Re: Another bug on OpenSSL

2014-06-08 Thread Paul Wouters
On Sun, 8 Jun 2014, Tomasz Torcz wrote: On Sun, Jun 08, 2014 at 12:21:08PM -0400, Paul wrote: That bug was not found by the rampaging libressl people either. Perhaps moving from OpenSSL to NSS would be better if you are that worried about OpenSSL bugs? We've tried that:

Re: F21 System Wide Change: Default Local DNS Resolver

2014-04-30 Thread Paul Wouters
On Wed, 30 Apr 2014, Robert Marcano wrote: What about domain and search lines? If NetworkManager will always use 127.0.0.1, it should still modify resolv.conf with the domain name received from DHCP That's actually not always correct from a security point of view. If you set your system do

Re: F21 System Wide Change: Default Local DNS Resolver

2014-04-30 Thread Paul Wouters
On Wed, 30 Apr 2014, Dan Williams wrote: Untrusted networks use WPA too, like coffee shops that don't leave the network open, but write the WPA key on the chalkboard menu or print it on standup cards at the tables. I've seen quite a few of these. You are at least consciously logging into

Re: F21 System Wide Change: Default Local DNS Resolver

2014-04-30 Thread Paul Wouters
On Wed, 30 Apr 2014, Simo Sorce wrote: Why would you care for the domain name as provided by dhcp ? internal DNS views, eg server.internal.corp.com where the search domain gets set to internal.corp.com and server.corp.com does not exist. By default you wouldn't want that as you roam with a

Re: F21 System Wide Change: Default Local DNS Resolver

2014-04-29 Thread Paul Wouters
On Tue, 29 Apr 2014, P J P wrote: Similarly, what do we tell users who used to edit /etc/resolv.conf to do in the new system? We tell users to never edit the '/etc/resolv.conf' file and ensure that the local resolver is listening at 127.0.0.1:53. We should leave a comment in resolv.conf

local dns server and flushing negative cache

2014-04-29 Thread Paul Wouters
To: Paul Wouters p...@nohats.ca Subject: Re: https://bugzilla.redhat.com/show_bug.cgi?id=1089767 Hoi Paul, On 04/22/2014 03:57 AM, Paul Wouters wrote: https://bugzilla.redhat.com/show_bug.cgi?id=1089767 See discussion. It would be good to have

Re: Deprecate setjmp/longjmp? [was Re: Maybe it's time to get rid of tcpwrappers/tcpd?]

2014-04-28 Thread Paul Wouters
On Mon, 28 Apr 2014, Adam Jackson wrote: A completely arbitrary datapoint: dmt:~% file /lib64/* | grep ELF.*shared | cut -f 1 -d : | xargs nm -aDu | grep -c setjmp 79 At a minimum you'd have to rewrite freetype, have fun with that. I'm happy for libreswan/openswan to not use it, if someone

Re: default local DNS failover solution needed, nscd?

2014-04-28 Thread Paul Wouters
On Mon, 28 Apr 2014, Marcelo Ricardo Leitner wrote: Speaking of which, I am not sure how dnsmasq plays with DNSSEC and/or failover, but NetworkManager already has a config option (/etc/NetworkManager/NetworkManager.conf, dns=dnsmasq) that makes it configure a local dnsmasq instance on

Re: Automatically generated configuration files

2014-04-24 Thread Paul Wouters
On Thu, 24 Apr 2014, Florian Weimer wrote: I'm working on advice on automated X.509 certificate generation during package installation. I would strongly recommend doing it on first service start. I've lived through the FreeS/WAN times and my experience with it for 15+ years caused us (in

Re: Automatically generated configuration files

2014-04-24 Thread Paul Wouters
On Thu, 24 Apr 2014, Florian Weimer wrote: I don't think openssl genrsa 2048 has this issue on today's machines. (I know I saw it with GNUTLS.) I was sceptical, so I tried this on a freshly booted VM: root@bofh:~# virsh start north Domain north started root@bofh:~# ssh root@north Last

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Paul Wouters
On Thu, 17 Apr 2014, Daniel J Walsh wrote: Didn't mean to accuse you of saying that. I do like the idea of asking if you are on a trusted network. For DNS issues we have similar issues. A sane default seems to be that if you plugin a cable or you enter wifi WPA(2) details, you are trusting

Re: default local DNS caching name server

2014-04-14 Thread Paul Wouters
On Mon, 14 Apr 2014, William Brown wrote: This seems like a sane(ish) method of doing this. What happens if the hotspot page is down? Why not use a mirror-like setup with yum where you try 2 or 3 mirrors and if they fail then you declare it to be a portal? It has multiple A records matching

Re: default local DNS caching name server

2014-04-14 Thread Paul Wouters
On Mon, 14 Apr 2014, Dan Williams wrote: But another scenario I've seen: older Netgear routers which intercept www.routerlogin.net as the setup page. The instructions literally are: 1) connect your computer to the router with a cable 2) go to www.routerlogin.net 3) follow the setup guide

Re: default local DNS caching name server

2014-04-14 Thread Paul Wouters
On Tue, 15 Apr 2014, William Brown wrote: How do you setup DNS over TLS? Unbound has this capability already built in. unbound-control activates it (currently via dnssec-triggerd, in the future via NM) using the keywords tcp-upstream or ssl-upstream. I meant for say bind, but okay. bind

Re: default local DNS caching name server

2014-04-14 Thread Paul Wouters
On Mon, 14 Apr 2014, Dan Williams wrote: Ok, that could be a problem. This is a user setting up wifi on a router they just bought, so it has no upstream connection yet, is not yet configured at all, and they are just following the directions in the printed brochure they got with the router.

Re: default local DNS caching name server

2014-04-14 Thread Paul Wouters
On Mon, 14 Apr 2014, Juan Orti Alcaine wrote: One thing I would like to note is that in machines which don't have a hardware clock, I had problems starting bind and unbound, because the date was back to 1970 in each boot, so the root dns key was not yet valid and there were no valid dns

Re: default local DNS caching name server

2014-04-13 Thread Paul Wouters
On Sun, 13 Apr 2014, William Brown wrote: Yes. It depends on the trustworthiness of the network and or preconfiguration of some of your own networks you join. Not really: Every network you join, you have to semi-trust. If you don't trust it, why did you join it? You don't always control

Re: default local DNS caching name server

2014-04-13 Thread Paul Wouters
On Sun, 13 Apr 2014, William Brown wrote: PS: It also seemed like the proposal was to *bypass* the networks provided forwarders from DHCP. This *is* a serious issue if it's the case. We only bypass DHCP provided forwarders that are broken. We actually WANT to use them as much as possible,

Re: default local DNS caching name server

2014-04-13 Thread Paul Wouters
On Sun, 13 Apr 2014, Richard W.M. Jones wrote: So you've gone out of your way to run a daemon but prevent it from working as configured, instead of just reconfiguring it to do what you need. I have to go out of my way to *stop* NetworkManager from running and to configure a fixed IP address.

Re: default local DNS caching name server

2014-04-13 Thread Paul Wouters
On Mon, 14 Apr 2014, William Brown wrote: What is a captivity-sign as you so put it? Check for clean port 80. It fetches the url specified in dnssec-triggerd.conf's url: option (default http://fedoraproject.org/static/hotspot.txt) If it returns a redirect or a page that does not contain the

Re: default local DNS caching name server

2014-04-12 Thread Paul Wouters
On Sat, 12 Apr 2014, William Brown wrote: I should clarify. I cache the record foo.work.com from the office, and it resolves differently externally. When I go home, it no longer resolves to the external IP as I'm using the internally acquired record from cache. This currently works for the

Re: default local DNS caching name server

2014-04-12 Thread Paul Wouters
On Sat, 12 Apr 2014, Reindl Harald wrote: a DNS server doing recursion doesn't ask any forwarder That's wrong. a DNS server can use a forwarder for some or all of its recursive queries. unbound+dnssec-triggerd mostly cause unbound to do full recursion but using the ISP nameserver as forward

Re: default local DNS caching name server

2014-04-12 Thread Paul Wouters
On Sat, 12 Apr 2014, Chuck Anderson wrote: I'm proposing that /etc/resolv.conf is never re-written under any circumstances. A local caching resolver should ALWAYS be used and resolv.conf should ALWAYS say: nameserver 127.0.0.1 Cheers. That's a goal I share with you, but... All the magic

Re: default local DNS caching name server

2014-04-12 Thread Paul Wouters
On Sat, 12 Apr 2014, Chuck Anderson wrote: I don't disagree that there is lots of broken DNS out there. But realistically, we still need to default to using the DHCP-provided DNS servers as forwarders because there are unfortunately lots of circumstances where this is required to resolve

Re: default local DNS caching name server

2014-04-12 Thread Paul Wouters
On Sat, 12 Apr 2014, Reindl Harald wrote: we should not do anything - because we don't have a clue about the network of the enduser We know and handle a lot more than you think already using unbound with dnssec-trigger and VPNs. Why don't you give it a shot and give us some feedback on how it

Re: default local DNS caching name server

2014-04-12 Thread Paul Wouters
On Sat, 12 Apr 2014, Reindl Harald wrote: That's wrong. a DNS server can use a forwarder for some or all of its recursive queries. unbound+dnssec-triggerd mostly cause unbound to do full recursion but using the ISP nameserver as forward for all queries. oh no - please try to understand what

Re: default local DNS caching name server

2014-04-12 Thread Paul Wouters
On Sat, 12 Apr 2014, Richard W.M. Jones wrote: chattr +i /etc/resolv.conf That is the trick currently used by dnssec-triggerd to prevent other applications from messing with that file. Oh crap, that means I'm going to need a really really don't touch this file flag, perhaps a one-way flag

Re: default local DNS caching name server

2014-04-12 Thread Paul Wouters
On Sat, 12 Apr 2014, Chuck Anderson wrote: Okay, so here is where you and I differ then. We need a solution to run everywhere, on every system, in every use case. Sounds like wanting ponies? Obviously I fully agree with a solution that works everywhere, all the time, for everyone, however

Re: default local DNS caching name server

2014-04-12 Thread Paul Wouters
On Sun, 13 Apr 2014, William Brown wrote: Now can we go back to actually discussion technical arguments again? Actually no. This whole thread has forgotten one major thing ... use cases. That was in response to someone using appeal of authority statements, not factual discussions.

Re: default local DNS caching name server

2014-04-11 Thread Paul Wouters
On Fri, 11 Apr 2014, Dan Williams wrote: That's great. Thank you so much for sharing this information. I'll add it to the wiki page. About the wifi hotspots breakage, I'm still not in the clear. IIUC how they work is, all client traffic is blocked/redirected to a designated server till

Re: default local DNS caching name server

2014-04-11 Thread Paul Wouters
On Fri, 11 Apr 2014, Przemek Klosowski wrote: On 04/11/2014 03:14 PM, P J P wrote: On Saturday, 12 April 2014 12:40 AM, Bruno Wolff III wrote: It looks like your proposal is going to break things for people using some wifi hotspots. Why, how? It's a hack designed to handle someone that

Re: default local DNS caching name server

2014-04-11 Thread Paul Wouters
On Fri, 11 Apr 2014, Chris Adams wrote: Unless you have a specific reason not to, you should use the DNS server from DHCP. My specific reason is that I don't trust random strangers. That may be the only DNS server that will work, there may be private DNS info not available anywhere else,

Re: default local DNS caching name server

2014-04-11 Thread Paul Wouters
On Fri, 11 Apr 2014, Bruno Wolff III wrote: If you are running a caching resolver you don't need the DNS information from DHCP (except for the hotspot issue) at all. For example, dnscache can be used for this. (It doesn't do dnssec though, so wouldn't provide what is wanted for the

Re: default local DNS caching name server

2014-04-11 Thread Paul Wouters
On Fri, 11 Apr 2014, Bruno Wolff III wrote: Unless you have a specific reason not to, you should use the DNS server from DHCP. That may be the only DNS server that will work, there may be private DNS info not available anywhere else, etc. Split horizon should still work with a caching

Re: default local DNS caching name server

2014-04-11 Thread Paul Wouters
On Fri, 11 Apr 2014, Chris Adams wrote: Once upon a time, Bruno Wolff III br...@wolff.to said: The advantage of using your dns server is that you know what you're getting. You'll also lose almost all content-delivery network advantages (most of that is mapped to close servers with DNS).

Re: default local DNS caching name server

2014-04-11 Thread Paul Wouters
On Fri, 11 Apr 2014, Bruno Wolff III wrote: I'm not sure what you are trying to say here. It was a comment about ISPs changing TTLs (or other things). DNSSEC can be used to tell you the data might not be authoritative, but doesn't tell you what the correct information is. First, TTLs you

Re: default local DNS caching name server

2014-04-11 Thread Paul Wouters
On Fri, 11 Apr 2014, Bruno Wolff III wrote: Second, I still don't understand the point. Are you suggesting it is better to believe all DNS lies than to not know where the lies lead? Not better. That DNSSEC doesn't really solve everything one might want it to. And hence one might want to avoid

Re: default local DNS caching name server

2014-04-11 Thread Paul Wouters
On Fri, 11 Apr 2014, Simo Sorce wrote: I hope the NM integration will show up at some point. It's really a pretty nice setup. I am using it too successfully. Only occasionally unbound seems to get confused, not clear when, it doesn't happen more than twice a month and systemctl restart

Re: default local DNS caching name server

2014-04-10 Thread Paul Wouters
On Thu, 10 Apr 2014, Chuck Anderson wrote: Yesterday, a new version of dnsmasq was released [2] that adds full DNSSEC support and provides an alternative to unbound which dnssec-trigger requires. There has also been great work done to solve the NTP/DNSSEC bootstrap problem [3]. What options

Re: default local DNS caching name server

2014-04-10 Thread Paul Wouters
On Thu, 10 Apr 2014, Billy Crook wrote: I don't think pointing resolv.conf at 127.0.0.1 is the right answer for this. The functionality should be implemented as a 'hosts' service to be listed in nsswitch.conf between files and dns. For security reasons, you really want resolv.conf to only

Re: [CHANGE PROPOSAL] The securetty file is empty by default

2014-04-09 Thread Paul Wouters
On Wed, 9 Apr 2014, Chris Adams wrote: Once upon a time, Matthew Miller mat...@fedoraproject.org said: On Wed, Apr 09, 2014 at 10:20:36PM +0200, Lennart Poettering wrote: [technical reasoning snipped] Hence: please let's just remove securetty entirely from the default PAM stacks. It's

arm kernel does not support SCTP?

2014-04-08 Thread Paul Wouters
I'm updating socat to run all its test cases, and I'm running into an error only on the arm architecture: test 151 SCTP4LISTENFORK: SCTP4 listen handles 2 concurrent connections... !port 40157 timed out! FAILED 2014/04/09 01:36:12 server[6004] E socket(2, 1, 132): Protocol not supported

Re: [CHANGE PROPOSAL] The securetty file is empty by default

2014-04-03 Thread Paul Wouters
On Thu, 3 Apr 2014, Simo Sorce wrote: On Thu, 2014-04-03 at 07:32 -0700, quickbooks office wrote: This change will not affect logging into the console using the local account and then doing su to get root privileges. What local account ? Is there a problem with logging into the local user

Re: Maybe it's time to get rid of tcpwrappers/tcpd?

2014-03-21 Thread Paul Wouters
On Fri, 21 Mar 2014, Lennart Poettering wrote: we kinda do have dnssec per default. All DNS servers installed per default do DNSSEC. Installing dnssec-trigger makes that even more pervasive. Well, but glibc can't do the DNSSEC client side, can it? Applications that want to do DNSSEC

Re: Maybe it's time to get rid of tcpwrappers/tcpd?

2014-03-21 Thread Paul Wouters
On Fri, 21 Mar 2014, Lennart Poettering wrote: As long as -lresolve (i.e. glibc and getaddrinfo()) can't do DNSSEC it's just not there... You are proposing changing the api of getaddrinfo()? Good luck with that? Yes, applications that want to see DNSSEC results will have to do a little bit

Re: Maybe it's time to get rid of tcpwrappers/tcpd?

2014-03-20 Thread Paul Wouters
On Thu, 20 Mar 2014, Lennart Poettering wrote: I wonder whether it wouldn't be time to say goodbye to tcpwrappers in Fedora. I'd be happy to see those go. Those who depend on it though, should see some fail-closed behaviour, so their service does not suddenly become more exposed. Paul --

Re: Maybe it's time to get rid of tcpwrappers/tcpd?

2014-03-20 Thread Paul Wouters
On Fri, 21 Mar 2014, Lennart Poettering wrote: I mean, in this day and age we should not consider an ACL language well designed if it basically pushes users to use IDENT and DNS for authentication. (And no, don't say the words DNSSEC, nobody sets that up, we don't have it as default, and

Re: f20, anaconda, net install and video out of range ....

2014-02-07 Thread Paul Wouters
On Thu, 6 Feb 2014, Adam Williamson wrote: painstakingly hand-weeding something like M*a's ldetect-lst you can get some minor benefits, like doing this kind of distinction where we want to load the native driver for a real card but not qemu's emulated cirrus. You are telling me it is hard to

a stop job is running for User Manager for 0

2014-02-06 Thread Paul Wouters
I'm using a minimal netinstall version of fedora20 for testing using KVM. We very often cycle these machines (once per test, we run hundreds of tests) Regularly, we get tests failing because the VM does not boot within 60 seconds, and seems to hang at: a stop job is running for User

Re: a stop job is running for User Manager for 0

2014-02-06 Thread Paul Wouters
On Thu, 6 Feb 2014, Reindl Harald wrote: Regularly, we get tests failing because the VM does not boot within 60 seconds, and seems to hang at: a stop job is running for User Manager for 0 here you go https://bugzilla.redhat.com/show_bug.cgi?id=1023820

Re: a stop job is running for User Manager for 0

2014-02-06 Thread Paul Wouters
On Thu, 6 Feb 2014, Reindl Harald wrote: which is user 0 that is yours, and not only yours https://bugzilla.redhat.com/show_bug.cgi?id=1023820 This workaround solved my problem: https://bugzilla.redhat.com/show_bug.cgi?id=1023788#c2 basically: cat /etc/systemd/system/sshd-shutdown.service

Re: f20, anaconda, net install and video out of range ....

2014-02-03 Thread Paul Wouters
On Mon, 3 Feb 2014, Adam Jackson wrote: On Sun, 2014-02-02 at 22:02 -0500, Paul Wouters wrote: ftp://ftp.nohats.ca/Xorg.0.log [54.323] (II) VESA(0): VESA VBE Total Mem: 2048 kB [54.323] (II) VESA(0): VESA VBE OEM: Cirrus Logic GD-5480 VGA [54.324] (II) VESA(0): VESA VBE OEM

yum install kvm does not install kvm targets?

2014-02-02 Thread Paul Wouters
The target install: yum install kvm actually installs only qemu-system-x*86 but not qemu-kvm or libvirtd-daemon-kvm. Should not those be added to the kvm target? Paul

Re: f20, anaconda, net install and video out of range ....

2014-02-02 Thread Paul Wouters
On Sat, 1 Feb 2014, Adam Williamson wrote: You can't do a text install from a live image, but you can from DVD or net inst. We'd need the x logs to know what was going on with x startup. ftp://ftp.nohats.ca/Xorg.0.log Paul

f20, anaconda, net install and video out of range ....

2014-02-01 Thread Paul Wouters
Hi, I tried to help a friend upgrade his redhat 7.3 server (!) to something more modern. Since his server's BIOS had issues with booting from DVD, I setup a PXE environment on my laptop and booted the net-install (and later the live image) kernel and ram disk. After PXE boot, and leaving the

Re: f20, anaconda, net install and video out of range ....

2014-02-01 Thread Paul Wouters
On Sat, 1 Feb 2014, Adam Williamson wrote: You can't do a text install from a live image, but you can from DVD or net inst. We'd need the x logs to know what was going on with x startup. I did not keep a copy of the X log, but it showed no problems. It logged various screens in resolutions

Re: f20, anaconda, net install and video out of range ....

2014-02-01 Thread Paul Wouters
On Sat, 1 Feb 2014, Adam Williamson wrote: You can't do a text install from a live image, but you can from DVD or net inst. We'd need the x logs to know what was going on with x startup. Using the netinstall's isolinux/ vmlinuz,initrd and pxelinux.cfg file, the machine (physical but also VMs

[perl-Net-DNS/f20] - Updated to 0.73

2013-12-08 Thread Paul Wouters
Summary of changes: 55968d7... - Updated to 0.73 (*) (*) This commit already existed in another branch; no separate mail sent -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org

[perl-Net-DNS/f19] (5 commits) ...- Updated to 0.73

2013-12-08 Thread Paul Wouters
Summary of changes: 4de2b17... Add BSD, ISC, and MIT to licenses (*) caf51f2... Perl 5.18 rebuild (*) 3eddd70... Specify more dependencies (*) 59e0814... - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass (*) 55968d7... - Updated to 0.73 (*) (*) This commit already existed in

[perl-Net-DNS/f18] (12 commits) ...- Updated to 0.73

2013-12-08 Thread Paul Wouters
Summary of changes: 924bfee... 0.69 bump (*) 5cb1442... Fix renamed Win32 excludes (*) ebd03d7... 0.70 bump (*) 6d81f44... Review dependencies (*) d7ca4c7... 0.71 bump (*) ebca744... 0.72 bump (*) c1d41bb... - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass (*)

File Net-DNS-0.73.tar.gz uploaded to lookaside cache by pwouters

2013-11-29 Thread Paul Wouters
A file has been added to the lookaside cache for perl-Net-DNS: 06d107032a0e6b7fd7ec69bcfb0b7577 Net-DNS-0.73.tar.gz

[perl-Net-DNS] - Updated to 0.73

2013-11-29 Thread Paul Wouters
commit 55968d7a7952a423ef3bf71dbc497e6f6c393e23 Author: Paul Wouters pwout...@redhat.com Date: Fri Nov 29 15:57:45 2013 -0500 - Updated to 0.73 .gitignore|1 + perl-Net-DNS.spec |8 ++-- sources |2 +- 3 files changed, 8 insertions(+), 3 deletions

Re: BuildRequires: redhat-rpm-config

2013-11-14 Thread Paul Wouters
On Thu, 14 Nov 2013, Adam Jackson wrote: Yes. People hit this _constantly_ in a lot of ways. Like why am I not getting debuginfo packages. The theory is that you might want to build with some other set of macros, which is why rpmbuild doesn't just require r-r-c. I think this is foolish, and

Re: Orphaning ipsec-tools and workrave

2013-11-13 Thread Paul Wouters
On Wed, 13 Nov 2013, Tomas Mraz wrote: I've orphaned workrave and ipsec-tools in all active branches of Fedora as I do not use them any more. I will take ipsec-tools, as we use it for our interop tests with libreswan. Paul

Re: $HOME/.local/bin in $PATH

2013-10-28 Thread Paul Wouters
On Mon, 28 Oct 2013, Michael Schwendt wrote: /home/sandro/.local/bin in the PATH is not the default. Or is it new for Rawhide? $ grep PATH /etc/skel/.bash_profile PATH=$PATH:$HOME/.local/bin:$HOME/bin export PATH Exists for a longer time already, added in of the .fc16 builds: * Tue Jun 07

Re: phpMyAdmin: security bugs

2013-10-19 Thread Paul Wouters
On Sat, 19 Oct 2013, Robert Scheck wrote: On Wed, 09 Oct 2013, Paul Wouters wrote: I'm not really a user of phpMyAdmin so if someone who actually uses this package wishes to take maintainership, please do! you noticed that you pushed yet another version of phpMyAdmin with a *.swf file

Re: prelink performance gains

2013-10-17 Thread Paul Wouters
On Thu, 17 Oct 2013, Jan Kratochvil wrote: Workaround of that bug is one line of code, it just has not been accepted yet. And this is the core of the problem. No one has been spending 5 minutes on fixing prelink, yet people have described hours and days of effort wasted because of prelink. If

Re: prelink performance gains

2013-10-17 Thread Paul Wouters
On Thu, 17 Oct 2013, Daniel P. Berrange wrote: There's no reason to kill the package entirely. Some people still want to use it despite the current issues. So just don't install it by default. Reducing everything down to absolutes isn't helpful. Agreed, there's no reason to kill it

Re: prelink performance gains

2013-10-17 Thread Paul Wouters
On Thu, 17 Oct 2013, Hans de Goede wrote: We could change the default /etc/sysconfig/prelink to default to no prelinking, then for people with an unmodified /etc/sysconfig/prelink, this will become the new /etc/sysconfig/prelink and the first time the cronjob runs after the update it will

Re: prelink performance gains

2013-10-15 Thread Paul Wouters
On Tue, 15 Oct 2013, Dhiru Kholia wrote: In short, we could not distinguish the performance gains of prelink over the background noise in many (or even most) cases. So, I was wondering if you are aware of any use-cases where prelink provides measurable benefits. It would be awesome if you

Re: Fedora and ECDHE: now supported in OpenSSL

2013-10-15 Thread Paul Wouters
On Tue, 15 Oct 2013, Reindl Harald wrote: since OpenSSL in Fedora from now on supports ECDHE depending software needs to be rebuilt to make use of it as well as libraries like NSS/GNUTLS should do the same and depending packages like Firefox needs a rebuild against refreshed NSS to support it

Re: prelink performance gains

2013-10-15 Thread Paul Wouters
On Tue, 15 Oct 2013, Jan Kratochvil wrote: I just do not understand why to give up on that negligible optimization when it brings no disadvantages. Because you did not read my previous email? - complexity - complicated prelink blacklists - complicated cron job exclusion with sysconfig - FIPS

Re: prelink performance gains

2013-10-15 Thread Paul Wouters
On Tue, 15 Oct 2013, Jan Kratochvil wrote: - FIPS foot-bullets I really do not care and do not run FIPS. Your personal views are irrelevant. You are a package maintainer. When other people care about FIPS, you as a package maintainer should care about playing nicely with FIPS.

Re: phpMyAdmin: security bugs

2013-10-09 Thread Paul Wouters
On Tue, 8 Oct 2013, Sérgio Basto wrote: 3.5.8.2 was released time ago with several bugs fixed: http://bugzilla.redhat.com/959946 Current version in Fedora Rawhide: 3.5.8.1 Welcome to phpMyAdmin 3.5.8.2, a security release. I updated all branches in fedora and epel to 3.5.8.2. These are now

Re: [ACTION REQUIRED] Blocking more retired packages in F20+

2013-09-17 Thread Paul Wouters
On Tue, 17 Sep 2013, Till Maas wrote: I just blocked the following packages in koji for F20+, because they were retired some time ago, but not yet blocked: autotrust They might also lack a dead.package, but I will write a separate mail about this. Indeed. fixed. (autotools was merged

Re: Fedora/Redhat and perfect forward secrecy

2013-09-09 Thread Paul Wouters
On Mon, 9 Sep 2013, Reindl Harald wrote: I don't get it, either google dhe versus ecdhe performance http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html Let’s focus on the server part. Enabling DHE-RSA-AES128-SHA cipher suite hinders the performance of TLS handshakes by a

Re: Fedora/Redhat and perfect forward secrecy

2013-09-09 Thread Paul Wouters
On Mon, 9 Sep 2013, Gregory Maxwell wrote: I am certainly not ignoring legal concerns. While there are some patented EC cryptographic techniques, the basic infrastructure including ECDH over prime fields was first published back in 1984 and is not patentable. The IETF has published an

Re: COPR

2013-08-30 Thread Paul Wouters
On Fri, 30 Aug 2013, Daniel P. Berrange wrote: Or you could just map a directory on the host into /var/lib/mock/result in the guest, using the virtio-9p filesystem feature of KVM. Basically this gives you shared filesystem, but without any TCP/networking involved. NB, works with KVM in Fedora

Re: F20 release name election?

2013-08-22 Thread Paul Wouters
On Thu, 22 Aug 2013, Chris Murphy wrote: On Aug 22, 2013, at 6:12 PM, Josh Boyer jwbo...@fedoraproject.org wrote: I'm not necessarily disagreeing, but there are essentially two camps right now. Those that don't care about release names one bit (like me), and those that do. If those that do

Re: A closer look: Obsolete but still included packages

2013-08-19 Thread Paul Wouters
On Tue, 20 Aug 2013, Michael Schwendt wrote: For openswan, the openswan-doc subpackage is not obsoleted, just the base package is. # repoquery --whatobsoletes openswan libreswan-0:3.3-1.fc19.x86_64 That's strange, because openswan is a dead.package. :-/ I'll fix that. Paul

Mass Rebuild botched up my EVR

2013-08-19 Thread Paul Wouters
Hi, I just noticed the mass rebuild on Aug 3 botched up my EVR for libreswan: Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}.1 It should have been: Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} The previous version was: Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} How

Re: Schedule for Wednesday's FESCo Meeting (2013-08-14)

2013-08-15 Thread Paul Wouters
On Thu, 15 Aug 2013, Matthew Garrett wrote: I want increased participation in the creation of Fedora, which is a product with a defined set of software shipped as default. I'm also happy with people working to make it practical to use Fedora as the basis for derived products (such as the spins

Re: Schedule for Wednesday's FESCo Meeting (2013-08-14)

2013-08-15 Thread Paul Wouters
On Thu, 15 Aug 2013, Reindl Harald wrote: On 15.08.2013 15:40, Paul Wouters wrote: We can't tell people to re-install from scratch every 6 months. What we need is an apt-get dist-upgrade equivalent. *we have* http://fedoraproject.org/wiki/Upgrading_Fedora_using_yum I currently count 450

Re: UML (user mode linux) for Fedora

2013-08-09 Thread Paul Wouters
On Fri, 9 Aug 2013, Daniel P. Berrange wrote: That's just utilities, not the actual binary. Yep, since UML is basically just another special kernel build, I always had the impression that you'd have to convince the kernel RPM maintainers to add another sub-RPM containing the UML build for it

Re: UML (user mode linux) for Fedora

2013-08-08 Thread Paul Wouters
On Thu, 8 Aug 2013, Richard W.M. Jones wrote: On Thursday 08 August 2013 at 22:35 +0100, Richard W.M. Jones wrote: I wonder (idly) if anyone has ever tried to package UML for Fedora, and if there is anything in the packaging guidelines that would stop UML being packaged as a regular package?

Re: F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd

2013-07-17 Thread Paul Wouters
On Wed, 17 Jul 2013, Chris Adams wrote: Once upon a time, Jaroslav Reznik jrez...@redhat.com said: ntpdate is slowly being deprecated. STIG enhancements for RHEL 6 penalize systems that make use of ntpdate. Also documentation from the NSA Hardening Guidelines as well as CIS Hardening

Re: F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd

2013-07-17 Thread Paul Wouters
On Wed, 17 Jul 2013, Jaroslav Reznik wrote: = Proposed Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd = https://fedoraproject.org/wiki/Changes/ntpdate Having just read man ntpd for -q -g -x, I see that it is a valid replacement for using ntpdate on boot. (I

Re: F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd

2013-07-17 Thread Paul Wouters
On Wed, 17 Jul 2013, Chris Adams wrote: Have you tried the -q, -g, and -x options to ntpd? Yes, see other email. I saw it and provided we allow large clock skew providing all 3 options, I'm okay with replacing ntpdate. I have been thinking about how to solve that properly. One idea is to

Re: F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd

2013-07-17 Thread Paul Wouters
On Wed, 17 Jul 2013, Chris Adams wrote: Once upon a time, Paul Wouters pwout...@redhat.com said: That's easier said than done. It takes a lot of queries before you hit pool.ntp.org. And then you have to 1) ensure no one else uses those DNS answers and 2) flush the cache when enabling DNSSEC

Re: F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd (fwd)

2013-07-17 Thread Paul Wouters
On Wed, 17 Jul 2013, Chris Murphy wrote: a. ntpd/ntpdate aren't installed by default with Fedora 19. I don't see the feature proposing this be changed. That's a bug then. It is needed for DNSSEC. b. A default installation of Fedora 18/19, has no means of updating the RTC correctly if it's

Re: F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd

2013-07-17 Thread Paul Wouters
On Wed, 17 Jul 2013, Till Maas wrote: On Wed, Jul 17, 2013 at 09:23:44AM -0400, Paul Wouters wrote: Finally, for an easy fix for rebooting raspberry pi and co, I would really like to save the timestamp and load it on reboot, similar to the random seed file. Debian has a package for this: http

Re: F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd

2013-07-17 Thread Paul Wouters
On Wed, 17 Jul 2013, Chris Adams wrote: Once upon a time, Paul Wouters pwout...@redhat.com said: I understand the query. But you would either need to bypass the local dns caching resolver or flush the cache afterwards. The second option has a race condition, but the first has the problem

Re: F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd (fwd)

2013-07-17 Thread Paul Wouters
On Wed, 17 Jul 2013, Chris Adams wrote: Once upon a time, Paul Wouters p...@nohats.ca said: On Wed, 17 Jul 2013, Chris Murphy wrote: a. ntpd/ntpdate aren't installed by default with Fedora 19. I don't see the feature proposing this be changed. That's a bug then. It is needed for DNSSEC

Why can't ExecStopPre= be used to abort stopping a (broken) service?

2013-07-15 Thread Paul Wouters
Hi, For daemons, it happens that people (or puppet/ansible) make a config change that causes the config file to not load and be invalid. When restarting the service, it will stop but not start. Ideally, the stop should be aborted. I was looking at ExecStopPre= (which is mentioned in the

Re: Why can't ExecStopPre= be used to abort stopping a (broken) service?

2013-07-15 Thread Paul Wouters
On Mon, 15 Jul 2013, Jóhann B. Guðmundsson wrote: If I grok correctly what you are asking for, you are actually looking for an ExecRestartPre=, not an ExecStopPre=. You want something that is run before we stop a service when we intend to restart it. But when we shutdown the system and stop the

Re: _hardened_build not affecting libtool-compiled libraries

2013-06-24 Thread Paul Wouters
On Mon, 24 Jun 2013, Richard W.M. Jones wrote: Note there is still a problem that an LDFLAGS hack was needed in the spec file, otherwise libtool (or something) eats the hardening LDFLAGS. Too often Makefiles contain CFLAGS= / LDFLAGS=, instead of CFLAGS?= / LDFLAGS?= Paul -- devel mailing

Re: sharutils license correction

2013-05-29 Thread Paul Wouters
On Tue, 28 May 2013, Petr Pisar wrote: I've corrected license declaration at sharutils package: The only effective difference is the texinfo documentation is covered by GFDL instead of GPL. Why do we even bother shipping an old obsoleted documentation format only RMS can actually use? In

Re: [ACTION REQUIRED] Retiring packages for Fedora 19

2013-05-26 Thread Paul Wouters
On Sun, 24 Feb 2013, Bill Nottingham wrote: Date: Sun, 24 Feb 2013 05:19:43 From: Bill Nottingham nott...@redhat.com To: devel@lists.fedoraproject.org Subject: [ACTION REQUIRED] Retiring packages for Fedora 19 Before we branch for Fedora 19, as is custom, we will block currently orphaned

Re: Concern about FedoraCryptoConsolidation

2013-05-07 Thread Paul Wouters
On Tue, 7 May 2013, Matej Cepl wrote: Subject: Re: Concern about FedoraCryptoConsolidation On 2013-05-07, 04:10 GMT, Richard Levenberg wrote: https://fedoraproject.org/wiki/FedoraCryptoConsolidation While I understand the reasons for this idea of Consolidation I have a concern that very

Re: F19 DVD over size - what to drop?

2013-05-03 Thread Paul Wouters
On Fri, 3 May 2013, Daniel P. Berrange wrote: Surely if you are mass creating VMs you use ks + cobbler and or spacewalk to do that instead of ISO file. Both of those require you to deploy extra infrastructure, which isn't needed if using the ISO. Different approaches suit different people,
