The attack was performed
upstream, NOT in Fedora.


See above.


* More distrust of new Fedora contributors. The offending upgrade was
imported by a TRUSTED Fedora contributor. The untrusted new person operated
upstream, NOT in Fedora.


See above again.


OpenPGP_signature.asc
Description: OpenPGP digital signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Christoph Karl via devel 

+1

Am 01.04.24 um 06:31 schrieb Scott Schmit:

One approach:
1. do the build
2. do the install
3. generate the RPMs
4. quarantine the RPMs so they're safe from modification
- I believe this could be done via SELinux policy
- there are probably other mechanisms
5. run the tests
- for SELinux, this might be via an `rpmbuild-test` binary that
  doesn't have rights to touch the output RPMs
6a. if the tests fail, destroy the RPMs and fail out, reproducing the
result today
6b. if the tests pass, move/copy the RPMs to the result location and
exit cleanly, reproducing the result today


Boils down to separate source and test code/phase

source code:
(hopefully not obfuscated to the point where no review is possible)
no binaries allowed, best possible review
needed to build
build phase: source to binary

test code:
binaries allowed
only needed to test
test phase: binary unmodified

Allowing a test file to modify the binary makes it a source file. ?

Christoph
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Scott Schmit 
On Mon, Apr 01, 2024 at 09:06:16AM +0900, Dominique Martinet wrote:
> Scott Schmit wrote on Sun, Mar 31, 2024 at 05:02:44PM -0400:
> > Deleting the tests makes no sense to me either, but it seems like a
> > mechanism that ensures the test code can't change the build outputs (or
> > a mechanism to detect that it's happened and abort the build) would
> > allow upstream tests to be run without compromising the integrity of the
> > build itself.
> 
> Just to be clear here that wouldn't have been enough: it's not the test
> step that's modifying the binaries, the actual build step is modified in
> the right conditions to use data that looks like it belongs to a test
> (I've read the actual files aren't actually used in any test and just
> look like test data, I didn't check, it wouldn't be hard to make a test
> that uses them anyway)
> 
> So short of deleting all blobs e.g. all test data this wouldn't have
> been prevented, just not running tests isn't enough.

Ugh!  I'd missed that detail.

> In theory it'd be possible to build twice:
> - one normal build with test data, and run tests at the end
> - a second build without test data (and confirm we've got an identical
> binary, builds are reproducible right?!)

FWIW, I don't think you'd need to build twice:

One approach:
1. do the build
2. do the install
3. generate the RPMs
4. quarantine the RPMs so they're safe from modification
   - I believe this could be done via SELinux policy
   - there are probably other mechanisms
5. run the tests
   - for SELinux, this might be via an `rpmbuild-test` binary that
 doesn't have rights to touch the output RPMs
6a. if the tests fail, destroy the RPMs and fail out, reproducing the
   result today
6b. if the tests pass, move/copy the RPMs to the result location and
   exit cleanly, reproducing the result today

A variation of this would order things as normal but capture hashes of
all the files before the tests start and check the hashes after they're
done.  As long as the hashes can't be changed in between, you can trust
that.

Another approach (perhaps more doable in mock, not so easy otherwise):
1. do the build as user1
2. do the tests as user2
3. if the tests pass, resume as user1 as today

Given that the build pollution came from loading data out of the tests,
the above might still be useful, but it's not sufficient to prevent a
recurrence. (Though if you can identify the test files, you could still
segregate them via similar means -- make them unreadable until you're
ready to run the tests.)

> But while we might be able to afford the computing cost, I'm not sure
> it's worth it -- this attack vector happened to use test data, but there
> are plenty of other ways of doing this, and even just identifying /
> removing test data in the first place is hard work for packagers (I
> guess we could try to detect binary files but there is no end to that
> either, and many builds would just break if we were to automatically
> remove tests...)

Another idea I've seen floated
 is to modify the
build tools (compilers, etc) to generate SBOM files that log every input
file used to produce a given output.  Then you have a record to audit to
see if stuff is pulled from weird places.  That said, that wouldn't help
either, because all the machinations were via shell commands that
aren't, strictly speaking, build tools.  (Except if the linker shows a
file as input that was never generated by a compiler…)

But we could adapt that idea -- couldn't we use strace(1)/ptrace(2) to
detect open calls to determine the inputs and outputs?  And we could
protect the resulting records from build/test tampering similarly to the
above.

And if the upstream makes it difficult to tell what's test vs not…I
think at this point we have this incident as precedent to help explain
why we'd prefer less convoluted builds, or at least some explanations.

I dunno how workable that is in practice, though.  Though a part of me
says that it all boils down to making the build process more transparent
than we've previously put up with.

Anyway, just putting that out there in case anyone thinks these are good
ideas (or brainstorming toward better ones).

> (Anyway, I also think tests bring more benefits than risks in our case)

And it also occurs to me that test failures could just as easily help
find a malicious change if some new feature we're adding to Fedora
breaks the tests unexpectedly and exposes it (or just something unique
about how we've configured things).

-- 
Scott Schmit


smime.p7s
Description: S/MIME cryptographic signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:

2024-04-01 @ 16:00 UTC - Fedora 40 Blocker Review Meeting

2024-03-31 Thread Adam Williamson 
# F40 Blocker Review meeting
# Date: 2024-04-01
# Time: 16:00 UTC
# Location:
https://matrix.to/#/#blocker-review:fedoraproject.org?web-instance[element.io]=chat.fedoraproject.org

Hi folks! It's time for another blocker review meeting. We have 3
proposed blockers for Final.

Here is a handy link which should show you the meeting time
in your local time:
https://www.timeanddate.com/worldclock/fixedtime.html?msg=Fedora+40+Blocker+review+meeting=20240401T16=1440=2

The meeting will be on Matrix. Click the link above to join in a web
client - you can authenticate with your FAS account - or use a
dedicated client of your choosing.

If you have time today, you can take a look at the proposed or
accepted blockers before the meeting -  the full lists can be found
here: https://qa.fedoraproject.org/blockerbugs/ .

Remember, you can also now vote on bugs outside of review meetings! If
you look at the bug list in the blockerbugs app, you'll see links
labeled "Vote!" next to all proposed blockers and freeze exceptions.
Those links take you to tickets where you can vote.
https://pagure.io/fedora-qa/blocker-review has instructions on how
exactly you do it. We usually go through the tickets shortly before the
meeting and apply any clear votes, so the meeting will just cover bugs
where there wasn't a clear outcome in the ticket voting yet. **THIS
MEANS IF YOU VOTE NOW, THE MEETING WILL BE SHORTER!**

We'll be evaluating these bugs to see if they violate any of the 
Release Criteria and warrant the blocking of a release if they're not 
fixed. Information on the release criteria for F40 can be found on the 
wiki [0].

For more information about the Blocker and Freeze exception process, 
check out these links:
 - https://fedoraproject.org/wiki/QA:SOP_blocker_bug_process
 - https://fedoraproject.org/wiki/QA:SOP_freeze_exception_bug_process

And for those of you who are curious how a Blocker Review Meeting 
works - or how it's supposed to go and you want to run one - check out 
the SOP on the wiki:
 - https://fedoraproject.org/wiki/QA:SOP_Blocker_Bug_Meeting

Have a good day and see you tomorrow!

[0] https://fedoraproject.org/wiki/Fedora_Release_Criteria
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Test-Announce] 2024-04-01 @ 15:00 UTC - Fedora Quality Meeting

2024-03-31 Thread Adam Williamson 
# Fedora Quality Assurance Meeting
# Date: 2024-04-01
# Time: 15:00 UTC
(https://fedoraproject.org/wiki/Infrastructure/UTCHowto)
# Location:
https://matrix.to/#/#meeting:fedoraproject.org?web-instance[element.io]=chat.fedoraproject.org

Greetings testers! It's meeting time again, and once again we'll
be on Matrix.

Here is a handy link which should show you the meeting time
in your local time:
https://www.timeanddate.com/worldclock/fixedtime.html?msg=Fedora+quality+meeting=20240401T15=1440=1

If anyone has any other items for the agenda, please reply to this
email and suggest them! Thanks.

== Proposed Agenda Topics ==

1. Previous meeting follow-up
2. Fedora 40 status and Final planning
3. xz compromise discussion
4. Test Day / community event status
5. Open floor
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
___
test-announce mailing list -- test-annou...@lists.fedoraproject.org
To unsubscribe send an email to test-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/test-annou...@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Adam Williamson 
On Sun, 2024-03-31 at 20:12 +0200, Kevin Kofler via devel wrote:
> Adam Williamson wrote:
> > I would argue there's a danger of getting too tied up in very specific
> > technical details of this attack.
> 
> But the fact is:
> 
> What WOULD have stopped this attack: (one or more of:)
> * Deleting ALL unit tests in %prep (and then of course not trying to run 
> them later).

This comes with the huge cost that we no longer have any idea if many
things actually work in Fedora. There are much better options here,
such as ensuring the package build process *isolates* the test data
from the compile process without just *removing* it. but again, this is
getting far too tied up in the details of this *one* attack. it's the
"everyone has to take their shoes off at the airport forever" mistake:
just because the *last* attack involved a binary test file, does not
mean the *next* one will. This is also known as preparing for the last
war, in military strategy.

> * Deleting ALL files automatically generated or imported by autotools in 
> %prep, THEN running "autoreconf -i -f". (DO NOT trust autoreconf, it would 
> NOT have done the right thing here. Delete the files, THEN run autoreconf.)

No. This would not have avoided the attack, because it would not have
regenerated the malicious file. We have already established that.

> * NOT patching OpenSSH downstream to link it against libsystemd against 
> upstream's recommendation.

Again, this is far too tied to the specific attack. I'm not interested,
as I said, in Monday morning quarterbacking this specific attack. I'm
interested in the question of what are the most immediate and effective
ways Fedora can lower its likelihood to be directly targeted in a
supply chain attack *in future*. Not the last one.

> What WOULD have greatly reduced the impact of this attack:
> * NOT enabling updates-testing by default for Branched releases.

This would only have helped by coincidence - the coincidence that the
compromise was discovered so quickly. Otherwise, we were busy trying to
get this update pushed stable as fast as possible, because rwmj wanted
that. If the compromise had happened to be caught a few days later, the
update would have been pushed stable anyway. Our gating and manual
testing processes are not designed to catch security issues, and
certainly do not reliably do that job. They did not in this case. So it
seems wrong, to me, to suggest we should rely on them to do it in
future. Thus I disagree that any possible security benefit gained by
doing this would outweigh the substantial disadvantage that we wouldn't
get testing of stuff promptly any more.
> 
> What WOULD NOT have stopped this attack: (any or all of:)
> * 2FA. GitHub already enforces 2FA. It did NOT stop this attack.

Again. I'm not interested in what, with hindsight, might have stopped
the attack that already happened. We know for sure that weak
authentication processes absolutely are a giant flashing ATTACK HERE
neon sign for *future* attackers.

> * Any stricter vetting of Fedora contributions. The attack was performed 
> upstream, NOT in Fedora.

See above.

> * More distrust of new Fedora contributors. The offending upgrade was 
> imported by a TRUSTED Fedora contributor. The untrusted new person operated 
> upstream, NOT in Fedora.

See above again.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2268717] perl-Spreadsheet-XLSX-0.18 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2268717



--- Comment #10 from Fedora Update System  ---
FEDORA-EPEL-2024-aa863b2777 has been pushed to the Fedora EPEL 7 testing
repository.

You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-aa863b2777

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information
on how to test updates.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202268717%23c10
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[EPEL-devel] Fedora EPEL 7 updates-testing report

2024-03-31 Thread updates 
The following Fedora EPEL 7 Security updates need testing:
 Age  URL
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-15cde9f00b   
chromium-123.0.6312.58-1.el7
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-07e8f5f1f0   
libopenmpt-0.7.6-1.el7


The following builds have been pushed to Fedora EPEL 7 updates-testing

bitlbee-facebook-1.2.2-9.el7
perl-Spreadsheet-XLSX-0.18-1.el7

Details about builds:



 bitlbee-facebook-1.2.2-9.el7 (FEDORA-EPEL-2024-e4954e087d)
 Facebook protocol plugin for BitlBee

Update Information:

Test whether BitlBee can load plugin during startup (#2272092)

ChangeLog:

* Sun Mar 31 2024 Robert Scheck  1.2.2-9
- Test whether BitlBee can load plugin during startup (#2272092)
* Tue Jan 23 2024 Fedora Release Engineering  - 
1.2.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering  - 
1.2.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jul 19 2023 Fedora Release Engineering  - 
1.2.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jan 18 2023 Fedora Release Engineering  - 
1.2.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jul 20 2022 Fedora Release Engineering  - 
1.2.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jan 19 2022 Fedora Release Engineering  - 
1.2.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jul 21 2021 Fedora Release Engineering  - 
1.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

References:

  [ 1 ] Bug #2272092 - facebook.so plugin fails to load: undefined symbol: 
SET_INVALID
https://bugzilla.redhat.com/show_bug.cgi?id=2272092




 perl-Spreadsheet-XLSX-0.18-1.el7 (FEDORA-EPEL-2024-aa863b2777)
 Perl extension for reading Microsoft Excel 2007 files

Update Information:

Spreadsheet::XLSX 0.18
Fix RT #117166: unformatted date values can no longer be retrieved

ChangeLog:

* Sun Mar 31 2024 Robert Scheck  0.18-1
- Upgrade to 0.18 (#2268717)
* Thu Jan 25 2024 Fedora Release Engineering  - 0.17-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering  - 0.17-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jul 21 2023 Fedora Release Engineering  - 0.17-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jan 20 2023 Fedora Release Engineering  - 0.17-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Jul 22 2022 Fedora Release Engineering  - 0.17-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun  1 2022 Jitka Plesnikova  - 0.17-3
- Perl 5.36 rebuild
* Fri Jan 21 2022 Fedora Release Engineering  - 0.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

References:

  [ 1 ] Bug #2268717 - perl-Spreadsheet-XLSX-0.18 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2268717


--
___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Carlos Rodriguez-Fernandez 


Regarding downstream defense, prohibiting blobs or differences between 
tars and git repos may be overkill or difficult at this moment, but a 
tool to assist maintainers in the identification and analysis of these 
situations where attacks may be hidden into can be very helpful.


Regarding the latter, where you want to find diff between tars and git 
repo content, someone may say "let's just use the github API to pull the 
tar", but not all projects use github, or have that feature. So, I still 
think there is value in these tools.


I started working on a PoC personal minitool named rpmseclint that 
utilizes the "VCS" tag to pull the git repo, and the tar, and compares 
and flags things for further review. Right now, I'm just focused on 
blobs, and files/directories differences. The intention is to use it at 
least right before a rebase. I'm just planning to personally use it to 
get a "feel" for it (and help myself), but open to anyone wanting to 
explore this idea.


In general, I think the idea of codifying security practices expertise 
in tools to assist maintainers with detection and analysis has great 
value; even if it is not enforcing anything at the moment. The 
maintainer could then explicitly add found problems to an "ignore" list 
after the analysis, and explain the "why" in the git commit body 
message, and perpetuate the reasoning in the git history of the 
downstream project. There is already a lot of best practices codified in 
the gating pipelines, and I have found them extremely useful myself.


Regards,
Carlos R.F.

On 3/30/24 02:37, Richard W.M. Jones wrote:

I'm not pretending these will solve everything, but they should make
attacks a little harder in future.


(1) We should routinely delete autoconf-generated cruft from upstream
projects and regenerate it in %prep.  It is easier to study the real
source rather than dig through the convoluted, generated shell script
in an upstream './configure' looking for back doors.

For most projects, just running "autoreconf -fiv" is enough.

Yes, there are some projects that depend on a specific or old version
of autoconf.  We should fix those.  But that doesn't need to delay us
from using autoreconf on many projects today.

In the xz case this wouldn't have been enough, it turns out we would
also have to delete m4/build-to-host.m4, which then autoreconf
regenerates.  I don't fully understand why that is.


(2) We should discourage gnulib as much as possible.

In libvirt we took the decision a few years ago to remove gnulib.
It's extremely convoluted and almost no one understands how it really
works.  It's written in obscure m4 macros and shell script.

It's also not necessary for Linux since gnulib is mainly about
porting to non-Linux platforms.  There are better ways to do this.

In the xz case it was a gnulib-derived script which was modified to do
the initial injection (original:
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD).


(3) We should have a "security path", like "critical path".

sshd is linked to a lot of libraries:

/lib64/libaudit.so.1audit-libs
/lib64/libc.so.6glibc
/lib64/libcap-ng.so.0   libcap-ng
/lib64/libcap.so.2  libcap
/lib64/libcom_err.so.2  libcom_err
/lib64/libcrypt.so.2libxcrypt
/lib64/libcrypto.so.3   openssl-libs
/lib64/libeconf.so.0libeconf
/lib64/libgcc_s.so.1libgcc
/lib64/libgssapi_krb5.so.2  krb5-libs
/lib64/libk5crypto.so.3 krb5-libs
/lib64/libkeyutils.so.1 keyutils-libs
/lib64/libkrb5.so.3 krb5-libs
/lib64/libkrb5support.so.0  krb5-libs
/lib64/liblz4.so.1  lz4-libs
/lib64/liblzma.so.5 xz-libs
/lib64/libm.so.6glibc
/lib64/libpam.so.0  pam-libs
/lib64/libpcre2-8.so.0  pcre2
/lib64/libresolv.so.2   glibc
/lib64/libselinux.so.1  libselinux
/lib64/libsystemd.so.0  systemd-libs
/lib64/libz.so.1zlib / zlib-ng
/lib64/libzstd.so.1 zstd

Should we have a higher level of attention to these packages?  We
already have "critical path", but that's a broad category now.  These
seem like they are "security path" packages, an intentionally small
subset associated with very secure services which are enabled by
default.


These are just my thoughts on a Saturday morning.  Feedback welcome of
course.

Rich.



OpenPGP_signature.asc
Description: OpenPGP digital signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2268717] perl-Spreadsheet-XLSX-0.18 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2268717



--- Comment #9 from Fedora Update System  ---
FEDORA-EPEL-2024-3b841f3e4c has been pushed to the Fedora EPEL 9 testing
repository.

You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-3b841f3e4c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information
on how to test updates.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202268717%23c9
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[EPEL-devel] Fedora EPEL 9 updates-testing report

2024-03-31 Thread updates 
The following Fedora EPEL 9 Security updates need testing:
 Age  URL
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-5e764f8789   
opensmtpd-7.4.0p1-1.el9
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-24aceec24b   
chromium-123.0.6312.58-1.el9
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-e2cad98fb0   
tinyxml-2.6.2-28.el9
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-8526776b15   
libopenmpt-0.7.6-1.el9


The following builds have been pushed to Fedora EPEL 9 updates-testing

bitlbee-facebook-1.2.2-9.el9
perl-Spreadsheet-XLSX-0.18-1.el9
proftpd-1.3.8b-3.el9

Details about builds:



 bitlbee-facebook-1.2.2-9.el9 (FEDORA-EPEL-2024-4de1ad4f9f)
 Facebook protocol plugin for BitlBee

Update Information:

Test whether BitlBee can load plugin during startup (#2272092)

ChangeLog:

* Sun Mar 31 2024 Robert Scheck  1.2.2-9
- Test whether BitlBee can load plugin during startup (#2272092)
* Tue Jan 23 2024 Fedora Release Engineering  - 
1.2.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering  - 
1.2.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jul 19 2023 Fedora Release Engineering  - 
1.2.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

References:

  [ 1 ] Bug #2272092 - facebook.so plugin fails to load: undefined symbol: 
SET_INVALID
https://bugzilla.redhat.com/show_bug.cgi?id=2272092




 perl-Spreadsheet-XLSX-0.18-1.el9 (FEDORA-EPEL-2024-3b841f3e4c)
 Perl extension for reading Microsoft Excel 2007 files

Update Information:

Spreadsheet::XLSX 0.18
Fix RT #117166: unformatted date values can no longer be retrieved

ChangeLog:

* Sun Mar 31 2024 Robert Scheck  0.18-1
- Upgrade to 0.18 (#2268717)
* Thu Jan 25 2024 Fedora Release Engineering  - 0.17-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering  - 0.17-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jul 21 2023 Fedora Release Engineering  - 0.17-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jan 20 2023 Fedora Release Engineering  - 0.17-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Jul 22 2022 Fedora Release Engineering  - 0.17-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun  1 2022 Jitka Plesnikova  - 0.17-3
- Perl 5.36 rebuild

References:

  [ 1 ] Bug #2268717 - perl-Spreadsheet-XLSX-0.18 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2268717




 proftpd-1.3.8b-3.el9 (FEDORA-EPEL-2024-2141e40509)
 Flexible, stable and highly-configurable FTP server

Update Information:

This updates adds mod_proxy in its own sub-package, proftpd-proxy.

ChangeLog:

* Sun Mar 31 2024 Paul Howarth  - 1.3.8b-3
- Add 'proxy' sub-package with unbundled mod_proxy (rhbz#2272051)
- Update fsio.c: if mkdir fails with EEXIST, also clear the cache (GH#1677)

References:

  [ 1 ] Bug #2272051 - please include proftpd-mod_proxy (and a small bugfix)
https://bugzilla.redhat.com/show_bug.cgi?id=2272051


--
___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2268717] perl-Spreadsheet-XLSX-0.18 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2268717



--- Comment #8 from Fedora Update System  ---
FEDORA-EPEL-2024-6794536e9f has been pushed to the Fedora EPEL 8 testing
repository.

You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-6794536e9f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information
on how to test updates.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202268717%23c8
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[EPEL-devel] Fedora EPEL 8 updates-testing report

2024-03-31 Thread updates 
The following Fedora EPEL 8 Security updates need testing:
 Age  URL
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-fc233c6d2e   
chromium-123.0.6312.58-1.el8
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-0ced8d6066   
tinyxml-2.6.2-28.el8
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-acb47e6aea   
libopenmpt-0.7.6-1.el8


The following builds have been pushed to Fedora EPEL 8 updates-testing

bitlbee-facebook-1.2.2-9.el8
perl-Spreadsheet-XLSX-0.18-1.el8

Details about builds:



 bitlbee-facebook-1.2.2-9.el8 (FEDORA-EPEL-2024-451c3e8714)
 Facebook protocol plugin for BitlBee

Update Information:

Test whether BitlBee can load plugin during startup (#2272092)

ChangeLog:

* Sun Mar 31 2024 Robert Scheck  1.2.2-9
- Test whether BitlBee can load plugin during startup (#2272092)
* Tue Jan 23 2024 Fedora Release Engineering  - 
1.2.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering  - 
1.2.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jul 19 2023 Fedora Release Engineering  - 
1.2.2-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jan 18 2023 Fedora Release Engineering  - 
1.2.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jul 20 2022 Fedora Release Engineering  - 
1.2.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jan 19 2022 Fedora Release Engineering  - 
1.2.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jul 21 2021 Fedora Release Engineering  - 
1.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

References:

  [ 1 ] Bug #2272092 - facebook.so plugin fails to load: undefined symbol: 
SET_INVALID
https://bugzilla.redhat.com/show_bug.cgi?id=2272092




 perl-Spreadsheet-XLSX-0.18-1.el8 (FEDORA-EPEL-2024-6794536e9f)
 Perl extension for reading Microsoft Excel 2007 files

Update Information:

Spreadsheet::XLSX 0.18
Fix RT #117166: unformatted date values can no longer be retrieved

ChangeLog:

* Sun Mar 31 2024 Robert Scheck  0.18-1
- Upgrade to 0.18 (#2268717)
* Thu Jan 25 2024 Fedora Release Engineering  - 0.17-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering  - 0.17-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jul 21 2023 Fedora Release Engineering  - 0.17-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jan 20 2023 Fedora Release Engineering  - 0.17-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Jul 22 2022 Fedora Release Engineering  - 0.17-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun  1 2022 Jitka Plesnikova  - 0.17-3
- Perl 5.36 rebuild
* Fri Jan 21 2022 Fedora Release Engineering  - 0.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

References:

  [ 1 ] Bug #2268717 - perl-Spreadsheet-XLSX-0.18 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2268717


--
___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2268717] perl-Spreadsheet-XLSX-0.18 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2268717



--- Comment #7 from Fedora Update System  ---
FEDORA-2024-217b7b1eb8 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh
--advisory=FEDORA-2024-217b7b1eb8`
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2024-217b7b1eb8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information
on how to test updates.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202268717%23c7
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2259535] perl-DBD-Firebird-1.34-8.fc40 FTBFS: Firebird.xs:1277:13: error: passing argument 1 of ‘isc_event_block’ from incompatible pointer type

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2259535

Fedora Update System  changed:

   What|Removed |Added

 Status|MODIFIED|ON_QA



--- Comment #3 from Fedora Update System  ---
FEDORA-2024-63c25e6f16 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh
--advisory=FEDORA-2024-63c25e6f16`
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2024-63c25e6f16

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information
on how to test updates.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2259535

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202259535%23c3
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2268717] perl-Spreadsheet-XLSX-0.18 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2268717



--- Comment #6 from Fedora Update System  ---
FEDORA-2024-d7e72afdf7 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh
--advisory=FEDORA-2024-d7e72afdf7`
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2024-d7e72afdf7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information
on how to test updates.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202268717%23c6
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2268717] perl-Spreadsheet-XLSX-0.18 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Fedora Update System  changed:

   What|Removed |Added

 Status|MODIFIED|ON_QA



--- Comment #5 from Fedora Update System  ---
FEDORA-2024-a63af372e9 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh
--advisory=FEDORA-2024-a63af372e9`
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2024-a63af372e9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information
on how to test updates.


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202268717%23c5
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Kilian Hanich via devel 

Am 31.03.24 um 23:02 schrieb Scott Schmit:

On Sun, Mar 31, 2024 at 04:09:36PM -0400, Ben Beasley wrote:

On 3/31/24 2:12 PM, Kevin Kofler via devel wrote:

But the fact is:

What WOULD have stopped this attack: (one or more of:)
* Deleting ALL unit tests in %prep (and then of course not trying to run
them later).

While it’s technically correct that deleting tests would have disrupted this
specific attack, a policy of deleting and and never running upstream test
code would have prevented me from finding and helping upstreams fix dozens
and dozens of bugs due to accidentally faulty assumptions that turned out to
be violated on different architectures, in different system environments, or
with various allegedly-compatible dependency versions. There are even GCC
bugs (miscompilations, not only failures to compile) that were discovered
and fixed only because packages I maintain were running upstream unit and
integration tests. Frankly, “testing the packages we ship, as built in our
distribution, is actually bad” seems like a pretty strange and extreme
conclusion to draw from all of this.


Deleting the tests makes no sense to me either, but it seems like a
mechanism that ensures the test code can't change the build outputs (or
a mechanism to detect that it's happened and abort the build) would
allow upstream tests to be run without compromising the integrity of the
build itself.


It would prevent the attack from being hidden in the tests, but not in
any other part of the build.

Also, I have seen build setups which encode the status of tests in the
eventual binary and as such info page or integrated bug report
generators. Often because some distros sometimes turned them off or
ships software even with failed tests and thus pushing that headache to
upstream.


Regards

Kilian Hanich
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Kilian Hanich via devel 

Am 31.03.24 um 21:19 schrieb Simon de Vlieger:

I don't quite agree with you. Two factor authentication whether an actual second
factor device or not does prevent credential stuffing which is a common attack
method that is easy to perform. It is when people take databases of previously 
leaked
passwords and try them on other accounts that belong to the same person. Since 
two
factors are generally unique per login situation they can't be stuffed in the 
same way.

Of course there are many things two factor does not protect against.



2FA in a lot of cases is just access to a different account (e.g. email
or even SMS) and these normally aren't unique. Sure, there are other
ways like FIDO2, but these are not necessarily used (or liked, quite
frankly I know a lot of people who would loose them on a monthly basis,
but still are quite smart about other stuff).

This can also lead to a pretty interesting "circle" of 2FA where for
example email a is the 2FA address for email b and email b is the 2FA
address for email a. If it's the only option it can also lead to a
chicken and egg problem for young people who want to create e.g. their
first email account. But this paragraph is besides the point.

So, sure, 2FA would prevent people from just trying out leaked
passwords. But an attack like this would not be a "spray and pray"
attack, but it would be a targeted one. This means that the acceptable
effort from the attacker would be quite a bit higher.

2FA would prevent script kiddies and "spray and pray"-style attacks from
being successful. But more? Doubtful.


Regards

Kilian Hanich
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Dominique Martinet 
Scott Schmit wrote on Sun, Mar 31, 2024 at 05:02:44PM -0400:
> Deleting the tests makes no sense to me either, but it seems like a
> mechanism that ensures the test code can't change the build outputs (or
> a mechanism to detect that it's happened and abort the build) would
> allow upstream tests to be run without compromising the integrity of the
> build itself.

Just to be clear here that wouldn't have been enough: it's not the test
step that's modifying the binaries, the actual build step is modified in
the right conditions to use data that looks like it belongs to a test
(I've read the actual files aren't actually used in any test and just
look like test data, I didn't check, it wouldn't be hard to make a test
that uses them anyway)

So short of deleting all blobs e.g. all test data this wouldn't have
been prevented, just not running tests isn't enough.

In theory it'd be possible to build twice:
- one normal build with test data, and run tests at the end
- a second build without test data (and confirm we've got an identical
binary, builds are reproducible right?!)

But while we might be able to afford the computing cost, I'm not sure
it's worth it -- this attack vector happened to use test data, but there
are plenty of other ways of doing this, and even just identifying /
removing test data in the first place is hard work for packagers (I
guess we could try to detect binary files but there is no end to that
either, and many builds would just break if we were to automatically
remove tests...)


(Anyway, I also think tests bring more benefits than risks in our case)
-- 
Dominique Martinet | Asmadeus
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2259535] perl-DBD-Firebird-1.34-8.fc40 FTBFS: Firebird.xs:1277:13: error: passing argument 1 of ‘isc_event_block’ from incompatible pointer type

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2259535

Fedora Update System  changed:

   What|Removed |Added

 Status|ASSIGNED|MODIFIED



--- Comment #2 from Fedora Update System  ---
FEDORA-2024-63c25e6f16 (perl-DBD-Firebird-1.34-10.fc40) has been submitted as
an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-63c25e6f16


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2259535

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202259535%23c2
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Christopher Klooz 

On 31/03/2024 23.11, Kevin Fenzi wrote:

On Sun, Mar 31, 2024 at 08:55:37PM +, Christopher Klooz wrote:

The repo files should be the same on Fedora containers, so if the container is 
F40 and the testing repo is enabled, it might have installed the malicious 
build.

Right, if it was dnf updated during the time that the bad update was in
updates-testing.

Folks should pull the latest and restart.


Preemptively, I added yesterday to the Fedora Discussion topic that people 
shall also update their toolbox containers. I am not sure if a container can 
end up in a condition that is vulnerable (especially since it has no dedicated 
systemd), but I assume we do not know for sure at this time, and the package 
was available to toolbox if the testing was enabled on a F40 container (I 
assume there are already F40 containers available? Didn't verify).

Yeah, best to be safe and pull the latest that doesn't have the affected
build and rerun.

Yes, there are f40 containers available.

kevin

Great point. I adjusted the Fedora Discussion topic.
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Kevin Fenzi 
On Sun, Mar 31, 2024 at 08:55:37PM +, Christopher Klooz wrote:
> The repo files should be the same on Fedora containers, so if the container 
> is F40 and the testing repo is enabled, it might have installed the malicious 
> build.

Right, if it was dnf updated during the time that the bad update was in
updates-testing.

Folks should pull the latest and restart.

> Preemptively, I added yesterday to the Fedora Discussion topic that people 
> shall also update their toolbox containers. I am not sure if a container can 
> end up in a condition that is vulnerable (especially since it has no 
> dedicated systemd), but I assume we do not know for sure at this time, and 
> the package was available to toolbox if the testing was enabled on a F40 
> container (I assume there are already F40 containers available? Didn't 
> verify).

Yeah, best to be safe and pull the latest that doesn't have the affected
build and rerun.

Yes, there are f40 containers available.

kevin


signature.asc
Description: PGP signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Kevin Fenzi 
On Sun, Mar 31, 2024 at 10:30:23PM +0200, Leon Fauster via devel wrote:
> 
> Not sure, if it was already mentioned -> containers. I had here a toolbox
> environment with F40. That I had not in my first actions
> on the screen. The last state had 5.6.0-3 installed but not sure
> if the previous release was also installed ...

You should pull the latest version and restart any containers you were
running. 

kevin


signature.asc
Description: PGP signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Kevin Fenzi 
On Sun, Mar 31, 2024 at 03:52:12PM -0500, Alex Thomas wrote:
> Just to be clear, as I was getting ready to put 40 Beta on a test
> machine, this has been fixed. I do the install and run updates and the
> compromised version of xz is never installed?

Correct.

kevin


signature.asc
Description: PGP signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Scott Schmit 
On Sun, Mar 31, 2024 at 04:09:36PM -0400, Ben Beasley wrote:
> On 3/31/24 2:12 PM, Kevin Kofler via devel wrote:
> > But the fact is:
> > 
> > What WOULD have stopped this attack: (one or more of:)
> > * Deleting ALL unit tests in %prep (and then of course not trying to run
> > them later).
> While it’s technically correct that deleting tests would have disrupted this
> specific attack, a policy of deleting and and never running upstream test
> code would have prevented me from finding and helping upstreams fix dozens
> and dozens of bugs due to accidentally faulty assumptions that turned out to
> be violated on different architectures, in different system environments, or
> with various allegedly-compatible dependency versions. There are even GCC
> bugs (miscompilations, not only failures to compile) that were discovered
> and fixed only because packages I maintain were running upstream unit and
> integration tests. Frankly, “testing the packages we ship, as built in our
> distribution, is actually bad” seems like a pretty strange and extreme
> conclusion to draw from all of this.

Deleting the tests makes no sense to me either, but it seems like a
mechanism that ensures the test code can't change the build outputs (or
a mechanism to detect that it's happened and abort the build) would
allow upstream tests to be run without compromising the integrity of the
build itself.


smime.p7s
Description: S/MIME cryptographic signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Christopher Klooz 

On 31/03/2024 22.30, Leon Fauster via devel wrote:

Am 31.03.24 um 21:33 schrieb Sandro:

On 31-03-2024 20:54, Christopher Klooz wrote:

On 31/03/2024 20.52, Christopher Klooz wrote:


On 31/03/2024 20.21, Michael Catanzaro wrote:

On Sun, Mar 31 2024 at 09:56:04 AM -05:00:00, Michael Catanzaro 
 wrote:

I'm really frustrated with our communication regarding this issue. Does anybody 
know who can fix this?


The Fedora Magazine article has been fixed (thanks!).


"*Fedora Linux 40 branched users (i.e. pre-Beta) likely received the potentially 
vulnerable /5.6.0-2.fc40/ build 
 if the system updated 
between March 2nd and March 6th*. Fedora Linux 40 Beta users only using stable repositories are 
NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted."

 -> only pre-beta, not beta, affected
 -> F40 beta using stable NOT impacted (without challenging the previously 
distributed assumption that testing is disabled by default)

That's still the same false information, isn't it?

Justin just has shown up in discourse. I suggested to get in touch with you, 
Adam or Kevin since he seemed to be convinced the article is fine as it is. 
When I refresh the article, it still seems to be unchanged. Is the update you 
mean already online Michael?


I clarified what's wrong with Justin in a DM on Matrix. He was on the same garden path as I was 
regarding "Beta release" vs. "Final release".

There will be another update to the article.




Not sure, if it was already mentioned -> containers. I had here a toolbox 
environment with F40. That I had not in my first actions
on the screen. The last state had 5.6.0-3 installed but not sure
if the previous release was also installed ...


The repo files should be the same on Fedora containers, so if the container is 
F40 and the testing repo is enabled, it might have installed the malicious 
build.

Preemptively, I added yesterday to the Fedora Discussion topic that people 
shall also update their toolbox containers. I am not sure if a container can 
end up in a condition that is vulnerable (especially since it has no dedicated 
systemd), but I assume we do not know for sure at this time, and the package 
was available to toolbox if the testing was enabled on a F40 container (I 
assume there are already F40 containers available? Didn't verify).

So I suggest to preemptively act with F40 toolboxes in the same way as with F40 if 
testing was enabled. -> 
https://discussion.fedoraproject.org/t/attention-malicious-code-in-current-beta-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Alex Thomas 
Just to be clear, as I was getting ready to put 40 Beta on a test
machine, this has been fixed. I do the install and run updates and the
compromised version of xz is never installed?
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Leon Fauster via devel 

Am 31.03.24 um 21:33 schrieb Sandro:

On 31-03-2024 20:54, Christopher Klooz wrote:

On 31/03/2024 20.52, Christopher Klooz wrote:


On 31/03/2024 20.21, Michael Catanzaro wrote:
On Sun, Mar 31 2024 at 09:56:04 AM -05:00:00, Michael Catanzaro 
 wrote:
I'm really frustrated with our communication regarding this issue. 
Does anybody know who can fix this?


The Fedora Magazine article has been fixed (thanks!).

"*Fedora Linux 40 branched users (i.e. pre-Beta) likely received the 
potentially vulnerable /5.6.0-2.fc40/ build 
 if 
the system updated between March 2nd and March 6th*. Fedora Linux 40 
Beta users only using stable repositories are NOT impacted. Fedora 
Linux 39 and 38 users are also NOT impacted."


 -> only pre-beta, not beta, affected
 -> F40 beta using stable NOT impacted (without challenging the 
previously distributed assumption that testing is disabled by default)


That's still the same false information, isn't it?
Justin just has shown up in discourse. I suggested to get in touch 
with you, Adam or Kevin since he seemed to be convinced the article is 
fine as it is. When I refresh the article, it still seems to be 
unchanged. Is the update you mean already online Michael?


I clarified what's wrong with Justin in a DM on Matrix. He was on the 
same garden path as I was regarding "Beta release" vs. "Final release".


There will be another update to the article.




Not sure, if it was already mentioned -> containers. I had here a 
toolbox environment with F40. That I had not in my first actions

on the screen. The last state had 5.6.0-3 installed but not sure
if the previous release was also installed ...

--
Leon

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Gary Buhrmaster 
On Sun, Mar 31, 2024 at 5:35 PM Kevin Kofler via devel
 wrote:
>
> Adam Williamson wrote:
> > Do we require 2FA for provenpackager yet?
>
> No. I am a provenpackager and do not have 2FA enabled (nor do I want it to
> be).

Whenever 2FA comes up, the requirement
for provenpackages to have it enabled has
always come out very high on the list of
first steps.

I still recommend that.  PP is a privilege,
not a right.  With privileges often comes
additional responsibilities, and 2FA should
absolutely be one of them.
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Ben Beasley 

On 3/31/24 2:12 PM, Kevin Kofler via devel wrote:

But the fact is:

What WOULD have stopped this attack: (one or more of:)
* Deleting ALL unit tests in %prep (and then of course not trying to run
them later).
While it’s technically correct that deleting tests would have disrupted 
this specific attack, a policy of deleting and and never running 
upstream test code would have prevented me from finding and helping 
upstreams fix dozens and dozens of bugs due to accidentally faulty 
assumptions that turned out to be violated on different architectures, 
in different system environments, or with various allegedly-compatible 
dependency versions. There are even GCC bugs (miscompilations, not only 
failures to compile) that were discovered and fixed only because 
packages I maintain were running upstream unit and integration tests. 
Frankly, “testing the packages we ship, as built in our distribution, is 
actually bad” seems like a pretty strange and extreme conclusion to draw 
from all of this.

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2272408] New: perl-PDL-2.086 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2272408

Bug ID: 2272408
   Summary: perl-PDL-2.086 is available
   Product: Fedora
   Version: rawhide
Status: NEW
 Component: perl-PDL
  Keywords: FutureFeature, Triaged
  Assignee: jples...@redhat.com
  Reporter: upstream-release-monitor...@fedoraproject.org
QA Contact: extras...@fedoraproject.org
CC: jples...@redhat.com, ka...@ucw.cz, lkund...@v3.sk,
perl-devel@lists.fedoraproject.org,
rhug...@redhat.com, rstr...@redhat.com
  Target Milestone: ---
Classification: Fedora



Releases retrieved: 2.086
Upstream release that is considered latest: 2.086
Current version/release in rawhide: 2.85.0-2.fc40
URL: https://metacpan.org/dist/PDL/

Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/


More information about the service that created this bug can be found at:
https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring


Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.


Based on the information from Anitya:
https://release-monitoring.org/project/3205/


To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/perl-PDL


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2272408

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202272408%23c0
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Sandro 

On 31-03-2024 20:54, Christopher Klooz wrote:

On 31/03/2024 20.52, Christopher Klooz wrote:


On 31/03/2024 20.21, Michael Catanzaro wrote:
On Sun, Mar 31 2024 at 09:56:04 AM -05:00:00, Michael Catanzaro 
 wrote:
I'm really frustrated with our communication regarding this issue. 
Does anybody know who can fix this?


The Fedora Magazine article has been fixed (thanks!).

"*Fedora Linux 40 branched users (i.e. pre-Beta) likely received the 
potentially vulnerable /5.6.0-2.fc40/ build 
 if 
the system updated between March 2nd and March 6th*. Fedora Linux 40 
Beta users only using stable repositories are NOT impacted. Fedora 
Linux 39 and 38 users are also NOT impacted."


 -> only pre-beta, not beta, affected
 -> F40 beta using stable NOT impacted (without challenging the 
previously distributed assumption that testing is disabled by default)


That's still the same false information, isn't it?
Justin just has shown up in discourse. I suggested to get in touch with 
you, Adam or Kevin since he seemed to be convinced the article is fine 
as it is. When I refresh the article, it still seems to be unchanged. Is 
the update you mean already online Michael?


I clarified what's wrong with Justin in a DM on Matrix. He was on the 
same garden path as I was regarding "Beta release" vs. "Final release".


There will be another update to the article.

-- Sandro
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Simon de Vlieger 
Hi Kevin,

On Sun, Mar 31, 2024, at 7:31 PM, Kevin Kofler via devel wrote:
> Adam Williamson wrote:
>> Do we require 2FA for provenpackager yet?
>
> No. I am a provenpackager and do not have 2FA enabled (nor do I want it to 
> be).
>
>> People would say, justifiably so, that it was absolutely unacceptable for
>> us to be allowing single-factor authentication for contributors to a
>> general-purpose operating system in 2024. It is.
>
> This is nonsense propaganda. Most 2FA implementations cannot even guarantee 
> that the second factor is not stored right next to the first factor. Open 
> standards that do not depend on commercial hardware or telecommunication 
> operators, such as TOTP, cannot guarantee it by design. Any 2FA app that 
> works on my PinePhone is also going to work directly on my computer, so you 
> have no way to enforce that I use a different device for the second factor.
>
> 2FA is pointless security theater that just makes it a pain to contribute, 
> when we are all this time talking about lowering, not rising, the barrier to 
> entry.

I don't quite agree with you. Two factor authentication whether an actual second
factor device or not does prevent credential stuffing which is a common attack
method that is easy to perform. It is when people take databases of previously 
leaked
passwords and try them on other accounts that belong to the same person. Since 
two
factors are generally unique per login situation they can't be stuffed in the 
same way.

Of course there are many things two factor does not protect against.

Regards,

Simon
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Christopher Klooz 

On 31/03/2024 20.52, Christopher Klooz wrote:


On 31/03/2024 20.21, Michael Catanzaro wrote:

On Sun, Mar 31 2024 at 09:56:04 AM -05:00:00, Michael Catanzaro 
 wrote:

I'm really frustrated with our communication regarding this issue. Does anybody 
know who can fix this?


The Fedora Magazine article has been fixed (thanks!).


"*Fedora Linux 40 branched users (i.e. pre-Beta) likely received the potentially 
vulnerable /5.6.0-2.fc40/ build 
 if the system updated 
between March 2nd and March 6th*. Fedora Linux 40 Beta users only using stable repositories are 
NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted."

 -> only pre-beta, not beta, affected
 -> F40 beta using stable NOT impacted (without challenging the previously 
distributed assumption that testing is disabled by default)

That's still the same false information, isn't it?

Justin just has shown up in discourse. I suggested to get in touch with you, 
Adam or Kevin since he seemed to be convinced the article is fine as it is. 
When I refresh the article, it still seems to be unchanged. Is the update you 
mean already online Michael?
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Christopher Klooz 


On 31/03/2024 20.21, Michael Catanzaro wrote:

On Sun, Mar 31 2024 at 09:56:04 AM -05:00:00, Michael Catanzaro 
 wrote:

I'm really frustrated with our communication regarding this issue. Does anybody 
know who can fix this?


The Fedora Magazine article has been fixed (thanks!).


"*Fedora Linux 40 branched users (i.e. pre-Beta) likely received the potentially 
vulnerable /5.6.0-2.fc40/ build 
 if the system updated 
between March 2nd and March 6th*. Fedora Linux 40 Beta users only using stable repositories are 
NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted."

 -> only pre-beta, not beta, affected
 -> F40 beta using stable NOT impacted (without challenging the previously 
distributed assumption that testing is disabled by default)

That's still the same false information, isn't it?
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Michael Catanzaro 
On Sun, Mar 31 2024 at 09:56:04 AM -05:00:00, Michael Catanzaro 
 wrote:
I'm really frustrated with our communication regarding this issue. 
Does anybody know who can fix this?


The Fedora Magazine article has been fixed (thanks!).

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Kevin Kofler via devel 
Adam Williamson wrote:
> I would argue there's a danger of getting too tied up in very specific
> technical details of this attack.

But the fact is:

What WOULD have stopped this attack: (one or more of:)
* Deleting ALL unit tests in %prep (and then of course not trying to run 
them later).
* Deleting ALL files automatically generated or imported by autotools in 
%prep, THEN running "autoreconf -i -f". (DO NOT trust autoreconf, it would 
NOT have done the right thing here. Delete the files, THEN run autoreconf.)
* NOT patching OpenSSH downstream to link it against libsystemd against 
upstream's recommendation.

What WOULD have greatly reduced the impact of this attack:
* NOT enabling updates-testing by default for Branched releases.

What WOULD NOT have stopped this attack: (any or all of:)
* 2FA. GitHub already enforces 2FA. It did NOT stop this attack.
* Any stricter vetting of Fedora contributions. The attack was performed 
upstream, NOT in Fedora.
* More distrust of new Fedora contributors. The offending upgrade was 
imported by a TRUSTED Fedora contributor. The untrusted new person operated 
upstream, NOT in Fedora.

Kevin Kofler
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Kevin Kofler via devel 
Adam Williamson wrote:
> Maybe this needs to go on the growing pile of reasons why the
> traditional Linux model *does* need to go away. Maybe Fedora, with its
> foundation of First, should be kind of at the forefront of making that
> happen.

Switching to a container-based model is just going to introduce more 
different library versions (in the worst case, one per container) with a 
higher probability that one of them is compromised.

Kevin Kofler
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Alexander Bokovoy 

On Sun, 31 Mar 2024, Neal Gompa wrote:

On Sun, Mar 31, 2024 at 7:36 AM Arthur Bols  wrote:


On 31/03/2024 13:03, Kevin Kofler via devel wrote:

This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for
contributors for a while, starting with "important" projects, then getting
stricter and stricter. It has done absolutely nothing to stop this attack.
How could it, when the backdoor was apparently introduced by the authorized
maintainer? (Or if not, the attacker must have had access to their 2FA
secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON
US! And especially DO NOT abuse this incident as an excuse to force 2FA down
our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being
repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!


2FA for Fedora packagers doesn't solve this issue, but that wasn't Adam's 
point. What Adam is saying is that we're in danger of focusing too much on a 
specific issue while we should spent our time and energy on the general 
security aspect of Fedora. 2FA isn't nonsense, it strengthens security by a 
lot. A compromised (proven)packager account can do a lot of harm and can take a 
while to be noticed. If this would happen to us, Fedora's reputation would tank 
immediately. Mint is still regarded as a insecure distro (in my circles) for 
things that happened before I even entered the linux scene...

Like it or not, this is 2024 and passwords are not as secure as they used to 
be. Yelling about it isn't going to solve anything. Meanwhile, enabling 2FA 
helps A LOT even if used incorrectly (e.g. storing it in the same keepassxc 
database).



At this point, I'm used to MFA for stuff (and I use a password manager
that handles 2FA OTPs too), but the Fedora implementation of MFA is
uniquely bad because we have to do a lot in the terminal, and our MFA
implementation sucks for terminal usage.

If MFA is turned on:

1. The Fedora account integration in GNOME breaks
2. You need to concatenate password and OTP for getting a krb5 session ticket
3. The recovery mechanism involves GPG signed emails

The experience using 2FA for Fedora accounts is sufficiently
unpleasant that I really don't want to use it.


We need to fix these problems anyway. For the first two I am working on
a potential solution as a part of FreeIPA passwordless authentication
support. As you know, FreeIPA supports more than just OTP method that
Fedora Project is currently using. The way how that support is
implemented through Kerberos makes it uniform for OTP, RADIUS, passkeys,
and external IdP pre-authentication methods. Since internal bits of SSSD
already implement support for all these methods in a proper way, we
might reuse those to improve Fedora user experience.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Kevin Kofler via devel 
Adam Williamson wrote:
> Do we require 2FA for provenpackager yet?

No. I am a provenpackager and do not have 2FA enabled (nor do I want it to 
be).

> People would say, justifiably so, that it was absolutely unacceptable for
> us to be allowing single-factor authentication for contributors to a
> general-purpose operating system in 2024. It is.

This is nonsense propaganda. Most 2FA implementations cannot even guarantee 
that the second factor is not stored right next to the first factor. Open 
standards that do not depend on commercial hardware or telecommunication 
operators, such as TOTP, cannot guarantee it by design. Any 2FA app that 
works on my PinePhone is also going to work directly on my computer, so you 
have no way to enforce that I use a different device for the second factor.

2FA is pointless security theater that just makes it a pain to contribute, 
when we are all this time talking about lowering, not rising, the barrier to 
entry.

Kevin Kofler
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Kevin Kofler via devel 
Neal Gompa wrote:
> Well, an easy solution is to make it so "dnf update" is coerced to
> "dnf distro-sync" for development releases.

That would not have helped containing this vulnerability. Keeping updates-
testing disabled by default would have.

Kevin Kofler
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Richard W.M. Jones 
On Sun, Mar 31, 2024 at 09:39:43AM -0700, Kevin Fenzi wrote:
> On Sun, Mar 31, 2024 at 09:12:30AM -0700, Adam Williamson wrote:
> > Thanks Arthur, yes, that was *exactly* the point.
> > 
> > I would argue there's a danger of getting too tied up in very specific
> > technical details of this attack. Yes, it's reasonable to think of ways
> > to mitigate those specific mechanisms, at least at the appropriate
> > levels (arguably, most of this is really directly an issue upstream of
> > us). But it has been - for me - persuasively argued that the specific
> > technical details were decided based on the wider goals of the attack.
> > 
> > I buy the scenario where the starting point was "how can we poison the
> > major distributions?" and everything from there derived from that
> > starting point. xz was picked as the target because of all the specific
> > technical stuff about systemd and ssh links which people are keen to
> > dive deep into the details of, but *if that vector hadn't existed the
> > attacker would just have chosen the next best one*. The specific form
> > of the attack was then customized to the specific properties of xz,
> > very cunningly - the whole thing about hiding the payload in binary
> > test files. But if the attacker had chosen to attack a different
> > project with different properties, they would have customized their
> > attack to *that* environment with equal cunning, and it would probably
> > look quite different.
> 
> I think even stepping further back from the technical details is worth
> considering. I think xz was picked because it had one maintainer who had
> personal issues and low time/desire to continue work, and they were a
> good target to be bullied into adding another maintainer. Are there
> other critical packages we ship in similar situations? 

I can imagine the attacker had some sort of scoring system for projects:

 - No upstream patch review process (+10)
 - Complicated codebase (+20)
 - Small group of maintainers (+5)
 - Single, vulnerable maintainer (+50)
 - Linked to sshd (+1000)

There's something to be said for us doing a similar sort of analysis.

> > Worrying *only* about binary blobs in source repos or the specific
> > details of how systemd opens compression libraries feels a bit narrow,
> > to me - and especially so when we do it down at the distribution level
> > where it's not necessarily primarily our responsibility, and I would
> > argue is definitely not the *lowest* hanging fruit if we take a broader
> > view of "what should we as a project be doing to raise the difficulty
> > of supply chain attacks?"
> 
> Agreed. I think theres lots of places we should improve, and focusing on
> our own backyard first might be wise. But we can also work on the other
> parts too!
> 
> There are lots of things we _could_ do... we should discuss and consider
> what ones make sense in what order. We should just do something because
> we can. ;)
> 
> Also, a reminder... nothing is ever 'secure'. security is a process. We
> consider likelt threats, we try and mitigate them, and we keep doing it.
> Things change and we should too.
> 
> kevin

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2272395] New: perl-IO-Compress-2.208 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2272395

Bug ID: 2272395
   Summary: perl-IO-Compress-2.208 is available
   Product: Fedora
   Version: rawhide
Status: NEW
 Component: perl-IO-Compress
  Keywords: FutureFeature, Triaged
  Assignee: jples...@redhat.com
  Reporter: upstream-release-monitor...@fedoraproject.org
QA Contact: extras...@fedoraproject.org
CC: jples...@redhat.com, mmasl...@redhat.com,
mspa...@redhat.com, p...@city-fan.org,
perl-devel@lists.fedoraproject.org
  Target Milestone: ---
Classification: Fedora



Releases retrieved: 2.208
Upstream release that is considered latest: 2.208
Current version/release in rawhide: 2.207-1.fc41
URL: https://metacpan.org/dist/IO-Compress/

Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/


More information about the service that created this bug can be found at:
https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring


Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.


Based on the information from Anitya:
https://release-monitoring.org/project/2990/


To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/perl-IO-Compress


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2272395

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202272395%23c0
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Kevin Fenzi 
On Sun, Mar 31, 2024 at 09:12:30AM -0700, Adam Williamson wrote:
> Thanks Arthur, yes, that was *exactly* the point.
> 
> I would argue there's a danger of getting too tied up in very specific
> technical details of this attack. Yes, it's reasonable to think of ways
> to mitigate those specific mechanisms, at least at the appropriate
> levels (arguably, most of this is really directly an issue upstream of
> us). But it has been - for me - persuasively argued that the specific
> technical details were decided based on the wider goals of the attack.
> 
> I buy the scenario where the starting point was "how can we poison the
> major distributions?" and everything from there derived from that
> starting point. xz was picked as the target because of all the specific
> technical stuff about systemd and ssh links which people are keen to
> dive deep into the details of, but *if that vector hadn't existed the
> attacker would just have chosen the next best one*. The specific form
> of the attack was then customized to the specific properties of xz,
> very cunningly - the whole thing about hiding the payload in binary
> test files. But if the attacker had chosen to attack a different
> project with different properties, they would have customized their
> attack to *that* environment with equal cunning, and it would probably
> look quite different.

I think even stepping further back from the technical details is worth
considering. I think xz was picked because it had one maintainer who had
personal issues and low time/desire to continue work, and they were a
good target to be bullied into adding another maintainer. Are there
other critical packages we ship in similar situations? 

> Worrying *only* about binary blobs in source repos or the specific
> details of how systemd opens compression libraries feels a bit narrow,
> to me - and especially so when we do it down at the distribution level
> where it's not necessarily primarily our responsibility, and I would
> argue is definitely not the *lowest* hanging fruit if we take a broader
> view of "what should we as a project be doing to raise the difficulty
> of supply chain attacks?"

Agreed. I think theres lots of places we should improve, and focusing on
our own backyard first might be wise. But we can also work on the other
parts too!

There are lots of things we _could_ do... we should discuss and consider
what ones make sense in what order. We should just do something because
we can. ;)

Also, a reminder... nothing is ever 'secure'. security is a process. We
consider likelt threats, we try and mitigate them, and we keep doing it.
Things change and we should too.

kevin


signature.asc
Description: PGP signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Adam Williamson 
On Sun, 2024-03-31 at 07:42 -0400, Neal Gompa wrote:
> On Sun, Mar 31, 2024 at 7:36 AM Arthur Bols  wrote:
> > 
> > On 31/03/2024 13:03, Kevin Kofler via devel wrote:
> > 
> > This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for
> > contributors for a while, starting with "important" projects, then getting
> > stricter and stricter. It has done absolutely nothing to stop this attack.
> > How could it, when the backdoor was apparently introduced by the authorized
> > maintainer? (Or if not, the attacker must have had access to their 2FA
> > secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON
> > US! And especially DO NOT abuse this incident as an excuse to force 2FA down
> > our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being
> > repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!
> > 
> > 
> > 2FA for Fedora packagers doesn't solve this issue, but that wasn't Adam's 
> > point. What Adam is saying is that we're in danger of focusing too much on 
> > a specific issue while we should spent our time and energy on the general 
> > security aspect of Fedora. 2FA isn't nonsense, it strengthens security by a 
> > lot. A compromised (proven)packager account can do a lot of harm and can 
> > take a while to be noticed. If this would happen to us, Fedora's reputation 
> > would tank immediately. Mint is still regarded as a insecure distro (in my 
> > circles) for things that happened before I even entered the linux scene...
> > 
> > Like it or not, this is 2024 and passwords are not as secure as they used 
> > to be. Yelling about it isn't going to solve anything. Meanwhile, enabling 
> > 2FA helps A LOT even if used incorrectly (e.g. storing it in the same 
> > keepassxc database).
> > 
> 
> At this point, I'm used to MFA for stuff (and I use a password manager
> that handles 2FA OTPs too), but the Fedora implementation of MFA is
> uniquely bad because we have to do a lot in the terminal, and our MFA
> implementation sucks for terminal usage.
> 
> If MFA is turned on:
> 
> 1. The Fedora account integration in GNOME breaks
> 2. You need to concatenate password and OTP for getting a krb5 session ticket
> 3. The recovery mechanism involves GPG signed emails
> 
> The experience using 2FA for Fedora accounts is sufficiently
> unpleasant that I really don't want to use it.

Copying this comment here from the FESCo ticket at Kevin's request -
please follow up here, not there:

I think the points above and others made later about areas where the
2FA experience on Fedora are bad are absolutely correct and justified.
I also think there is a solid argument that we should do this anyway.

I think the vulnerability associated with having packager (and
provenpackager? Do we require 2FA for provenpackager yet? I wasn't
actually sure, when I wrote my list post) accounts without 2FA is
sufficiently horrendous that we just cannot accept it. Yes, our
implementation of 2FA is suboptimal and would frustrate people. Is that
worse than the consequences of letting ourselves be compromised?
Imagine how brutal the response would be if it came to light that
Fedora had been compromised through exploitation of single-factor
authentication. It would not be kind. It would be a huge and lasting
stain on our reputation. People would say, justifiably so, that it was
absolutely unacceptable for us to be allowing single-factor
authentication for contributors to a general-purpose operating system
in 2024. It is.

We now have incontrovertible evidence that extremely sophisticated
attackers are willing to mount extremely sophisticated attacks on the
supply chain of which we are a significant component. We are busy
Monday morning quarterbacking about extremely complex ways to try and
counteract an attack of that sophistication. Meanwhile we are still
leaving this huge vulnerability to much less sophisticated attacks,
which has been known to be one for literal decades at this point, open.
We know that much less sophisticated attackers exploit single-factor
authentication for purposes as trivial as stealing cryptocurrency, and
it happens frequently. I don't think we can pretend we can't connect
the dots here.

On a practical level, if we just made 2FA compulsory, it would provide
people with a much stronger motivation to contribute and make the
experience of it better. So long as we let people not use it, that
motivation does not exist. I suspect if we just did it, we'd get a more
sophisticated experience with Kerberos and recovery tokens and all the
rest of it much faster than we will if we don't.

-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Adam Williamson 
On Sun, 2024-03-31 at 13:28 +0100, Daniel P. Berrangé wrote:
> > 
> > 3. We have no mechanism to flag when J. Random Packager adds
> > "Supplements: glibc" to their random leaf node package. As a reminder,
> > *we are a project that allows 1,601 minimally-vetted people to deliver
> > arbitrary code executed as root on hundreds of thousands of systems*,
> > and this mechanism allows any one of those people to cause the package
> > they have complete control over to be automatically pulled in as a
> > dependency on virtually every single one of those systems.
> 
> This is as much a distro design problem, as a Fedora process
> problem. The typical Linux distro model is that everything is
> installed in the same namespace, and we only avoid interference
> (whether accidental or intentional) by careful packaging design
> and review.
> 
> This is somewhere where the image based Linux distro model has
> a potential benefit, with a comparatively slim distro base, and
> then applications as self contained separated entities, whether
> server apps in podman containers, or GUI apps in flatpaks.
> 
> No easy anwere here though, as the traditional Linux model isn't
> going away any time in the forseeable future.

Well, definitely no easy answers, but I would argue this is the kind of
thing we as a distributor *should* be worrying about and addressing,
maybe with more urgency than things that are not primarily the
responsibility of the distributor, in the supply chain.

Maybe this needs to go on the growing pile of reasons why the
traditional Linux model *does* need to go away. Maybe Fedora, with its
foundation of First, should be kind of at the forefront of making that
happen.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Adam Williamson 
On Sun, 2024-03-31 at 13:35 +0200, Arthur Bols wrote:
> On 31/03/2024 13:03, Kevin Kofler via devel wrote:
> > This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for
> > contributors for a while, starting with "important" projects, then getting
> > stricter and stricter. It has done absolutely nothing to stop this attack.
> > How could it, when the backdoor was apparently introduced by the authorized
> > maintainer? (Or if not, the attacker must have had access to their 2FA
> > secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON
> > US! And especially DO NOT abuse this incident as an excuse to force 2FA down
> > our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being
> > repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!
> 
> 2FA for Fedora packagers doesn't solve *this* issue, but that wasn't 
> Adam's point. What Adam is saying is that we're in danger of focusing 
> too much on a specific issue while we should spent our time and energy 
> on the general security aspect of Fedora. 2FA isn't nonsense, it 
> strengthens security by a lot.

Thanks Arthur, yes, that was *exactly* the point.

I would argue there's a danger of getting too tied up in very specific
technical details of this attack. Yes, it's reasonable to think of ways
to mitigate those specific mechanisms, at least at the appropriate
levels (arguably, most of this is really directly an issue upstream of
us). But it has been - for me - persuasively argued that the specific
technical details were decided based on the wider goals of the attack.

I buy the scenario where the starting point was "how can we poison the
major distributions?" and everything from there derived from that
starting point. xz was picked as the target because of all the specific
technical stuff about systemd and ssh links which people are keen to
dive deep into the details of, but *if that vector hadn't existed the
attacker would just have chosen the next best one*. The specific form
of the attack was then customized to the specific properties of xz,
very cunningly - the whole thing about hiding the payload in binary
test files. But if the attacker had chosen to attack a different
project with different properties, they would have customized their
attack to *that* environment with equal cunning, and it would probably
look quite different.

Worrying *only* about binary blobs in source repos or the specific
details of how systemd opens compression libraries feels a bit narrow,
to me - and especially so when we do it down at the distribution level
where it's not necessarily primarily our responsibility, and I would
argue is definitely not the *lowest* hanging fruit if we take a broader
view of "what should we as a project be doing to raise the difficulty
of supply chain attacks?"
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Christopher Klooz 

On 31/03/2024 16.56, Michael Catanzaro wrote:

On Sun, Mar 31 2024 at 12:55:23 PM +00:00:00, Christopher Klooz 
 wrote:

In case someone from the Fedora Magazine is in the devel mailing list and reads 
this:


I'm really frustrated with our communication regarding this issue. Does anybody 
know who can fix this?

If we don't know who can fix Fedora Magazine on a Sunday, maybe we should just 
take down the entire domain until tomorrow. Fedora Magazine is an authoritative 
source and a lot of people are trusting the wrong information that we're 
providing.

Thanks for complaining about this, Christopher.

Michael


I don't feel good to implement such means without consensus with other 
moderators, but given that this article keeps telling affected users that they 
are not affected while it spreads confusing/misleading information, I have 
changed the Fedora Discussion topic [1] to make clear about the issue with the 
Fedora Magazine article in the very beginning, and indirectly warn about it. 
For average users, Fedora Discussion is the major source next to the magazine 
afaik. I tried to formulate it accommodating, but it has to be clear that the 
article's information was not correct and now the update added another 
incorrect information (Kevin made clear that beta has testing enabled) while 
the previous incorrect information is not devaluated either.

I think the Fedora Discussion topic's content shall do it for now and satisfy 
the majority of users. I keep following here, but if there is any change/add I 
need to do on that page, feel free to send/CC me an email directly, or a 
message on discourse. I keep available at least until Thursday to update it 
regularly if necessary.

[1] 
https://discussion.fedoraproject.org/t/attention-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683

Chris
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Adam Williamson 
On Sun, 2024-03-31 at 13:03 +0200, Kevin Kofler via devel wrote:
> 
> > 2. Our process for vetting packagers is, let's face it, from a security
> > perspective almost *comically* patchy. There are 140 sponsors in the
> > packager FAS group. Any one of those people - or someone who
> > compromises any one of those 140 accounts - can grant any other person
> > on earth Fedora packager status. Our policy on how they should do this
> > is
> > https://docs.fedoraproject.org/en-US/package-maintainers/How_to_Sponsor_a_New_Contributor/#sponsoring_someone_for_fedora_package_collection
> > . The words "trust" and "identity" do not appear in it. There is,
> > AFAIK, no policy or procedure by which inactive sponsors have this
> > power removed. There is no mandatory 2FA policy for sponsors.
> 
> We already have a manpower problem, how is removing sponsors going to 
> improve the situation?

Removing inactive sponsors makes it harder for an attacker to
compromise an inactive sponsor's account and use it for evil.

However, looking into it it looks like I made a mistake here: we do
have an inactive *packager* policy, as well as an inactive *proven
packager* policy. I had misremembered that we did not have the former,
only the latter. So at *least* a sponsor who becomes completely
inactive in the project will eventually get removed as a packager
entirely (and hence also as a sponsor). I don't think that's entirely
sufficient, but it's better than I thought.

> > 3. We have no mechanism to flag when J. Random Packager adds
> > "Supplements: glibc" to their random leaf node package. As a reminder,
> > *we are a project that allows 1,601 minimally-vetted people to deliver
> > arbitrary code executed as root on hundreds of thousands of systems*,
> > and this mechanism allows any one of those people to cause the package
> > they have complete control over to be automatically pulled in as a
> > dependency on virtually every single one of those systems.
> 
> This would get noticed pretty quickly, when that package comes up in update 
> transactions for no reason. I believe this has never happened so far. It is 
> just too obvious.

"Would get noticed pretty quickly" is not really acceptable. It should
not be possible to do it at all.

This was just an example really, too. I am not a very good red teamer.
I'm not imaginative enough. There are probably all sorts of more subtle
ways a malicious person with packager privileges could leverage them to
attack more people than they could attack just through 'normal'
maintenance of a leaf package. Just for another example, we have had
two significant cases recently of "package X incorrectly provides
capability Y".

1. sdubby was providing grubby with a higher version than the real
grubby package, which seems to have caused it to get installed in
preference to grubby on fresh installs and upgrades when it should not
have been.

2. some relatively obscure package somehow started including bundled
copies of dozens of core system libraries, which made the auto-provides
generator generate provides for those libraries. dnf then started
preferring it over the 'real' providers of some of those libraries, I
think because it had a shorter dep chain.

Neither of these was, AFAICT, flagged as a potential security issue by
anyone, but it seems reasonable to me that they should have been. I
know about them because we happened to catch them as quality issues,
but it is not hard to imagine that a malicious packager may be
interested in using the same effect intentionally for evil, and they
would obviously be careful to try and set things up such that this
would *not* cause anything easily noticeable as a quality defect.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Kevin Fenzi 
On Sun, Mar 31, 2024 at 07:42:24AM -0400, Neal Gompa wrote:
> 
> At this point, I'm used to MFA for stuff (and I use a password manager
> that handles 2FA OTPs too), but the Fedora implementation of MFA is
> uniquely bad because we have to do a lot in the terminal, and our MFA
> implementation sucks for terminal usage.
> 
> If MFA is turned on:
> 
> 1. The Fedora account integration in GNOME breaks

To clarify, goa cannot get a new token for you, but once you have gotten
one with your otp, it will renew it for you until it's renewal time is
over. 

> 2. You need to concatenate password and OTP for getting a krb5 session ticket

Yep. I think this is being worked on...

> 3. The recovery mechanism involves GPG signed emails

Yep. Or... you can enroll multiple otps. You only need one to be
working. You can enroll more and keep backup ones. 

> The experience using 2FA for Fedora accounts is sufficiently
> unpleasant that I really don't want to use it.

:( 

kevin


signature.asc
Description: PGP signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Carlos Rodriguez-Fernandez 
BTW, adding comments to myself, the signed commits and their 
verification takes care of problems 2FA doesn't. First, ensure 
authorship information (2FA doesn't leave a mark in the commit), and 
protects the integrity of the downstream source: the build can ensure 
that the checked out downstream project doesn't get "dirty" during and 
after the build, and/or commits are not modified during and after the build.


But this doesn't solve the specific xz problem. That one requires 
different kinds of defense techniques.


On 3/31/24 08:10, Carlos Rodriguez-Fernandez wrote:
Going in that same route, if 2FA becomes mandatory, then we have a 
stronger defense of the GPG public key in the user profile. The attacker 
would need not only the credentials, but the 2FA device to change the 
public GPG.


That then makes one step further possible: enforce commit signing on the 
downstream project. That makes authorship of changes non repudiateable 
(that is, important changes like `sources`, all patches, specs, etc...), 
  and also allows the build to check that all commits between the last 
release and the current build are signed by the committers of the 
project. This can be done by having the build importing the public GPGs 
of the committers of the downstream project from pagure/FAS and 
checking, again, the commits since the last release. The downstream 
project *source code* would be effectively signed, so the signed rpm 
then would carry even a higher assurance: "this artifact was built by 
Fedora Infrastructure", but also "all the downstream sources used to 
make it are assuredly coming from the maintainers."


It is definitely an additional hassle for the maintainers, but there is 
value in it, especially in this day and age.


On 3/31/24 01:58, Adam Williamson wrote:

On Sat, 2024-03-30 at 09:37 +, Richard W.M. Jones wrote:

I'm not pretending these will solve everything, but they should make
attacks a little harder in future.


I don't disagree with Richard's list. However...more in regards to some
of the grandiose ideas in later posts than Richard's list...I think
we're in danger of building castles in the sky while not cleaning up
the poop in our backyard, here.

Before we start in on the grand fantasies about converting the world
off autotools or banning binaries in repos or centralized source depots
authenticated by a committee of Top People, can we remember:

1. We *still don't have compulsory 2FA for Fedora packagers*. We *still
don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
COMPULSORY 2FA FOR FEDORA PACKAGERS*.

2. Our process for vetting packagers is, let's face it, from a security
perspective almost *comically* patchy. There are 140 sponsors in the
packager FAS group. Any one of those people - or someone who
compromises any one of those 140 accounts - can grant any other person
on earth Fedora packager status. Our policy on how they should do this
is
https://docs.fedoraproject.org/en-US/package-maintainers/How_to_Sponsor_a_New_Contributor/#sponsoring_someone_for_fedora_package_collection
. The words "trust" and "identity" do not appear in it. There is,
AFAIK, no policy or procedure by which inactive sponsors have this
power removed. There is no mandatory 2FA policy for sponsors.

3. We have no mechanism to flag when J. Random Packager adds
"Supplements: glibc" to their random leaf node package. As a reminder,
*we are a project that allows 1,601 minimally-vetted people to deliver
arbitrary code executed as root on hundreds of thousands of systems*,
and this mechanism allows any one of those people to cause the package
they have complete control over to be automatically pulled in as a
dependency on virtually every single one of those systems.

4. Our main auth system was written years ago by someone who no longer
contributes and nobody is really actively maintaining it[0].

These are just the ones that leap to my tired mind at this moment. I'm
sure we can think of many more things we should probably look at before
we start pontificating (or, worse, lecturing) about how things should
be done upstream of us.

[0]: https://pagure.io/ipsilon/commits/master


OpenPGP_signature.asc
Description: OpenPGP digital signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Carlos Rodriguez-Fernandez 
Going in that same route, if 2FA becomes mandatory, then we have a 
stronger defense of the GPG public key in the user profile. The attacker 
would need not only the credentials, but the 2FA device to change the 
public GPG.


That then makes one step further possible: enforce commit signing on the 
downstream project. That makes authorship of changes non repudiateable 
(that is, important changes like `sources`, all patches, specs, etc...), 
 and also allows the build to check that all commits between the last 
release and the current build are signed by the committers of the 
project. This can be done by having the build importing the public GPGs 
of the committers of the downstream project from pagure/FAS and 
checking, again, the commits since the last release. The downstream 
project *source code* would be effectively signed, so the signed rpm 
then would carry even a higher assurance: "this artifact was built by 
Fedora Infrastructure", but also "all the downstream sources used to 
make it are assuredly coming from the maintainers."


It is definitely an additional hassle for the maintainers, but there is 
value in it, especially in this day and age.


On 3/31/24 01:58, Adam Williamson wrote:

On Sat, 2024-03-30 at 09:37 +, Richard W.M. Jones wrote:

I'm not pretending these will solve everything, but they should make
attacks a little harder in future.


I don't disagree with Richard's list. However...more in regards to some
of the grandiose ideas in later posts than Richard's list...I think
we're in danger of building castles in the sky while not cleaning up
the poop in our backyard, here.

Before we start in on the grand fantasies about converting the world
off autotools or banning binaries in repos or centralized source depots
authenticated by a committee of Top People, can we remember:

1. We *still don't have compulsory 2FA for Fedora packagers*. We *still
don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
COMPULSORY 2FA FOR FEDORA PACKAGERS*.

2. Our process for vetting packagers is, let's face it, from a security
perspective almost *comically* patchy. There are 140 sponsors in the
packager FAS group. Any one of those people - or someone who
compromises any one of those 140 accounts - can grant any other person
on earth Fedora packager status. Our policy on how they should do this
is
https://docs.fedoraproject.org/en-US/package-maintainers/How_to_Sponsor_a_New_Contributor/#sponsoring_someone_for_fedora_package_collection
. The words "trust" and "identity" do not appear in it. There is,
AFAIK, no policy or procedure by which inactive sponsors have this
power removed. There is no mandatory 2FA policy for sponsors.

3. We have no mechanism to flag when J. Random Packager adds
"Supplements: glibc" to their random leaf node package. As a reminder,
*we are a project that allows 1,601 minimally-vetted people to deliver
arbitrary code executed as root on hundreds of thousands of systems*,
and this mechanism allows any one of those people to cause the package
they have complete control over to be automatically pulled in as a
dependency on virtually every single one of those systems.

4. Our main auth system was written years ago by someone who no longer
contributes and nobody is really actively maintaining it[0].

These are just the ones that leap to my tired mind at this moment. I'm
sure we can think of many more things we should probably look at before
we start pontificating (or, worse, lecturing) about how things should
be done upstream of us.

[0]: https://pagure.io/ipsilon/commits/master


OpenPGP_signature.asc
Description: OpenPGP digital signature
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Michael Catanzaro 
On Sun, Mar 31 2024 at 07:15:42 AM -04:00:00, Neal Gompa 
 wrote:

Well, an easy solution is to make it so "dnf update" is coerced to
"dnf distro-sync" for development releases. Then it doesn't matter. We
could make that happen for Fedora 41 with the DNF 5 transition
(there's already code to make this possible with PackageKit with the
current DNF backend, it needs to be migrated into DNF 5).

Disabling updates-testing is a bad plan, because we want updates more
aggressively tested during the development cycle.


Agree, people testing beta Fedoras should surely be testing the test 
updates. But the test updates shouldn't remain installed after updating 
past the GA release. I don't have a strong opinion on whether 'dnf 
update' should automatically perform a 'dnf distro-sync', but 
PackageKit certainly ought to do this. It probably only needs to happen 
once, though, on or after the final release date.


Michael

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Michael Catanzaro 
On Sun, Mar 31 2024 at 12:55:23 PM +00:00:00, Christopher Klooz 
 wrote:
In case someone from the Fedora Magazine is in the devel mailing list 
and reads this:


I'm really frustrated with our communication regarding this issue. Does 
anybody know who can fix this?


If we don't know who can fix Fedora Magazine on a Sunday, maybe we 
should just take down the entire domain until tomorrow. Fedora Magazine 
is an authoritative source and a lot of people are trusting the wrong 
information that we're providing.


Thanks for complaining about this, Christopher.

Michael

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Fedora 40 compose report: 20240331.n.0 changes

2024-03-31 Thread Fedora Branched Report 
OLD: Fedora-40-20240330.n.0
NEW: Fedora-40-20240331.n.0

= SUMMARY =
Added images:1
Dropped images:  2
Added packages:  58
Dropped packages:0
Upgraded packages:   163
Downgraded packages: 0

Size of added packages:  6.80 MiB
Size of dropped packages:0 B
Size of upgraded packages:   2.68 GiB
Size of downgraded packages: 0 B

Size change of upgraded packages:   7.11 MiB
Size change of downgraded packages: 0 B

= ADDED IMAGES =
Image: Security live x86_64
Path: Labs/x86_64/iso/Fedora-Security-Live-x86_64-40-20240331.n.0.iso

= DROPPED IMAGES =
Image: Kinoite ociarchive ppc64le
Path: Kinoite/ppc64le/images/Fedora-Kinoite-40.20240330.n.0.ociarchive
Image: KDE live aarch64
Path: Spins/aarch64/iso/Fedora-KDE-Live-aarch64-40-20240330.n.0.iso

= ADDED PACKAGES =
Package: marknote-1.0.0-1.fc40
Summary: A simple markdown note management app for KDE
RPMs:marknote
Size:627.62 KiB

Package: rust-cairo-rs0.18-0.18.5-1.fc40
Summary: Rust bindings for the Cairo library
RPMs:rust-cairo-rs0.18+default-devel rust-cairo-rs0.18+freetype-devel 
rust-cairo-rs0.18+freetype-rs-devel rust-cairo-rs0.18+glib-devel 
rust-cairo-rs0.18+pdf-devel rust-cairo-rs0.18+png-devel 
rust-cairo-rs0.18+ps-devel rust-cairo-rs0.18+script-devel 
rust-cairo-rs0.18+svg-devel rust-cairo-rs0.18+use_glib-devel 
rust-cairo-rs0.18+v1_16-devel rust-cairo-rs0.18+v1_18-devel 
rust-cairo-rs0.18+xcb-devel rust-cairo-rs0.18+xlib-devel rust-cairo-rs0.18-devel
Size:165.98 KiB

Package: rust-cairo-sys-rs0.18-0.18.2-1.fc40
Summary: FFI bindings to libcairo
RPMs:rust-cairo-sys-rs0.18+default-devel 
rust-cairo-sys-rs0.18+freetype-devel rust-cairo-sys-rs0.18+glib-devel 
rust-cairo-sys-rs0.18+pdf-devel rust-cairo-sys-rs0.18+png-devel 
rust-cairo-sys-rs0.18+ps-devel rust-cairo-sys-rs0.18+script-devel 
rust-cairo-sys-rs0.18+svg-devel rust-cairo-sys-rs0.18+use_glib-devel 
rust-cairo-sys-rs0.18+v1_16-devel rust-cairo-sys-rs0.18+v1_18-devel 
rust-cairo-sys-rs0.18+x11-devel rust-cairo-sys-rs0.18+xcb-devel 
rust-cairo-sys-rs0.18+xlib-devel rust-cairo-sys-rs0.18-devel
Size:119.83 KiB

Package: rust-freetype-rs0.32-0.32.0-1.fc40
Summary: Bindings for FreeType font library
RPMs:rust-freetype-rs0.32+default-devel rust-freetype-rs0.32-devel
Size:113.39 KiB

Package: rust-freetype-sys0.17-0.17.0-1.fc40
Summary: Low level binding for FreeType font library
RPMs:rust-freetype-sys0.17+default-devel rust-freetype-sys0.17-devel
Size:29.99 KiB

Package: rust-gdk-pixbuf-sys0.18-0.18.0-1.fc40
Summary: FFI bindings to libgdk_pixbuf-2.0
RPMs:rust-gdk-pixbuf-sys0.18+default-devel 
rust-gdk-pixbuf-sys0.18+v2_40-devel rust-gdk-pixbuf-sys0.18+v2_42-devel 
rust-gdk-pixbuf-sys0.18-devel
Size:39.66 KiB

Package: rust-gdk-pixbuf0.18-0.18.5-1.fc40
Summary: Rust bindings for the GdkPixbuf library
RPMs:rust-gdk-pixbuf0.18+default-devel rust-gdk-pixbuf0.18+v2_40-devel 
rust-gdk-pixbuf0.18+v2_42-devel rust-gdk-pixbuf0.18-devel
Size:54.95 KiB

Package: rust-gdk4-sys0.7-0.7.2-1.fc40
Summary: FFI bindings of GDK 4
RPMs:rust-gdk4-sys0.7+default-devel rust-gdk4-sys0.7+v4_10-devel 
rust-gdk4-sys0.7+v4_12-devel rust-gdk4-sys0.7+v4_2-devel 
rust-gdk4-sys0.7+v4_4-devel rust-gdk4-sys0.7+v4_6-devel 
rust-gdk4-sys0.7+v4_8-devel rust-gdk4-sys0.7-devel
Size:111.00 KiB

Package: rust-gdk4-wayland-sys0.7-0.7.2-1.fc40
Summary: FFI bindings of GDK4 Wayland
RPMs:rust-gdk4-wayland-sys0.7+default-devel 
rust-gdk4-wayland-sys0.7+v4_10-devel rust-gdk4-wayland-sys0.7+v4_12-devel 
rust-gdk4-wayland-sys0.7+v4_4-devel rust-gdk4-wayland-sys0.7-devel
Size:40.68 KiB

Package: rust-gdk4-wayland0.7-0.7.2-1.fc40
Summary: Rust bindings of the GDK 4 Wayland library
RPMs:rust-gdk4-wayland0.7+default-devel rust-gdk4-wayland0.7+v4_10-devel 
rust-gdk4-wayland0.7+v4_12-devel rust-gdk4-wayland0.7+v4_4-devel 
rust-gdk4-wayland0.7-devel
Size:52.25 KiB

Package: rust-gdk4-x11-sys0.7-0.7.2-1.fc40
Summary: FFI bindings of GDK4 X11
RPMs:rust-gdk4-x11-sys0.7+default-devel rust-gdk4-x11-sys0.7+v4_10-devel 
rust-gdk4-x11-sys0.7+v4_4-devel rust-gdk4-x11-sys0.7-devel
Size:36.73 KiB

Package: rust-gdk4-x11_0.7-0.7.2-1.fc40
Summary: Rust bindings of the GDK4 X11 library
RPMs:rust-gdk4-x11_0.7+default-devel rust-gdk4-x11_0.7+v4_10-devel 
rust-gdk4-x11_0.7+v4_4-devel rust-gdk4-x11_0.7+x11-devel 
rust-gdk4-x11_0.7+xlib-devel rust-gdk4-x11_0.7-devel
Size:62.77 KiB

Package: rust-gdk4_0.7-0.7.3-1.fc40
Summary: Rust bindings of the GDK 4 library
RPMs:rust-gdk4_0.7+default-devel rust-gdk4_0.7+v4_10-devel 
rust-gdk4_0.7+v4_12-devel rust-gdk4_0.7+v4_2-devel rust-gdk4_0.7+v4_4-devel 
rust-gdk4_0.7+v4_6-devel rust-gdk4_0.7+v4_8-devel rust-gdk4_0.7-devel
Size:159.73 KiB

Package: rust-gio-sys0.18-0.18.1-1.fc40
Summary: FFI bindings to libgio-2.0
RPMs:rust-gio-sys0.18+default-devel rust-gio-sys0.18+v2_58-devel 
rust-gio-sys0.18+v2_60-devel rust-gio-sys0.18+v2_62-devel 
rust-gio-sys0.18+v2_64-devel rust-gio

[Bug 2268717] perl-Spreadsheet-XLSX-0.18 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2268717



--- Comment #2 from Fedora Update System  ---
FEDORA-2024-217b7b1eb8 (perl-Spreadsheet-XLSX-0.18-1.fc38) has been submitted
as an update to Fedora 38.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-217b7b1eb8


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202268717%23c2
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2268717] perl-Spreadsheet-XLSX-0.18 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Fedora Update System  changed:

   What|Removed |Added

 Status|NEW |MODIFIED



--- Comment #1 from Fedora Update System  ---
FEDORA-2024-a63af372e9 (perl-Spreadsheet-XLSX-0.18-1.fc39) has been submitted
as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-a63af372e9


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202268717%23c1
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2268717] perl-Spreadsheet-XLSX-0.18 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2268717



--- Comment #4 from Fedora Update System  ---
FEDORA-EPEL-2024-aa863b2777 (perl-Spreadsheet-XLSX-0.18-1.el7) has been
submitted as an update to Fedora EPEL 7.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-aa863b2777


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2268717

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202268717%23c4
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Gary Buhrmaster 
On Sun, Mar 31, 2024 at 8:58 AM Adam Williamson
 wrote:

> 1. We *still don't have compulsory 2FA for Fedora packagers*. We *still
> don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
> COMPULSORY 2FA FOR FEDORA PACKAGERS*.

What is the status of the FIDO2 implementation in the
authentication processes?  Whenever 2FA comes
up I agree with the principal, but ask for an update
on FIDO2.  Last I knew, it was still a under-resourced
WIP.
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Tomasz Kłoczko 
On Sun, 31 Mar 2024 at 13:55, Christopher Klooz  wrote:
[..]
BTW all that scandal with xz backdoor.
Looks like if fedora spec file would be using not

Source0:
https://github.com/tukaani-project/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz

but

Source0:
https://github.com/tukaani-project/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz

It would be no issue.

kloczek
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2257627] CVE-2024-22368 perl-Spreadsheet-XLSX: perl-Spreadsheet-ParseXLSX: out-of-memory condition during parsing of a crafted XLSX document [epel-all]

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2257627

Robert Scheck  changed:

   What|Removed |Added

 Resolution|--- |NOTABUG
 Status|NEW |CLOSED
Last Closed||2024-03-31 13:14:51



--- Comment #2 from Robert Scheck  ---
CVE-2024-22368 refers only to Spreadsheet::ParseXLSX, not to Spreadsheet::XLSX


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2257627

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202257627%23c2
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2257628] CVE-2024-22368 perl-Spreadsheet-XLSX: perl-Spreadsheet-ParseXLSX: out-of-memory condition during parsing of a crafted XLSX document [fedora-all]

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2257628

Robert Scheck  changed:

   What|Removed |Added

 Status|NEW |CLOSED
 CC||quantum.anal...@gmail.com
  Component|perl-Spreadsheet-XLSX   |perl-Spreadsheet-ParseXLSX
 Resolution|--- |NOTABUG
Last Closed||2024-03-31 13:14:20



--- Comment #2 from Robert Scheck  ---
CVE-2024-22368 refers only to Spreadsheet::ParseXLSX, not to Spreadsheet::XLSX


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2257628

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202257628%23c2
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Christopher Klooz 


On 30/03/2024 15.45, Michael Catanzaro wrote:

On Sat, Mar 30 2024 at 12:26:48 PM +00:00:00, Christopher Klooz 
 wrote:

 If I got Rich right, the malicious code is likely to be broken on F40,


No, that is not correct, as explained by [1] and [2]. We have already asked Red 
Hat to investigate and fix the blog post. This is still an evolving situation; 
apologies for the confusion as we sort this out.

[1] 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/BAO5S2VGTTWD6MHHCFHTAIAHZQFMOGAQ/
[2] 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/BAO5S2VGTTWD6MHHCFHTAIAHZQFMOGAQ/

Then we must have had some communication snafu regarding the Fedora Magazine 
article, because multiple people including myself flagged the incorrect 
statement there before the article was published. Hopefully we can get one this 
fixed, too.

Michael


In case someone from the Fedora Magazine is in the devel mailing list and reads 
this:

I am not sure if this is intended, but the article on the magazine already spread the false 
information that "testing" is disabled by default on F40 (this was also spread on 
LinkedIn - both have been already re-distributed into several channels), and now it says in the 
first section "Fedora Linux 40 Beta users only using stable repositories are NOT 
impacted".

I assume that users who already have the false information (which is already 
widely distributed) in mind do not feel corrected if they now read “Fedora 
Linux 40 Beta users only using stable repositories are NOT impacted”. They 
might simply come to the conclusion that they are not affected since they never 
enabled testing manually. The article does not correct the earlier information 
but leaves it as potentially valid.

I think you should make clear in the beginning that testing is enabled by 
default, and unless they changed it themselves, it has to be assumed to be 
enabled. With the false information spread already through many channels, I 
assume some people stop reading after the first section.

I just triggered Justin [1] but I am not sure if he is available at the moment. 
It would be cool if someone with privileges adjusts the article's first section.

[1] 
https://discussion.fedoraproject.org/t/attention-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683/41
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Daniel P . Berrangé 
On Sat, Mar 30, 2024 at 09:37:44AM +, Richard W.M. Jones wrote:
> I'm not pretending these will solve everything, but they should make
> attacks a little harder in future.
> 
> 
> (1) We should routinely delete autoconf-generated cruft from upstream
> projects and regenerate it in %prep.  It is easier to study the real
> source rather than dig through the convoluted, generated shell script
> in an upstream './configure' looking for back doors.

I've noted many times before how inconsistent it is that many
of us will happily mock a website saying "curl  | sh -",
and then with a straight face tell users to download a tarball
and run the 1 MB auto-generated 'configure' shell script that
is obfuscated to the point of unreadability by autotools. It
is the perfect place to hide malicious code in tarballs. 

> For most projects, just running "autoreconf -fiv" is enough.
> 
> Yes, there are some projects that depend on a specific or old version
> of autoconf.  We should fix those.  But that doesn't need to delay us
> from using autoreconf on many projects today.
> 
> In the xz case this wouldn't have been enough, it turns out we would
> also have to delete m4/build-to-host.m4, which then autoreconf
> regenerates.  I don't fully understand why that is.

This is challenging to address too, since often the 'm4/' directory
contains a mixture of application provided m4 files, and autotools
provided m4 files. You can't blindly purge the m4/ directory. They
could have provided a "m4/my-build-to-host.m4" file that interferes
or overides the main 'm4/build-to-host.m4'. So even if autoreconf
did regenerate that file as desired, you're still not entirely
safe.

Still, it would be good practice to have a way to purge any files
that are known to be autoconf provided, so at least you know which
remaining files to look at for threats / problems.

> (2) We should discourage gnulib as much as possible.
> 
> In libvirt we took the decision a few years ago to remove gnulib.
> It's extremely convoluted and almost no one understands how it really
> works.  It's written in obscure m4 macros and shell script.
> 
> It's also not necessary for Linux since gnulib is mainly about
> porting to non-Linux platforms.  There are better ways to do this.

Be honest about which platforms you genuinely need portability
too in the modern world. Cull obsolete / dead platforms.

While it is a fun intellectual challenge to write portable code
against POSIX, most projects are better off not reinventing the
wheel. Something like GLib takes out a large part of the portability
pain if you really must stick with developing C, and is easy to
adopt incrementally. This is what let libvirt cull its use of
gnulib, which in turn lets us cull the use of autotools

> In the xz case it was a gnulib-derived script which was modified to do
> the initial injection (original:
> https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob;f=m4/build-to-host.m4;h=f928e9ab403b3633e3d1d974abcf478e65d4b0aa;hb=HEAD).



> 
> 
> (3) We should have a "security path", like "critical path".
> 
> sshd is linked to a lot of libraries:
> 
> /lib64/libaudit.so.1audit-libs
> /lib64/libc.so.6glibc
> /lib64/libcap-ng.so.0   libcap-ng
> /lib64/libcap.so.2  libcap
> /lib64/libcom_err.so.2  libcom_err
> /lib64/libcrypt.so.2libxcrypt
> /lib64/libcrypto.so.3   openssl-libs
> /lib64/libeconf.so.0libeconf
> /lib64/libgcc_s.so.1libgcc
> /lib64/libgssapi_krb5.so.2  krb5-libs
> /lib64/libk5crypto.so.3 krb5-libs
> /lib64/libkeyutils.so.1 keyutils-libs
> /lib64/libkrb5.so.3 krb5-libs
> /lib64/libkrb5support.so.0  krb5-libs
> /lib64/liblz4.so.1  lz4-libs
> /lib64/liblzma.so.5 xz-libs
> /lib64/libm.so.6glibc
> /lib64/libpam.so.0  pam-libs
> /lib64/libpcre2-8.so.0  pcre2
> /lib64/libresolv.so.2   glibc
> /lib64/libselinux.so.1  libselinux
> /lib64/libsystemd.so.0  systemd-libs
> /lib64/libz.so.1zlib / zlib-ng
> /lib64/libzstd.so.1 zstd
> 
> Should we have a higher level of attention to these packages?  We
> already have "critical path", but that's a broad category now.  These
> seem like they are "security path" packages, an intentionally small
> subset associated with very secure services which are enabled by
> default.
> 
> 
> These are just my thoughts on a Saturday morning.  Feedback welcome of
> course.
> 
> Rich.
> 
> -- 
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> virt-top is 'top' for virtual machines.  Tiny program with many
> powerful monitoring features, net stats, disk stats, logging, etc.
> http://people.redhat.com/~rjones/virt-top
> --
> ___
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Daniel P . Berrangé 
On Sun, Mar 31, 2024 at 01:58:21AM -0700, Adam Williamson wrote:
> On Sat, 2024-03-30 at 09:37 +, Richard W.M. Jones wrote:
> > I'm not pretending these will solve everything, but they should make
> > attacks a little harder in future.
> 
> I don't disagree with Richard's list. However...more in regards to some
> of the grandiose ideas in later posts than Richard's list...I think
> we're in danger of building castles in the sky while not cleaning up
> the poop in our backyard, here.
> 
> Before we start in on the grand fantasies about converting the world
> off autotools or banning binaries in repos or centralized source depots
> authenticated by a committee of Top People, can we remember:
> 
> 1. We *still don't have compulsory 2FA for Fedora packagers*. We *still
> don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
> COMPULSORY 2FA FOR FEDORA PACKAGERS*.
> 
> 2. Our process for vetting packagers is, let's face it, from a security
> perspective almost *comically* patchy. There are 140 sponsors in the
> packager FAS group. Any one of those people - or someone who
> compromises any one of those 140 accounts - can grant any other person
> on earth Fedora packager status. Our policy on how they should do this
> is
> https://docs.fedoraproject.org/en-US/package-maintainers/How_to_Sponsor_a_New_Contributor/#sponsoring_someone_for_fedora_package_collection
> . The words "trust" and "identity" do not appear in it. There is,
> AFAIK, no policy or procedure by which inactive sponsors have this
> power removed. There is no mandatory 2FA policy for sponsors.
> 
> 3. We have no mechanism to flag when J. Random Packager adds
> "Supplements: glibc" to their random leaf node package. As a reminder,
> *we are a project that allows 1,601 minimally-vetted people to deliver
> arbitrary code executed as root on hundreds of thousands of systems*,
> and this mechanism allows any one of those people to cause the package
> they have complete control over to be automatically pulled in as a
> dependency on virtually every single one of those systems.

This is as much a distro design problem, as a Fedora process
problem. The typical Linux distro model is that everything is
installed in the same namespace, and we only avoid interference
(whether accidental or intentional) by careful packaging design
and review.

This is somewhere where the image based Linux distro model has
a potential benefit, with a comparatively slim distro base, and
then applications as self contained separated entities, whether
server apps in podman containers, or GUI apps in flatpaks.

No easy anwere here though, as the traditional Linux model isn't
going away any time in the forseeable future.

> 4. Our main auth system was written years ago by someone who no longer
> contributes and nobody is really actively maintaining it[0].


5. We review initial new packages in a moderate level of detail,
   but after that it is largely a free for all for every rebase.
   It is up to the maintainer's discretion what to do for new
   releases, and any oversight is patchy at best. The threat here
   was in relation to an update to an existing package, and where
   we have no formal process that was even /interested/ in addressing
   that threat, let alone capable of stopping it.

   Now, in this particular case, it would have been challenging
   to detect it the problem even with "new package" review process,
   so I'm sceptical we can easily build a "updated package" process
   that would have blocked it and yet remain practical for maintainers. 


With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Arthur Bols 

On 31/03/2024 13:42, Neal Gompa wrote:

At this point, I'm used to MFA for stuff (and I use a password manager
that handles 2FA OTPs too), but the Fedora implementation of MFA is
uniquely bad because we have to do a lot in the terminal, and our MFA
implementation sucks for terminal usage.

If MFA is turned on:

1. The Fedora account integration in GNOME breaks
2. You need to concatenate password and OTP for getting a krb5 session ticket
3. The recovery mechanism involves GPG signed emails

The experience using 2FA for Fedora accounts is sufficiently
unpleasant that I really don't want to use it.

Thank you, these are valid points that I was mostly unaware of.

1 and 2 (I use a mooltipass, so it's just one extra click) aren't a 
problem for me and hopefully I'll never need the 3rd, but I can see how 
this could have a big impact on other users.


--
Arthur Bols
fas/irc: principis
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Zbigniew Jędrzejewski-Szmek 
On Sun, Mar 31, 2024 at 09:07:21AM -, François Rigault wrote:
> hi Zbyszek,
> how did you review the corrupted journal files committed in systemd? Can you 
> know for certain that they do not contain any backdoor or anything illegal or 
> unlicensed?

The licensing and legal side is easy: those files are produced by a
program that we wrote (journald), so copyright and patents don't
apply. In principle there could be some privileged information in
those files, but it was disclosed by the person who submitted a pull
request with those files, so at this point distributing this
information wouldn't make further difference. And also the person
submitting them accept the license which allows redistribution.

If there's a backdoor: those files are read by a program which is
supposed to be resilient against broken input. We execute this program
under multiple sanitizers over this input file. So we're doing pretty
strong testing that the input is parsed correctly (or refused).

I wrote a bit more abou this in other part of the thread [1].
I think that while it's theoretically possible to do something
malicious with bad fuzzer samples, it'd be very very do pull off.

[1] 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/4DB56MMWUSBEY7YPD5ARIZGF4FFVRYHJ/,

Zbyszek
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Neal Gompa 
On Sun, Mar 31, 2024 at 7:36 AM Arthur Bols  wrote:
>
> On 31/03/2024 13:03, Kevin Kofler via devel wrote:
>
> This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for
> contributors for a while, starting with "important" projects, then getting
> stricter and stricter. It has done absolutely nothing to stop this attack.
> How could it, when the backdoor was apparently introduced by the authorized
> maintainer? (Or if not, the attacker must have had access to their 2FA
> secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON
> US! And especially DO NOT abuse this incident as an excuse to force 2FA down
> our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being
> repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!
>
>
> 2FA for Fedora packagers doesn't solve this issue, but that wasn't Adam's 
> point. What Adam is saying is that we're in danger of focusing too much on a 
> specific issue while we should spent our time and energy on the general 
> security aspect of Fedora. 2FA isn't nonsense, it strengthens security by a 
> lot. A compromised (proven)packager account can do a lot of harm and can take 
> a while to be noticed. If this would happen to us, Fedora's reputation would 
> tank immediately. Mint is still regarded as a insecure distro (in my circles) 
> for things that happened before I even entered the linux scene...
>
> Like it or not, this is 2024 and passwords are not as secure as they used to 
> be. Yelling about it isn't going to solve anything. Meanwhile, enabling 2FA 
> helps A LOT even if used incorrectly (e.g. storing it in the same keepassxc 
> database).
>

At this point, I'm used to MFA for stuff (and I use a password manager
that handles 2FA OTPs too), but the Fedora implementation of MFA is
uniquely bad because we have to do a lot in the terminal, and our MFA
implementation sucks for terminal usage.

If MFA is turned on:

1. The Fedora account integration in GNOME breaks
2. You need to concatenate password and OTP for getting a krb5 session ticket
3. The recovery mechanism involves GPG signed emails

The experience using 2FA for Fedora accounts is sufficiently
unpleasant that I really don't want to use it.



-- 
真実はいつも一つ!/ Always, there's only one truth!
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Arthur Bols 

On 31/03/2024 13:03, Kevin Kofler via devel wrote:

This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for
contributors for a while, starting with "important" projects, then getting
stricter and stricter. It has done absolutely nothing to stop this attack.
How could it, when the backdoor was apparently introduced by the authorized
maintainer? (Or if not, the attacker must have had access to their 2FA
secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON
US! And especially DO NOT abuse this incident as an excuse to force 2FA down
our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being
repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!


2FA for Fedora packagers doesn't solve *this* issue, but that wasn't 
Adam's point. What Adam is saying is that we're in danger of focusing 
too much on a specific issue while we should spent our time and energy 
on the general security aspect of Fedora. 2FA isn't nonsense, it 
strengthens security by a lot. A compromised (proven)packager account 
can do a lot of harm and can take a while to be noticed. If this would 
happen to us, Fedora's reputation would tank immediately. Mint is still 
regarded as a insecure distro (in my circles) for things that happened 
before I even entered the linux scene...


Like it or not, this is 2024 and passwords are not as secure as they 
used to be. Yelling about it isn't going to solve anything. Meanwhile, 
enabling 2FA helps A LOT even if used incorrectly (e.g. storing it in 
the same keepassxc database).


--
Arthur Bols
fas/irc: principis
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Obsoleted packages in F40

2024-03-31 Thread Otto Liljalaakso 

Kevin Kofler via devel kirjoitti 31.3.2024 klo 14.14:

Otto Liljalaakso wrote:

So, I would actually much prefer if package retirement automatically
added the package to fedora-obsolete-packages. Perhaps there are special
cases where that would not be a good idea - if there are some, `fedpkg
retire` could have a flag to prevent that from happening.

We have had this discussion several times on this list. The compromise that
was agreed upon is that packages should be added to fedora-obsolete-packages
ONLY if having those packages installed BREAKS something, e.g., prevents
upgrading some other package due to broken dependencies, or causes a file
conflict with some other package. Being retired is by itself NOT a reason to
forcefully remove a package that users may depend on from their systems. So
that is what should be documented, not your personal wishes.
Even if I happen to spend my time documenting what rules the Fedora 
community agrees, I still reserve the right to voice my opinion on what 
the rule should be. I have not submitted any pull request to change any 
documentation to follow what I suggest above, just to clarify what the 
actual, existing rule is.

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Neal Gompa 
On Sun, Mar 31, 2024 at 6:50 AM Kevin Kofler via devel
 wrote:
>
> Kevin Fenzi wrote:
> > Branched enables updates-testing... so if you installed f40 anytime, you
> > will have it enabled and if you then applied updates it would be in them
>
> Yet another thing I always said was a bad idea, and this incident proves it.
> This would have been filtered before reaching most people if we made people
> only test what actually ends up in the composed Beta and Final images, i.e.,
> updates that made it out to stable.  In addition, having updates-testing
> enabled makes it unsafe to upgrade a Beta installation to Final because
> suddenly updates-testing gets disabled, but people still have packages from
> updates-testing (such as the backdoored xz, but also tons of untested
> packages or ones that explicitly failed testing) installed.
>

Well, an easy solution is to make it so "dnf update" is coerced to
"dnf distro-sync" for development releases. Then it doesn't matter. We
could make that happen for Fedora 41 with the DNF 5 transition
(there's already code to make this possible with PackageKit with the
current DNF backend, it needs to be migrated into DNF 5).

Disabling updates-testing is a bad plan, because we want updates more
aggressively tested during the development cycle.



-- 
真実はいつも一つ!/ Always, there's only one truth!
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Obsoleted packages in F40

2024-03-31 Thread Kevin Kofler via devel 
Otto Liljalaakso wrote:
> So, I would actually much prefer if package retirement automatically
> added the package to fedora-obsolete-packages. Perhaps there are special
> cases where that would not be a good idea - if there are some, `fedpkg
> retire` could have a flag to prevent that from happening.

We have had this discussion several times on this list. The compromise that 
was agreed upon is that packages should be added to fedora-obsolete-packages 
ONLY if having those packages installed BREAKS something, e.g., prevents 
upgrading some other package due to broken dependencies, or causes a file 
conflict with some other package. Being retired is by itself NOT a reason to 
forcefully remove a package that users may depend on from their systems. So 
that is what should be documented, not your personal wishes.

Kevin Kofler
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Kevin Kofler via devel 
Adam Williamson wrote:
> 1. We *still don't have compulsory 2FA for Fedora packagers*. We *still
> don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
> COMPULSORY 2FA FOR FEDORA PACKAGERS*.

This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for 
contributors for a while, starting with "important" projects, then getting 
stricter and stricter. It has done absolutely nothing to stop this attack. 
How could it, when the backdoor was apparently introduced by the authorized 
maintainer? (Or if not, the attacker must have had access to their 2FA 
secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON 
US! And especially DO NOT abuse this incident as an excuse to force 2FA down 
our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being 
repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!

> 2. Our process for vetting packagers is, let's face it, from a security
> perspective almost *comically* patchy. There are 140 sponsors in the
> packager FAS group. Any one of those people - or someone who
> compromises any one of those 140 accounts - can grant any other person
> on earth Fedora packager status. Our policy on how they should do this
> is
> https://docs.fedoraproject.org/en-US/package-maintainers/How_to_Sponsor_a_New_Contributor/#sponsoring_someone_for_fedora_package_collection
> . The words "trust" and "identity" do not appear in it. There is,
> AFAIK, no policy or procedure by which inactive sponsors have this
> power removed. There is no mandatory 2FA policy for sponsors.

We already have a manpower problem, how is removing sponsors going to 
improve the situation?

> 3. We have no mechanism to flag when J. Random Packager adds
> "Supplements: glibc" to their random leaf node package. As a reminder,
> *we are a project that allows 1,601 minimally-vetted people to deliver
> arbitrary code executed as root on hundreds of thousands of systems*,
> and this mechanism allows any one of those people to cause the package
> they have complete control over to be automatically pulled in as a
> dependency on virtually every single one of those systems.

This would get noticed pretty quickly, when that package comes up in update 
transactions for no reason. I believe this has never happened so far. It is 
just too obvious.

Kevin Kofler
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Kevin Kofler via devel 
Kevin Fenzi wrote:
> Branched enables updates-testing... so if you installed f40 anytime, you
> will have it enabled and if you then applied updates it would be in them

Yet another thing I always said was a bad idea, and this incident proves it. 
This would have been filtered before reaching most people if we made people 
only test what actually ends up in the composed Beta and Final images, i.e., 
updates that made it out to stable.  In addition, having updates-testing 
enabled makes it unsafe to upgrade a Beta installation to Final because 
suddenly updates-testing gets disabled, but people still have packages from 
updates-testing (such as the backdoored xz, but also tons of untested 
packages or ones that explicitly failed testing) installed.

Kevin Kofler
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Fedora rawhide compose report: 20240331.n.0 changes

2024-03-31 Thread Fedora Rawhide Report 
OLD: Fedora-Rawhide-20240330.n.0
NEW: Fedora-Rawhide-20240331.n.0

= SUMMARY =
Added images:3
Dropped images:  4
Added packages:  2
Dropped packages:0
Upgraded packages:   30
Downgraded packages: 0

Size of added packages:  3.92 MiB
Size of dropped packages:0 B
Size of upgraded packages:   1.47 GiB
Size of downgraded packages: 0 B

Size change of upgraded packages:   -135.09 KiB
Size change of downgraded packages: 0 B

= ADDED IMAGES =
Image: Python_Classroom vagrant-virtualbox x86_64
Path: 
Labs/x86_64/images/Fedora-Python-Classroom-Vagrant-Rawhide-20240331.n.0.x86_64.vagrant-virtualbox.box
Image: Python_Classroom vagrant-libvirt x86_64
Path: 
Labs/x86_64/images/Fedora-Python-Classroom-Vagrant-Rawhide-20240331.n.0.x86_64.vagrant-libvirt.box
Image: KDE live aarch64
Path: Spins/aarch64/iso/Fedora-KDE-Live-aarch64-Rawhide-20240331.n.0.iso

= DROPPED IMAGES =
Image: Kinoite dvd-ostree ppc64le
Path: Kinoite/ppc64le/iso/Fedora-Kinoite-ostree-ppc64le-Rawhide-20240330.n.0.iso
Image: Server_KVM qcow2 ppc64le
Path: Server/ppc64le/images/Fedora-Server-KVM-Rawhide-20240330.n.0.ppc64le.qcow2
Image: i3 live aarch64
Path: Spins/aarch64/iso/Fedora-i3-Live-aarch64-Rawhide-20240330.n.0.iso
Image: Workstation live aarch64
Path: 
Workstation/aarch64/iso/Fedora-Workstation-Live-aarch64-Rawhide-20240330.n.0.iso

= ADDED PACKAGES =
Package: f3d-2.3.1-1.fc41
Summary: Fast and minimalist 3D viewer
RPMs:f3d f3d-devel f3d-java f3d-python3
Size:3.31 MiB

Package: marknote-1.0.0-1.fc41
Summary: A simple markdown note management app for KDE
RPMs:marknote
Size:627.04 KiB


= DROPPED PACKAGES =

= UPGRADED PACKAGES =
Package:  bitlbee-facebook-1.2.2-9.fc41
Old package:  bitlbee-facebook-1.2.2-8.fc40
Summary:  Facebook protocol plugin for BitlBee
RPMs: bitlbee-facebook
Size: 307.86 KiB
Size change:  -215 B
Changelog:
  * Sun Mar 31 2024 Robert Scheck  1.2.2-9
  - Test whether BitlBee can load plugin during startup (#2272092)


Package:  blueman-1:2.4-1.fc41
Old package:  blueman-1:2.3.5-10.fc40
Summary:  GTK+ Bluetooth Manager
RPMs: blueman blueman-caja blueman-nautilus blueman-nemo
Size: 5.93 MiB
Size change:  -340.58 KiB
Changelog:
  * Sat Mar 30 2024 Artur Frenszek-Iwicki  - 1:2.4-1
  - Update to v2.4
  - Drop backported patches


Package:  ccdciel-0.9.87-1.fc41
Old package:  ccdciel-0.9.86-3.fc40
Summary:  CCD capture software
RPMs: ccdciel ccdciel-doc
Size: 37.40 MiB
Size change:  3.32 MiB
Changelog:
  * Sat Mar 30 2024 Mattia Verga  - 0.9.87-1
  - Update to 0.9.87 (fedora#2270215)


Package:  cockpit-314-1.fc41
Old package:  cockpit-313-1.fc41
Summary:  Web Console for Linux servers
RPMs: cockpit cockpit-bridge cockpit-doc cockpit-kdump 
cockpit-networkmanager cockpit-packagekit cockpit-pcp cockpit-selinux 
cockpit-sosreport cockpit-storaged cockpit-system cockpit-tests cockpit-ws
Size: 16.07 MiB
Size change:  7.87 KiB
Changelog:
  * Thu Mar 28 2024 Packit  - 314-1
  - Diagnostic reports: Fix command injection vulnerability with crafted report 
names
  - Storage: Improvements to read-only encrypted filesystems


Package:  cowsql-1.15.6-1.fc41
Old package:  cowsql-1.15.4-1.fc40
Summary:  Embeddable, replicated and fault tolerant SQL engine
RPMs: cowsql cowsql-devel
Size: 517.31 KiB
Size change:  382 B
Changelog:
  * Sat Mar 30 2024 Packit  - 1.15.6-1
  - [packit] 1.15.6 upstream release
  - Resolves: rhbz#2272284


Package:  crosswords-0.3.12-5.fc41
Old package:  crosswords-0.3.12-4.fc40
Summary:  Solve crossword puzzles
RPMs: crossword-editor crosswords crosswords-doc 
crosswords-puzzle-sets-cats-and-dogs crosswords-puzzle-sets-internal 
ipuz-convertor
Size: 65.55 MiB
Size change:  -422.50 KiB
Changelog:
  * Sat Mar 30 2024 Davide Cavalca  - 0.3.12-5
  - Package the thumbnailer in preparation for the next release


Package:  gnome-shell-extension-bubblemail-23-1.fc41
Old package:  gnome-shell-extension-bubblemail-21.1-3.fc40
Summary:  GNOME Shell indicator for new and unread mail using Bubblemail
RPMs: gnome-shell-extension-bubblemail
Size: 48.22 KiB
Size change:  147 B
Changelog:
  * Sat Mar 30 2024 Alexander Ploumistos  - 23-1
  - Update to v23 - compatible with GNOME 46


Package:  kvantum-1.1.0-1.fc41
Old package:  kvantum-1.0.10-5.fc40
Summary:  SVG-based theme engine for Qt, KDE and LXQt
RPMs: kvantum kvantum-data kvantum-qt5
Added RPMs:   kvantum-qt5
Dropped RPMs: kvantum-qt6
Size: 6.47 MiB
Size change:  64.24 KiB
Changelog:
  * Thu Mar 28 2024 Arthur Bols  - 1.1.0-1
  - Update to 1.1.0 (fedora#2269918)


Package:  libfabric-1.21.0-1.fc41
Old package:  libfabric-1.20.1-1.fc40
Summary:  Open Fabric Interfaces
RPMs: libfabric libfabric-devel
Size: 5.53 MiB
Size change:  -259.36 KiB
Changelog:
  * Sat Mar 30 2024 Orion

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Arthur Bols 

On 31/03/2024 10:58, Adam Williamson wrote:

1. We *still don't have compulsory 2FA for Fedora packagers*. We *still
don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
COMPULSORY 2FA FOR FEDORA PACKAGERS*.


This finally motivated me to enable 2fa for my Fedora acount...

An important note, the docs [0] should probably mention `fkinit -u 
`. It's much easier than using kinit.


[0]: https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit

--
Arthur Bols
fas/irc: principis
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Sandro 

On 31-03-2024 00:41, Kevin Fenzi wrote:

On Sat, Mar 30, 2024 at 11:12:02PM +0100, Sandro wrote:


 From what I understood, F40 Beta, the official Beta release, available from
the website as of March 26, has updates-testing disabled by default. That


Nope.


was confirmed by several people in #devel yesterday when the Fedora Magazine
article was still being worked on.


I am pretty sure I said the opposite...

nirik: Branched enables updates-testing... so if you installed f40 anytime, you 
will have it enabled and if you then applied updates it would be in them
nirik: yes, we disable updates-testing by default right before release.

I guess that could have been read as right before beta release, but
thats not the case or what I meant. ;)

It's before _Final_ release that we disable updates-testing.
It's enabled by default from when we branch the release off until the
time right before release when we switch it (usually with a freeze
break/blocker bug)


Thanks for clarifying that. Context matters and there was a lot going on 
in the channel at the time. My wording was to the extend covering 
composes before Beta was released. I used the the term "pre-Beta".


Good to know that the switch is made "pre-Final".


It's the RC composes that are made after branching and before Beta is
declared GO, that have updates-testing enabled by default. I was one of the
persons raising that point. I'm less certain wrt upgrades in the period
between branching and Beta release.


I think the confusion here is "Beta Release" vs "Final release".


Yup! I was thinking "Beta Release".


We enable updates-testing at branching time all the way until right
before "Final release". :)


If that is incorrect and Beta shipped with updates-testing enabled,
deliberately or by accident, then I stand corrected.


Yes, it did/does. :)

The logic is that most people who install betas or pre-releases want to
help test updates. If for some reason they don't, they can disable it,
but the default option is on.


That makes sense. I thought along the same lines as to why it is enabled 
by default right after branching.


Thanks also to @adamwill and @pbrobinson for further 
clarification/confirmation later on.


The following sentence in the magazine article:

"Fedora Linux 40 Beta users may have received it from the testing 
repositories, which are enabled by default in branched versions (i.e. 
pre-Beta) to assist with testing."


should probably be amended in the light of above. Though, most people 
affected probably took measures already and new installations won't be 
affected.


-- Sandro
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Miroslav Suchý 

Dne 31. 03. 24 v 10:58 dop. Adam Williamson napsal(a):

1. Westill don't have compulsory 2FA for Fedora packagers. We *still
don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
COMPULSORY 2FA FOR FEDORA PACKAGERS*.


Fair enough.

Let's do something about it: https://pagure.io/fesco/issue/3186


--
Miroslav Suchy, RHCA
Red Hat, Manager, Packit and CPT, #brno, #fedora-buildsys
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread François Rigault 
hi Zbyszek,
how did you review the corrupted journal files committed in systemd? Can you 
know for certain that they do not contain any backdoor or anything illegal or 
unlicensed?
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: Three steps we could take to make supply chain attacks a bit harder

2024-03-31 Thread Adam Williamson 
On Sat, 2024-03-30 at 09:37 +, Richard W.M. Jones wrote:
> I'm not pretending these will solve everything, but they should make
> attacks a little harder in future.

I don't disagree with Richard's list. However...more in regards to some
of the grandiose ideas in later posts than Richard's list...I think
we're in danger of building castles in the sky while not cleaning up
the poop in our backyard, here.

Before we start in on the grand fantasies about converting the world
off autotools or banning binaries in repos or centralized source depots
authenticated by a committee of Top People, can we remember:

1. We *still don't have compulsory 2FA for Fedora packagers*. We *still
don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
COMPULSORY 2FA FOR FEDORA PACKAGERS*.

2. Our process for vetting packagers is, let's face it, from a security
perspective almost *comically* patchy. There are 140 sponsors in the
packager FAS group. Any one of those people - or someone who
compromises any one of those 140 accounts - can grant any other person
on earth Fedora packager status. Our policy on how they should do this
is
https://docs.fedoraproject.org/en-US/package-maintainers/How_to_Sponsor_a_New_Contributor/#sponsoring_someone_for_fedora_package_collection
. The words "trust" and "identity" do not appear in it. There is,
AFAIK, no policy or procedure by which inactive sponsors have this
power removed. There is no mandatory 2FA policy for sponsors.

3. We have no mechanism to flag when J. Random Packager adds
"Supplements: glibc" to their random leaf node package. As a reminder,
*we are a project that allows 1,601 minimally-vetted people to deliver
arbitrary code executed as root on hundreds of thousands of systems*,
and this mechanism allows any one of those people to cause the package
they have complete control over to be automatically pulled in as a
dependency on virtually every single one of those systems.

4. Our main auth system was written years ago by someone who no longer
contributes and nobody is really actively maintaining it[0].

These are just the ones that leap to my tired mind at this moment. I'm
sure we can think of many more things we should probably look at before
we start pontificating (or, worse, lecturing) about how things should
be done upstream of us.

[0]: https://pagure.io/ipsilon/commits/master
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2271131] perl-Catalyst-Manual-5.9013 is available

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2271131

Emmanuel Seyman  changed:

   What|Removed |Added

 Resolution|--- |RAWHIDE
 Status|NEW |CLOSED
   Doc Type|--- |If docs needed, set a value
   Fixed In Version||perl-Catalyst-Manual-5.9013
   ||-1.fc41
Last Closed||2024-03-31 08:42:09



--- Comment #1 from Emmanuel Seyman  ---
Built for rawhide:
https://koji.fedoraproject.org/koji/buildinfo?buildID=2429200


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2271131

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202271131%23c1
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

[Bug 2271882] Upgrade perl-HTTP-Tinyish to 0.19

2024-03-31 Thread bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=2271882

Emmanuel Seyman  changed:

   What|Removed |Added

 Resolution|--- |RAWHIDE
 Status|NEW |CLOSED
   Fixed In Version||perl-HTTP-Tinyish-0.19-1.fc
   ||41
Last Closed||2024-03-31 08:41:29



--- Comment #1 from Emmanuel Seyman  ---
Built for rawhide:
https://koji.fedoraproject.org/koji/buildinfo?buildID=2429199


-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2271882

Report this comment as SPAM: 
https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla=report-spam_desc=Report%20of%20Bug%202271882%23c1
--
___
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Re: xz backdoor

2024-03-31 Thread Adam Williamson 
On Sat, 2024-03-30 at 16:41 -0700, Kevin Fenzi wrote:
> On Sat, Mar 30, 2024 at 11:12:02PM +0100, Sandro wrote:
> > 
> > From what I understood, F40 Beta, the official Beta release, available from
> > the website as of March 26, has updates-testing disabled by default. That
> 
> Nope. 
> 
> > was confirmed by several people in #devel yesterday when the Fedora Magazine
> > article was still being worked on.
> 
> I am pretty sure I said the opposite... 
> 
> nirik: Branched enables updates-testing... so if you installed f40 anytime, 
> you will have it enabled and if you then applied updates it would be in them
> nirik: yes, we disable updates-testing by default right before release.
> 
> I guess that could have been read as right before beta release, but
> thats not the case or what I meant. ;) 
> 
> It's before _Final_ release that we disable updates-testing.
> It's enabled by default from when we branch the release off until the
> time right before release when we switch it (usually with a freeze
> break/blocker bug)

Yes.

https://dl.fedoraproject.org/pub/alt/stage/40_Beta-1.10/Everything/x86_64/os/Packages/f/
contains fedora-repos-40-0.4.noarch.rpm . That is from fedora-repos-40-
0.4 . The Koji build for that is
https://koji.fedoraproject.org/koji/buildinfo?buildID=2411685 . It
records that the dist-git commit was
b0be9579a9b45a44bc2e30fbd7d5ef4a268f05a2 . Here is the dist-git repo at
that commit:
https://src.fedoraproject.org/rpms/fedora-repos/tree/b0be9579a9b45a44bc2e30fbd7d5ef4a268f05a2
. Note this line:
https://src.fedoraproject.org/rpms/fedora-repos/blob/b0be9579a9b45a44bc2e30fbd7d5ef4a268f05a2/f/fedora-repos.spec#_2
. QED. updates-testing is enabled by default in Fedora 40 Beta. This is
normal, intended, and expected.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue