Re: Draft Product Description for Fedora Workstation

2013-11-05 Thread Simo Sorce
On Wed, 2013-11-06 at 01:13 +0100, Kevin Kofler wrote: > Simo Sorce wrote: > > * and *ideally* I mean SELinux sandboxed with specific APIs that must > > be used to interact with the rest of the system, so that the application > > doesn't have free reign over users

Re: Draft Product Description for Fedora Workstation

2013-11-05 Thread Simo Sorce
whether you like what they are going to do with it or not. Simo. * and *ideally* I mean SELinux sandboxed with specific APIs that must be used to interact with the rest of the system, so that the application doesn't have free reign over users files. -- Simo Sorce * Red Hat, Inc * New York

Re: Fatal flaw in the udev paradigm?

2013-10-31 Thread Simo Sorce
ssumption these days. I use arduinos in my rare spare time, they are not modems, but they use serial ports. I think the majority of devices that use "serial" ports in the "makers" era are definitely not modems. Probably worth not considering them as such by default unless explicitly con

Re: SystemD service stop behavior

2013-10-23 Thread Simo Sorce
hould involve glusterfs people and explain what they are doing wrong. Simo. -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: BEAST to be patched in NSS

2013-10-16 Thread Simo Sorce
more secure default can do so by setting the environment variable > NSS_SSL_CBC_RANDOM_IV=0. > ... Packagers can also go and patch their software to opt out if they are sure that's what's needed for all their users. It is not solely in the hand of the users. Simo

Re: prelink performance gains

2013-10-16 Thread Simo Sorce
nsides are too big, perhaps *if* someone steps up and fixes all the bugs you pointed out in the bug you opened, then we should reconsider. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: prelink performance gains

2013-10-15 Thread Simo Sorce
On Tue, 2013-10-15 at 19:56 +0200, Jan Kratochvil wrote: > On Tue, 15 Oct 2013 19:50:44 +0200, Simo Sorce wrote: > > Many tools need to juggle the fact these binaries have been changed, and > > make checkers more complex and prone to faults. > > So let's build the whole

Re: prelink performance gains

2013-10-15 Thread Simo Sorce
and given the only advantage seems to be performance and it is lost in noise, I hardly see how the advantages are enough to justify using it these days. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: SSSD 1.11 and AD homeDirectory

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 15:26 -0500, Jeffrey Ollie wrote: > On Wed, Sep 11, 2013 at 3:07 PM, Simo Sorce wrote: > > > > Almost certainly you do not want a home directory backed by a cifs > > filesystem, however if you really do I suggest you configure autofs and > > cif

Re: Firewall blocking desktop features

2013-09-11 Thread Simo Sorce
is a process name and path > and it could be identified. It's also easy to maintain database of most > commonly used binaries and ports that they'd like to open/close. If you > don't trust binaries on your system it means it's already been > compromised and firewall is t

Re: SSSD 1.11 and AD homeDirectory

2013-09-11 Thread Simo Sorce
Directory attribute (and your windows admin properly populates it for each user). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Wider feedback requested on two changes to our base/core defaults

2013-09-09 Thread Simo Sorce
On Tue, 2013-09-10 at 00:35 +0200, Lennart Poettering wrote: > On Mon, 09.09.13 18:30, Simo Sorce (s...@redhat.com) wrote: > > > Kerberos and x509 both require FQDNs. > > It makes no sense to stick to short names for servers, and having a FQDN > > on a laptop does not

Re: Wider feedback requested on two changes to our base/core defaults

2013-09-09 Thread Simo Sorce
using it, and you know it because you wrote a nss module that can return automagically always 127.0.0.x for the machine hostname, regardless of DNS or /etc/hosts, so we do not really have an issue with resolving the machine own host name. So can you please stop breaking servers just to show

Re: COPR

2013-08-30 Thread Simo Sorce
On Fri, 2013-08-30 at 13:43 -0400, Simo Sorce wrote: > On Fri, 2013-08-30 at 11:39 +0200, Miroslav Suchý wrote: > > Hi, > > I would like to get your feedback about COPR [1] > > > > [1] > > http://miroslav.suchy.cz/blog/archives/2013/08/29/what_is_copr/index.html

Re: COPR

2013-08-30 Thread Simo Sorce
l, it already improves life of people that need to build packages for testing. About koji vs obs I have no real good opinion, whatever works best for the job. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: F20 release name election?

2013-08-23 Thread Simo Sorce
e release announcement, but I do not know what that could be. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Wider feedback requested on two changes to our base/core defaults

2013-08-21 Thread Simo Sorce
h by default ( which we arguably should not be > doing ) but the argument can be made in that regard that we leave the > users anyway open to bruteforce attacks out of the box without them even > knowing that it's happening so it comes as bit of security through > obscurity not allowing this in the first place. Sounds like a bad idea. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Default libkrb5 ccache location

2013-07-30 Thread Simo Sorce
On Tue, 2013-07-30 at 03:27 +0200, Lennart Poettering wrote: > On Mon, 29.07.13 21:11, Simo Sorce (s...@redhat.com) wrote: > > > On Tue, 2013-07-30 at 02:08 +0200, Lennart Poettering wrote: > > > On Mon, 29.07.13 23:56, David Woodhouse (dw...@infradead.org) wrote: > >

Re: Default libkrb5 ccache location

2013-07-29 Thread Simo Sorce
er-user and not per-machine. And how is this different than /run/kerberos in the end ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Does your application depend on, or report, free disk space? Re: F20 Self Contained Change: OS Installer Support for LVM Thin Provisioning

2013-07-29 Thread Simo Sorce
hard limit misbehaving apps that think they are at an all-you-can-eat buffet. Simo. > -- Simo Sorce * Red Hat, Inc * New York

Re: Default libkrb5 ccache location

2013-07-29 Thread Simo Sorce
On Mon, 2013-07-29 at 22:50 +0200, Lennart Poettering wrote: > On Fri, 26.07.13 10:48, Simo Sorce (s...@redhat.com) wrote: > > (Coming back to the original suggestion, now that the XDG_RUNTIME_DIR > thing is ruled out.) > > > Recently a number of bugs [1-5] have come up rega

Re: Default libkrb5 ccache location

2013-07-27 Thread Simo Sorce
en spawn child process helper which setuids to $UID and runs kerberos code which will create /run/user/$UID/krb5cc as needed as $UID. > If you create /run/user/$UID/krb5cc/ from privileged code then it is > very easy for unprivileged code to exploit that unless you are extra > careful. We try to be careful, feel free to review SSSD code and communicate any issue you may see in that area. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Default libkrb5 ccache location

2013-07-26 Thread Simo Sorce
> XDG_RUNTIME_DIR and nothing else. For example, in the longer run this > will also mean that the user may have user services running longer than > just during the login. I am not sure I understand what's the point here, but I do not think it is relevant. Simo. -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Default libkrb5 ccache location

2013-07-26 Thread Simo Sorce
if not we screwed only one subsystem and the damage is smaller. Simo. > -- > Tomas Mraz > No matter how far down the wrong road you've gone, turn back. > Turkish proverb > > > -- Simo Sorce * Red Hat, Inc * New York

Re: Default libkrb5 ccache location

2013-07-26 Thread Simo Sorce
On Fri, 2013-07-26 at 11:01 -0400, Stephen Gallagher wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 07/26/2013 10:48 AM, Simo Sorce wrote: > > Recently a number of bugs [1-5] have come up regarding the new > > default Kerberos Ccache location that we

Default libkrb5 ccache location

2013-07-26 Thread Simo Sorce
beros/user -- Simo Sorce * Red Hat, Inc * New York

Re: F20 System Wide Change: No Default Syslog

2013-07-16 Thread Simo Sorce
urnalctl we have a inconsistent behavior > > in any case *truncate* outputs is a absolutely no-go > > the ordinary user does not look at all this things and the > advanced which have a reason to look get stripped informations alias journalctl='journalctl --no-pager' and live happy Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: what is the F19 way to disable ipv6?

2013-07-15 Thread Simo Sorce
if ipv6 is enabled or not. Open a bug against the kernel if you think this is really an issue (I do not see what's the issue if ipv6 really is disabled those sockets are just harmless and will never be used). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Bad file access on the rise

2013-06-10 Thread Simo Sorce
and where creating > dirs at login doesn't solve anything, because any unprivileged user > could easily create dirs for all users and then make it impossible to > log in for them. All this makes me wonder, why are you using /dev/shm at all if it is so bad ? There are many other w

Re: Bad file access on the rise

2013-06-07 Thread Simo Sorce
On Fri, 2013-06-07 at 18:55 +0200, Lennart Poettering wrote: > On Fri, 07.06.13 12:42, Simo Sorce (s...@redhat.com) wrote: > > > On Fri, 2013-06-07 at 18:21 +0200, Lennart Poettering wrote: > > > On Fri, 07.06.13 12:09, Steve Grubb (sgr...@redhat.com) wrote: > > >

Re: Bad file access on the rise

2013-06-07 Thread Simo Sorce
(Also what is this, > anyway? of all people, you as a security guy should know what bad an > idea that is...) Sorry but what makes /dev/shm/pulse-shm-3756395503 more/less guessable than /dev/shm//pulse-shm-3756395503 ? > > There are ways to make this better if you are willing. :-) > > Well, or you could make audit better, if you are willing. Or you could actually listen. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Bad file access on the rise

2013-06-07 Thread Simo Sorce
> Shared memory on Linux is a mess. Not automatic clean up, no quota > limits, it's a sad story. If you care about security and reliability, it > would be great doing something about this, so that arbitrary users > cannot DoS the system this easily anymore... Any reason why the PID

Re: Call for Bikeshedding: remote auth at install time

2013-06-05 Thread Simo Sorce
On Wed, 2013-06-05 at 16:55 +0200, Stef Walter wrote: > On 04.06.2013 15:34, Simo Sorce wrote: > > On Tue, 2013-06-04 at 09:02 -0400, Stephen Gallagher wrote: > >> -BEGIN PGP SIGNED MESSAGE- > >> Hash: SHA1 > >> > >> On 06/03/2013 09:07 PM,

Re: Call for Bikeshedding: remote auth at install time

2013-06-04 Thread Simo Sorce
o create a > local user at all. CCing the RealmD maintainer for comment. Realmd is a good tool, but works only with Windows AD or FreeIPA. It is useless to configure against a classic directory and/or Kerberos server or NIS or things like that. Anaconda used to have authconfig integration, was it yanked on rewrite ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Call for Bikeshedding: remote auth at install time

2013-06-04 Thread Simo Sorce
I don't see it as a blocker issue. There is absolutely no problem configuring Kerberos at any time, no reboot required (I know very well, my team works with kerberos daily). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Call for Bikeshedding: remote auth at install time

2013-06-04 Thread Simo Sorce
rop to the console, login as root and configure the machine, then go back to GDM and login with the remote user. I prefer not to create a local user that may conflict (uid wise) with remote users. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Call for Bikeshedding: remote auth at install time

2013-06-04 Thread Simo Sorce
s only for a very limited set of cases, and afaik it does not configure the whole system. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Possible alternative behaviours for user creation at install time (was Re: anaconda / initial-setup / gnome-initial-setup: can we do this better?)

2013-05-21 Thread Simo Sorce
On Tue, 2013-05-21 at 19:14 -0400, Matthias Clasen wrote: > On Tue, 2013-05-21 at 17:22 -0400, Simo Sorce wrote: > > > If someone wants to make user creation mandatory I think they should > > first provide a working method to select external account providers in > > an

Re: Possible alternative behaviours for user creation at install time (was Re: anaconda / initial-setup / gnome-initial-setup: can we do this better?)

2013-05-21 Thread Simo Sorce
On Tue, 2013-05-21 at 14:09 -0700, Adam Williamson wrote: > On Tue, 2013-05-21 at 16:56 -0400, Simo Sorce wrote: > > > > The other 'mandate user creation' option would be simply to do it in > > > (interactive) anaconda, and tell people who want to do installs wit

Re: Possible alternative behaviours for user creation at install time (was Re: anaconda / initial-setup / gnome-initial-setup: can we do this better?)

2013-05-21 Thread Simo Sorce
hould that be mandated ? > It's very likely that the behaviour will differ somewhat between GNOME > and all the other desktops for F19. This kind of inconsistency could be > viewed as a bit of a pity, but I don't think it's a huge practical > problem, and it may be that we can't get GNOME and the distro as a whole > to agree on whether user creation should be mandatory. It's unclear to me why Gnome should mandate user creation at all, since when Gnome is the OS Identity Management system/enforcer ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Keeping old versions of packages

2013-04-09 Thread Simo Sorce
ill be a peak workload > a few days before the flag day to try and get things in now, instead > of needing to wait a month. Having such peak workloads is not a good > idea in general, and esp. not with volunteers. Can't they get them from updates-testing if they need a fix "right now" ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: fedora release name problem

2013-03-19 Thread Simo Sorce
> new release name is only applied in the tree at branch time. > > Several > > > people were using Rawhide considerably in advance of branching - > > > including myself - and the problems showed up right when we branched > > and > > > the new fedora-re

Re: Improving the Fedora boot experience

2013-03-13 Thread Simo Sorce
to get work done ? An obviously caring about appearance as well as functionality or as a compromise is wrong, right ? Simo. [1] http://3.bp.blogspot.com/-PWiGSr3ymuw/TpnXBp-z0VI/D34/mMosookklVY/s1600/workclothes-01.jpg -- Simo Sorce * Red Hat, Inc * New York

Re: Improving the Fedora boot experience

2013-03-13 Thread Simo Sorce
On Wed, 2013-03-13 at 10:16 +0100, Reindl Harald wrote: > > Am 13.03.2013 02:54, schrieb Simo Sorce: > > On Tue, 2013-03-12 at 23:23 +0100, Reindl Harald wrote: > >> > >> Am 12.03.2013 23:13, schrieb Simo Sorce: > >>> On Tue, 2013-03-12 at 22:37 +0

Re: Improving the Fedora boot experience

2013-03-12 Thread Simo Sorce
On Tue, 2013-03-12 at 23:23 +0100, Reindl Harald wrote: > > Am 12.03.2013 23:13, schrieb Simo Sorce: > > On Tue, 2013-03-12 at 22:37 +0100, Reindl Harald wrote: > >> > >> Am 12.03.2013 22:34, schrieb Simo Sorce: > >>> I reboot VMs a lot for d

Re: Improving the Fedora boot experience

2013-03-12 Thread Simo Sorce
On Tue, 2013-03-12 at 22:37 +0100, Reindl Harald wrote: > > Am 12.03.2013 22:34, schrieb Simo Sorce: > > I reboot VMs a lot for development, 2 seconds do make a difference > > Bruhahaha > > 100 reboots = 200 seconds = 3.3 Minutes more for 100 reboots > well, i boot

Re: Improving the Fedora boot experience

2013-03-12 Thread Simo Sorce
cup a coffee! > > You keep touting window 8 - maybe you should just use it and leave > Linux alone! I reboot VMs a lot for development, 2 seconds do make a difference, it's a little thing but 99% of the time I do not care about what is shown, just that the machine is back up as fast as possible. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Command line arguments depend on locale

2013-01-31 Thread Simo Sorce
document that the -i argument takes an interval using C locale and not do locale dependent parsing. It would be much more robust and if you are good enough to use the -i switch you probably know how to type 0.1 instead of 0,1 (or whatever format is in your locale) as well. Simo. -- Simo Sorce *

Re: Proposed F19 Feature: New firstboot

2013-01-29 Thread Simo Sorce
d > starting puppet. When I install a freeipa server I do not want firstboot because I am not going to create local users anyway. I am going to install freeipa and then create users in LDAP. So far I just skipped firstboot by using tricks, like telling it I was going to configure a network server and then just canceling. But it would be nicer if I could simply skip it. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Proposed F19 Feature: Dracut HostOnly

2013-01-29 Thread Simo Sorce
On Tue, 2013-01-29 at 13:45 -0500, Daniel J Walsh wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 01/29/2013 01:34 PM, Simo Sorce wrote: > > On Tue, 2013-01-29 at 13:28 -0500, Daniel J Walsh wrote: > >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >

Re: Proposed F19 Feature: Dracut HostOnly

2013-01-29 Thread Simo Sorce
les on the system you could remove the /.autorelabel file and boot > without a relabel. Can we have a relabel mode that just searches only files changed after a specific date ? If we stored the time of last "good" shutdown somewhere it would mean we might be able to relabel only a m

Re: Re:

2013-01-29 Thread Simo Sorce
On Tue, 2013-01-29 at 15:55 +, Bryn M. Reeves wrote: > On 01/29/2013 03:45 PM, Simo Sorce wrote: > > I guess it was in the short while I switched to Ubuntu, because from my > > memory I used to change hardware on my machines and always be extremely > > happy at how L

Re: Re:

2013-01-29 Thread Simo Sorce
On Tue, 2013-01-29 at 15:34 +, Bryn M. Reeves wrote: > On 01/29/2013 03:24 PM, Simo Sorce wrote: > > Wow this brings me back to Windows 95/XP antifeatures where changing > > hardware even a little bit strands you to not be able to boot and having > > to go to rescue mode.

Re: Re:

2013-01-29 Thread Simo Sorce
nyway. And every time you need to remove a kernel you have to regenerate the full rescue system anyway, so every now and again you'll need to do this. If rebuilding is an issue, wouldn't it make sense to pre-generate the rescue initramfs at kernel build time ? Does it real

Re: Proposed F19 Feature: Fedora Upgrade - using yum

2013-01-25 Thread Simo Sorce
On Fri, 2013-01-25 at 21:57 +, Matthew Garrett wrote: > On Fri, Jan 25, 2013 at 03:51:14PM -0500, Frank Ch. Eigler wrote: > > Simo Sorce writes: > > > > > [...] B) I will *not* trust an update system that cuts me out of my > > > remote server and make me *ho

Re: Proposed F19 Feature: Fedora Upgrade - using yum

2013-01-25 Thread Simo Sorce
Reinstalling whole system after > > each release will be super painful. > > > > ? > > Keep your server configuration in git and keep the relevant data on > separated partition then reinstall and checkout the config(s) Why should I do all this when I can simply apt-get upgrade^W^Wyum upgrade ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Proposed F19 Feature: Fedora Upgrade - using yum

2013-01-25 Thread Simo Sorce
On Fri, 2013-01-25 at 19:20 +0100, Lennart Poettering wrote: > On Fri, 25.01.13 08:58, Simo Sorce (s...@redhat.com) wrote: > > > On Fri, 2013-01-25 at 05:42 +, Matthew Garrett wrote: > > > On Thu, Jan 24, 2013 at 11:46:24PM -0500, Simo Sorce wrote: > > > > >

Re: Proposed F19 Feature: Fedora Upgrade - using yum

2013-01-25 Thread Simo Sorce
On Fri, 2013-01-25 at 05:42 +, Matthew Garrett wrote: > On Thu, Jan 24, 2013 at 11:46:24PM -0500, Simo Sorce wrote: > > > We are all grown up enough to decide for our own, just give the > > information and let the admin take care of that. > > Well, that's t

Re: Proposed F19 Feature: Fedora Upgrade - using yum

2013-01-24 Thread Simo Sorce
On Fri, 2013-01-25 at 04:46 +0100, Lennart Poettering wrote: > On Thu, 24.01.13 21:15, Simo Sorce (s...@redhat.com) wrote: > > > On Fri, 2013-01-25 at 00:12 +0100, Lennart Poettering wrote: > > > I mean, here's an example: let's say openssl is updated, which is >

Re: Proposed F19 Feature: Fedora Upgrade - using yum

2013-01-24 Thread Simo Sorce
hat you can upgrade SSSD and its dependencies and even change sssd's configuration w/o having to restart applications. So I would remove the nsswitch problem, for the most part (we still have some nsswitch things sssd does not handle like hostname resolution, but we may take that over a

Re: Adding asynchronous name resolution to GlibC (was: Reproposed F19 Feature: Fix Network Name Resolution)

2013-01-18 Thread Simo Sorce
> > > > --; > > > I think you have a good point, but adding every imaginable feature into > glibc is not really a good solution. Maybe glib is a better place for > these kinds of functions? It really depends on what is the audience. A lot of software doesn't link to glib and will not link to this huge lib just for 2 functions. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Proposed F19 Feature: BIND10 - next generation of the popular BIND9 DNS server rewritten from scratch

2013-01-16 Thread Simo Sorce
tely different, management is completely different > etc... > People definitely need some time for testing and transition to bind10. It is not only a matter of configuration, is bind10 going to be pluggable ? FreeIPA with bind-dynd-ldap depends on bind9 and will require some major work

Re: Proposed F19 Feature: BIND10 - next generation of the popular BIND9 DNS server rewritten from scratch

2013-01-16 Thread Simo Sorce
. > Is there a reason to keep both versions around in a way we didn't with > other bind major upgrades? Bind 10 is a completely new project. Shares no code nor anything with bind 9, they could as well have changed name to avoid confusion but they did not. It will take quite a while befo

Re: Something is killing my Koji build

2013-01-12 Thread Simo Sorce
rnings getting missed. In fact, I dislike even the fact that we're > required to use verbose mode for package builds, exactly for that reason. It > makes build.log a lot larger (multiple MiB!) and a lot less useful. +1 verbose mode should be used only when debugging a build priva

Re: F18 Samba4 feature - update from Samba3

2012-12-18 Thread Simo Sorce
them you'll need to decide what to do. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: fedup: does not verify source

2012-12-16 Thread Simo Sorce
issue with policykit (on both machines) where it wouldn't work and slow down login and many other operations resolved simply with 'yum reinstall PolicyKit' -- Simo Sorce * Red Hat, Inc * New York

Re: Where are we going? (Not a rant)

2012-12-07 Thread Simo Sorce
On Fri, 2012-12-07 at 18:13 +, "Jóhann B. Guðmundsson" wrote: > On 12/07/2012 04:59 PM, Simo Sorce wrote: > > On Fri, 2012-12-07 at 16:47 +, "Jóhann B. Guðmundsson" wrote: > >> On 12/07/2012 03:51 PM, David Woodhouse wrote: > >>> On

Re: Where are we going? (Not a rant)

2012-12-07 Thread Simo Sorce
omised and become a proxy to compromise the projects you are working on. If you choose to stay on an older machine you should at least install an OS that gets security updates for a lot longer. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: What would it take to make Software Collections work in Fedora?

2012-12-06 Thread Simo Sorce
that the SCL will be confined in its own 'root' so they will not conflict ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: What would it take to make Software Collections work in Fedora?

2012-12-05 Thread Simo Sorce
On Wed, 2012-12-05 at 16:09 -0700, Stephen John Smoogen wrote: > On 5 December 2012 15:56, Simo Sorce wrote: > > On Wed, 2012-12-05 at 15:47 -0700, Stephen John Smoogen wrote: > >> Would that not cause a combinatoric nightmare with having to make sure > >> you had a li

Re: What would it take to make Software Collections work in Fedora?

2012-12-05 Thread Simo Sorce
ct version that is 'known to work'. It would be really nice to be able to do this in Fedora land. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: What would it take to make Software Collections work in Fedora?

2012-12-05 Thread Simo Sorce
On Wed, 2012-12-05 at 15:14 -0700, Stephen John Smoogen wrote: > On 5 December 2012 15:07, Simo Sorce wrote: > > On Wed, 2012-12-05 at 16:10 -0500, Matthew Miller wrote: > >> On Wed, Dec 05, 2012 at 04:06:38PM -0500, Bill Nottingham wrote: > >> > > 1) Fedora is

Re: What would it take to make Software Collections work in Fedora?

2012-12-05 Thread Simo Sorce
es can be verified or you accept multiple rpms in the repo and the fact some deps may hold back security updates. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Resurrecting deprecated system-config-network package for the time being

2012-11-26 Thread Simo Sorce
tools) fill the gaps. I plan to rip out or otherwise disable the GUI > side, and merge the -tui subpackage back into the main package. That would be nice. Thanks. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: remove polkit from core?

2012-11-14 Thread Simo Sorce
etter argument. > So, PK's usecase is a valid and an important one. You cannot replace > that by Unix groups. You might say that it would be difficult or inconvenient, but it can be replaced if you really want to. Whether it would make sense to try is a different story ... Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Rolling release model philosophy (was Re: Anaconda is totally trashing the F18 schedule (was Re: f18: how to install into a LVM partitions (or RAID)))

2012-11-05 Thread Simo Sorce
On Sun, 2012-11-04 at 19:47 +0200, Alek Paunov wrote: > On 04.11.2012 19:25, Simo Sorce wrote: > > > note that this is "also" our strength in some respect because it allows > > the system to evolve a lot more quickly, but it also means upgrades are > > Indeed.

Re: Rolling release model philosophy (was Re: Anaconda is totally trashing the F18 schedule (was Re: f18: how to install into a LVM partitions (or RAID)))

2012-11-04 Thread Simo Sorce
y notice we do not have many 3rd party vendors, I think ABI instability is reason number, 1, 2 and 3 of why we can't have reliable third parties with a community built OS. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Rolling release model philosophy (was Re: Anaconda is totally trashing the F18 schedule (was Re: f18: how to install into a LVM partitions (or RAID)))

2012-11-04 Thread Simo Sorce
although they *do* do their damn best to make sure they don't break most important stuff. (By simply not changing interfaces, ABIs, or adding compatibility libraries in the system). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Rolling release model philosophy (was Re: Anaconda is totally trashing the F18 schedule (was Re: f18: how to install into a LVM partitions (or RAID)))

2012-11-02 Thread Simo Sorce
un much smoother than one big change at once where you go from pkg release N-10 to N Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Rolling release model philosophy (was Re: Anaconda is totally trashing the F18 schedule (was Re: f18: how to install into a LVM partitions (or RAID)))

2012-11-02 Thread Simo Sorce
er to deliver the good things we already > currently deliver. +1 really > Anyway, I think the point is mashed into the ground by now, so I'll > stop. My proposal is more about trying to get people thinking at a > fundamental level than it is necessarily something I actually expe

Re: Rolling release model philosophy (was Re: Anaconda is totally trashing the F18 schedule (was Re: f18: how to install into a LVM partitions (or RAID)))

2012-11-02 Thread Simo Sorce
eally only critical bugfixes I think a lot of people would be happy to run on a 'stable' release that really is just a frozen development release that had a month or two of stabilization (just like we do now) and then is left mostly untouched. > > So things aren't per

Re: What are reasonable blockers for making journald the default logger in F19?

2012-10-17 Thread Simo Sorce
On Wed, 2012-10-17 at 18:20 -0400, Andrew Schultz wrote: > Simo Sorce wrote: > > All very nice, but the current situation is that this info *is* sent to > > the log. > > So I applaud if you want to go and fix applications, in the meanwhile we > > cannot relax security ar

Re: F18 users unable to log in due to cached nsswitch.conf

2012-10-17 Thread Simo Sorce
On Wed, 2012-10-17 at 14:31 -0600, Jeff Law wrote: > On 10/17/2012 02:26 PM, Simo Sorce wrote: > > On Wed, 2012-10-17 at 14:12 -0600, Jeff Law wrote: > >> On 10/17/2012 11:07 AM, Simo Sorce wrote: > >>> > >>> Personally I do not like the nss_init() c

Re: F18 users unable to log in due to cached nsswitch.conf

2012-10-17 Thread Simo Sorce
On Wed, 2012-10-17 at 14:12 -0600, Jeff Law wrote: > On 10/17/2012 11:07 AM, Simo Sorce wrote: > > > > Personally I do not like the nss_init() calls, it will just make it even > > more difficult to diagnose 'heisenbugs' when some apps start doing it, > > s

Re: What are reasonable blockers for making journald the default logger in F19?

2012-10-17 Thread Simo Sorce
regression. And I'm having trouble thinking of other > information that is super-private (should only be seen by root) and useful. All very nice, but the current situation is that this info *is* sent to the log. So I applaud if you want to go and fix applications, in the meanwhile we cannot relax security around that log IMO. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: What are reasonable blockers for making journald the default logger in F19?

2012-10-17 Thread Simo Sorce
On Wed, 2012-10-17 at 20:39 +0200, Lennart Poettering wrote: > On Wed, 17.10.12 12:58, Simo Sorce (s...@redhat.com) wrote: > > > On Wed, 2012-10-17 at 17:45 +0200, Lennart Poettering wrote: > > > On Wed, 17.10.12 10:44, Matthew Miller (mat...@fedoraproject.org) wrote: > &

Re: F18 users unable to log in due to cached nsswitch.conf

2012-10-17 Thread Simo Sorce
ld rather have glibc do it automatically with rate limiting. Like no more than once every 3 minutes do a stat on one of the getent calls and reload if necessary, still this would be thousands of unnecessary (vs 0 necessary) stat() calls every day, not the best solution. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: F18 users unable to log in due to cached nsswitch.conf

2012-10-17 Thread Simo Sorce
so far. Stef can you open a ticket so we discuss and consider whether to do it ? This will take time however, in the meanwhile it would be really nice if we could do it the simple way by just adding sss by default until a better solution is found. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: What are reasonable blockers for making journald the default logger in F19?

2012-10-17 Thread Simo Sorce
ar/log/messages written with a (syslog-formatted?) note pointing > >to journalctl (maybe even showing the new time-based filtering?) > > I'd much prefer adding /var/log/README instead, in order not to confuse > tools which assume a properly formatted log file in /var/log/messages. Good enough I guess. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: F18 users unable to log in due to cached nsswitch.conf

2012-10-17 Thread Simo Sorce
On Wed, 2012-10-17 at 11:21 -0400, Simo Sorce wrote: > On Wed, 2012-10-17 at 17:17 +0200, Stef Walter wrote: > > In Fedora 17 and 18 we have a problem where remote users are unable to > > log in until the machine has been rebooted. This used to work > > previously. To fix

Re: F18 users unable to log in due to cached nsswitch.conf

2012-10-17 Thread Simo Sorce
; # pamtester zapp authenticate # type password, should succeed > > * Now go to gdm by logging out or switch user. > * Try to log in as zapp. > * Hang. > * Reboot > * Try to log in as zapp. > * Success > > > TRACKER BUG: https://bugzilla.redhat.com/show_bug.cgi?id=867473 > >

Re: What are reasonable blockers for making journald the default logger in F19?

2012-10-17 Thread Simo Sorce
's fancy > features. > > Are these reasonable? Are there other important things I'm missing? The plan sounds very reasonable in general. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-10 Thread Simo Sorce
y be a policy execution engine for (rather exotic) > requirements like "crash the box if the message does not go to disk". It seems your intention is to make the journal so much better that it will be the preferred choice (and indeed the default). So make it really better and support time

Re: systemd requires HTTP server and serves QR codes

2012-10-10 Thread Simo Sorce
us, so we made it the default in > systemd, too. Except this is a regression in the security model IMHO. Note I am not saying it must not be done, but I want to understand if there is any value on it or you just picked it 'because Debian'. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Simo Sorce
On Tue, 2012-10-09 at 22:33 -0400, Matthew Miller wrote: > On Tue, Oct 09, 2012 at 10:30:38PM -0400, Simo Sorce wrote: > > Oh come on, stop bashing unix, logrotate could certainly grow a size > > checking policy if people felt the need, unix is not holding you back, > > in

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Simo Sorce
very good reasons. > > Yeah, because Unix doesn't really allow much else... > Oh come on, stop bashing unix, logrotate could certainly grow a size checking policy if people felt the need, unix is not holding you back, in fact you are building this stuff on a unix-like sys

Re: systemd requires HTTP server and serves QR codes

2012-10-09 Thread Simo Sorce
ackage would have to > split out a -docs subpackage with all the docs in it. Anaconda /might/ > do what you want in the future, by way of kickstart commands, but that's > not something we're going to expose in the UI. Can't you just reinstall a package without the nod

Re: replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]

2012-10-09 Thread Simo Sorce
icy may make sense on space-constrained configuration but in any other system they make little sense, and log compression on rotation is all you really need (lots of repetitions in the logs allow big gains when compressing). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: systemd requires HTTP server and serves QR codes

2012-10-09 Thread Simo Sorce
On Tue, 2012-10-09 at 20:34 +0200, Lennart Poettering wrote: > On Tue, 09.10.12 14:26, Simo Sorce (s...@redhat.com) wrote: > > > On Tue, 2012-10-09 at 20:17 +0200, Lennart Poettering wrote: > > > > Could we make that a default on Fedora in addition to adm? (I assume >

Re: systemd requires HTTP server and serves QR codes

2012-10-09 Thread Simo Sorce
What's the point of 2 different groups ? We have filesystem permissions to determine what a user/group can do, plus we have selinux on top to enforce in a different way some of these policies. What does 2 different groups give you besides confusion ? Simo. -- Simo Sorce * Red Hat, Inc * New
