Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-19 Thread Paul Wouters
On Thu, 14 Jun 2018, Tomas Mraz wrote: On Wed, 2018-06-13 at 00:45 -0400, Paul Wouters wrote: I don't think TLS 1.3 will see a wide deployment immediately. Sure, the famous top websites and top browsers will, but enterprises will not. And especially those with any kind of logging/auditing

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-12 Thread Paul Wouters
On Wed, 6 Jun 2018, Nikos Mavrogiannopoulos wrote: I think the debate here is whether fedora (and in general operating systems) can afford to be stricter than the browsers. As an OS our attack surface is much larger than the browser setup, and thus it makes sense (to me), to be more careful.

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-02 Thread Paul Wouters
On Wed, 2 May 2018, Lennart Poettering wrote: I presume you mean "~/.local" rather than "~/local"? I don't. As my argument goes, hidden directories containing binaries in your path are a bad idea. And it was a bad idea 15 years ago. Note that my home directory seems to only contain

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-02 Thread Paul Wouters
On Wed, 2 May 2018, Vít Ondruch wrote: User explicitly installed SW into his home directory. Why (s)he needs to override the $PATH in addition to make the SW work? Can you account for all your ~/.??* entries in your home dir? I have several of which I have no clue what it is or why it got

Re: Prioritizing ~/.local/bin over /usr/bin on the PATH

2018-05-02 Thread Paul Wouters
On Wed, 2 May 2018, Lennart Poettering wrote: It's already there. And it is XDG compliant. The question here is about order (what takes priority). Can you point me to the XDG specification that requires it? It was mentioned by Lennart on the bug, but he later clarified his comment[1]. So

Re: script to run after hotspot authentication?

2018-04-26 Thread Paul Wouters
On Tue, 24 Apr 2018, Sam Varshavchik wrote: Is there a way to run a custom command after hotspot authentication? You might be able to hook into dhclient. That happens when you obtain an IP address. There is no notification method that I know about that will signal me when the hotspot

script to run after hotspot authentication?

2018-04-24 Thread Paul Wouters
Hi, Is there a way to run a custom command after hotspot authentication? Fedora has/had some ways of detecting portals. dnssec-trigger, NetworkManager and Gnome3. I think the current method is supposed to be based on the latter. So I guess the problem that is used is

Re: Get stubby into Fedora to provide safe DNS resolution via DNS-over-TLS

2018-01-10 Thread Paul Wouters
st release of Getdns. See https://src.fedoraproject.org/rpms/getdns/blob/master/f/getdns.spec Maybe you could suggest the package maintainer to add a "Provides: stubby" so it can be found directly. CCing Paul Wouters in that regard. That's a good idea! I'l

Re: CVE-2016-8655, systemd, and Fedora

2016-12-14 Thread Paul Wouters
On Wed, 14 Dec 2016, Scott Schmit wrote: IPsec requires AF_NETLINK (NETLINK_XFRM) to manage the security associations & security policies. libreswan probably also needs to be able to manage the routing for IPsec tunnels (NETLINK_ROUTE[6]). The nature of libreswan is that it allows custom

Re: CVE-2016-8655, systemd, and Fedora

2016-12-12 Thread Paul Wouters
On Mon, 12 Dec 2016, Lennart Poettering wrote: Note that I wonder if restricting address families really belongs in systemd. Why isn't this a libcap-ng capability? That way my software can support this without depending on systemd. hu? libcap-ng is a library to manage Linux process

Re: CVE-2016-8655, systemd, and Fedora

2016-12-12 Thread Paul Wouters
On Mon, 12 Dec 2016, Matthew Miller wrote: Question 1: How can we take advantage of this feature in specific? We could bulk file a bunch of bugs. Or, what about turning on some more restrictive defaults (AF_INET AF_INET6 AF_UNIX) on some flag day in Rawhide, and having services which have
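The three CVE-2016-8655 messages above discuss two settings: the narrow default floated for a Rawhide flag day (AF_INET AF_INET6 AF_UNIX) and the extra family an IPsec daemon needs because it manages SAs, policies and routes over netlink. The drop-in below is an added example, not a file from the libreswan or systemd packages; the unit name ipsec.service and the drop-in path are assumptions. RestrictAddressFamilies= filters socket() by address family only, so a single AF_NETLINK entry covers both NETLINK_XFRM and NETLINK_ROUTE.

```ini
# /etc/systemd/system/ipsec.service.d/restrict.conf   (path and unit name assumed)
[Service]
# The narrow default proposed in the thread. Fine for an ordinary network
# service, but under it libreswan's NETLINK_XFRM / NETLINK_ROUTE sockets fail
# with EAFNOSUPPORT, so no SAs, SPs or tunnel routes get installed.
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Corrected list for an IPsec daemon: AF_NETLINK added; AF_PACKET, the
# family involved in CVE-2016-8655, is still denied.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
```

After `systemctl daemon-reload` and a restart of the unit, watch the journal for EAFNOSUPPORT from socket(): any family the daemon opens that is missing from the list shows up there. If the daemon also uses PF_KEYv2 (AF_KEY) sockets, that family has to be listed too; the thread only names the netlink protocols, so check the journal rather than assuming the list above is complete.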

Re: Fedora captive portal page changed output :(

2016-12-05 Thread Paul Wouters
On Mon, 5 Dec 2016, Michael Catanzaro wrote: On Mon, 2016-12-05 at 09:05 -0500, Paul Wouters wrote: That is incorrect in my experience. When I go to coffee shops, my iphone shows the portal page, but my laptop shows the TLS cert invalid thing. Oh wow. I didn't know that. Feels like time

Re: Fedora captive portal page changed output :(

2016-12-05 Thread Paul Wouters
On Sun, 4 Dec 2016, Michael Catanzaro wrote: On Sun, 2016-12-04 at 16:39 -0500, Paul Wouters wrote: That is a different issue. And indeed I see it as well, and was quite surprised at them checking the TLS validity of a captive portal page. We have no plans to stop doing this, because that's

Re: Fedora captive portal page changed output :(

2016-12-04 Thread Paul Wouters
On Sun, 4 Dec 2016, Kevin Fenzi wrote: On Fri, 2 Dec 2016 21:42:07 -0600 Eric Sandeen <sand...@redhat.com> wrote: On 12/2/16 7:10 PM, Paul Wouters wrote: Fedora runs a captive portal check page at: http://fedoraproject.org/static/hotspot.txt It used to return "OK\n". No

Re: Fedora captive portal page changed output :(

2016-12-04 Thread Paul Wouters
On Sat, 3 Dec 2016, Langdon White wrote: Wouldn't it make more sense to be checking for status 200? Checking for content on the page seems fragile in general. Who says a stolen page wouldn't return status 200? Also, and perhaps related, I filed a bug[1] about captive portals that seems to

Fedora captive portal page changed output :(

2016-12-02 Thread Paul Wouters
Fedora runs a captive portal check page at: http://fedoraproject.org/static/hotspot.txt It used to return "OK\n". Now it returns "OK" without the newline. This caused at least the geome tool (from the geome package) to return a false positive and abort, telling the user to first authenticate
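The regression reported in this message (the probe page dropping its trailing newline) and the follow-up two days later ("Who says a stolen page wouldn't return status 200?") together describe what a hotspot probe has to get right: compare the body, not just the status code, but compare it loosely enough that whitespace changes do not turn into a false "portal" verdict. The classifier below is an added example, not code from the geome package, NetworkManager or dnssec-trigger. The probe URL is the one named in the thread; every response in SAMPLES is constructed, not captured traffic, and there is no network access.

```python
"""Captive-portal probe classification (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, Optional

PROBE_URL = "http://fedoraproject.org/static/hotspot.txt"  # named in the thread
EXPECTED_BODY = b"OK"  # matches both the old "OK\n" and the new "OK"


@dataclass
class Response:
    """The parts of an HTTP reply the probe cares about (constructed, not a real client)."""
    status: int
    body: bytes
    location: Optional[str] = None  # value of a Location: header, if any
    content_type: str = "text/plain"


def legacy_check(body: bytes) -> bool:
    """The brittle comparison the thread is about: exact bytes, newline included."""
    return body == b"OK\n"


def classify(resp: Optional[Response], expected: bytes = EXPECTED_BODY) -> str:
    """Return 'online', 'portal' or 'unknown' for one probe response.

    - A redirect, a 511 (RFC 6585 Network Authentication Required) or a 200
      with the wrong body is a portal: a hijacked page answers 200 just as
      happily as the real one, so the status code alone proves nothing.
    - A 200 whose body equals the token after trailing whitespace is trimmed
      is 'online'; insisting on the exact bytes "OK\\n" is what produced the
      false positive reported here.
    - No reply, or a server-side error, is 'unknown': the probe host being
      down is not evidence of a portal and must not trigger a login prompt.
    """
    if resp is None:
        return "unknown"
    if 300 <= resp.status < 400:
        return "portal" if resp.location else "unknown"
    if resp.status == 511:
        return "portal"
    if resp.status >= 500:
        return "unknown"
    if resp.status == 200:
        if resp.body.rstrip(b" \t\r\n") == expected:
            return "online"
        return "portal"  # 200 with some other content: hijacked or substituted page
    return "unknown"


SAMPLES: Dict[str, Optional[Response]] = {  # constructed responses
    "open network, old page": Response(200, b"OK\n"),
    "open network, new page": Response(200, b"OK"),
    "hotel portal, 200 hijack": Response(
        200, b"<html>Welcome, please log in</html>", content_type="text/html"),
    "hotel portal, redirect": Response(302, b"", location="http://10.0.0.1/login"),
    "rfc6585 portal": Response(511, b"Network Authentication Required"),
    "probe host down": Response(503, b"Service Unavailable"),
    "no answer at all": None,
}


def demo() -> Dict[str, str]:
    """Classify every constructed sample; used as the worked comparison."""
    return {name: classify(resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict}")
    print("legacy_check(b'OK') =", legacy_check(b"OK"))
```

The point of the two functions side by side: legacy_check turns the harmless newline change into "you are behind a portal", while classify keeps the content comparison (so a 200 from a hijacking portal is still caught) and only relaxes the whitespace. Keeping the probe host's own outages in a separate "unknown" bucket also avoids the spurious portal dialogs seen when Fedora infrastructure had trouble (the 2015-03-25 message further down this page).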

Re: F24, small backward steps

2016-09-13 Thread Paul Wouters
On Tue, 13 Sep 2016, Ralf Corsepius wrote: This is a truly awful experience from POV of a Fedora user filing bugs :-( We've set a silent trap for them with no warning of the fact that their bug reports are going to be ignored until Fedora EOL procedure closes them :-( One lesson I have

Re: F24, small backward steps

2016-09-09 Thread Paul Wouters
On Fri, 9 Sep 2016, Adam Williamson wrote: 2. fingerprint identification: The laptop has a fingerprint reader and it works fine. However I prefer not to use it. The user set up specifies that fingerprint login is disabled. However whenever I am asked for a password the

Re: Imaginary single quotes in ls ?

2016-06-06 Thread Paul Wouters
On Mon, 6 Jun 2016, bendem wrote: Are you using an alias like ls="ls --quoting-style=shell"? Not knowingly. Whatever I got, I got it from systems default. And yes this is an f-24 install. using a gnome-term if it matters. Paul On 06/06/2016 05:53 PM, Paul Wouters wrote: pau

Imaginary single quotes in ls ?

2016-06-06 Thread Paul Wouters
paul@thinkpad:/tmp/test$ touch foo bar baz paul@thinkpad:/tmp/test$ touch "touch and go" paul@thinkpad:/tmp/test$ ls -l total 0 -rw-rw-r--. 1 paul paul 0 Jun 6 11:48 bar -rw-rw-r--. 1 paul paul 0 Jun 6 11:48 baz -rw-rw-r--. 1 paul paul 0 Jun 6 11:48 foo -rw-rw-r--. 1 paul paul 0 Jun 6 11:49

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-05 Thread Paul Wouters
On Fri, 3 Jun 2016, Lennart Poettering wrote: You are redefining the meaning of (a graphical) logout. It simply means another user can use the mouse, keyboard and screen of this device. It makes no statement on whether the machine's resources are shared or not. Actually, with logind, current

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Paul Wouters
> On Jun 1, 2016, at 09:48, Lennart Poettering wrote: > > Any scheme that relies on unprivileged programs "being nice" doesn't > fix the inherent security problem: after logout a user should not be > able to consume further runtime resources on the system, regardless if he > does that because of a

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Paul Wouters
On Thu, 2 Jun 2016, Lennart Poettering wrote: Well. Let's say you are responsible for the Linux desktops of a large security-sensitive company (let's say bank, whatever), and the desktops are installed as fixed workstations, with different employees using them at different times. They log in,

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-05-30 Thread Paul Wouters
On Sun, 29 May 2016, Chris Murphy wrote: On Fri, May 27, 2016 at 5:03 PM, Paul Wouters <p...@nohats.ca> wrote: If there is a systematic problem of badly written code leaving orphaned code running when a user logs out, then that broken code should be fixed instead of adding another

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-05-27 Thread Paul Wouters
On Fri, 27 May 2016, Chris Murphy wrote: It seems to me systemd should be able to know the difference between a program that's zombie or unresponsive but isn't doing anything or is unresponsive but is doing something; and if not then some way for programs to say "hey wait just a minute, I need

Re: pidgin, was Re: Orphaned Packages in branched (2016-05-03)

2016-05-09 Thread Paul Wouters
On Mon, 9 May 2016, Jan Synacek wrote: I got a few of these warnings in the last few weeks and I'd like those to stop :) Is there any interest in supporting SILC? It's an old encrypted chat protocol that I never used or never heard of someone using. Do the pidgin maintainers want to take the

pidgin, was Re: Orphaned Packages in branched (2016-05-03)

2016-05-03 Thread Paul Wouters
On Tue, 3 May 2016, opensou...@till.name wrote: libsilcorphan, cicku, nosnilmot 9 weeks ago Depending on: libsilc (12), status change: 2016-02-26 (9 weeks ago) pidgin (maintained by: jsynacek, itamarjp, jskarvad, mcrha, nosnilmot)

Re: mod_rewrite rule please? admin.fedoraproject.org/updates/packagename/ ?

2015-12-22 Thread Paul Wouters
On Mon, 21 Dec 2015, Michael Cronenworth wrote: On 12/21/2015 01:19 PM, Paul Wouters wrote: Could we have a mod_rewrite rule for bodhi.fedoraproject.org/updates/packagename ? One already existed. Have you not tried it? https://bodhi.fedoraproject.org/updates/libreswan I had in the past

mod_rewrite rule please? admin.fedoraproject.org/updates/packagename/ ?

2015-12-21 Thread Paul Wouters
Hi, I really miss the simple URL lookup to find links to the last few package builds of a certain package. Eg for libreswan, I could use: https://admin.fedoraproject.org/updates/libreswan/ Now I have to go search around and type in a package name, eg:

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-14 Thread Paul Wouters
On 12/12/2015 09:11 PM, Oron Peled wrote: > On Friday 11 December 2015 09:09:28 Paul Wouters wrote: >> On 12/09/2015 06:02 PM, Oron Peled wrote: >>> Why don't we plan this feature in two stages: >>> * Fedora 24: turn it on by default, but *keep using results

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-14 Thread Paul Wouters
On 12/14/2015 04:26 PM, Oron Peled wrote: >>> 2. dbus: >>>* The local DNS server would send specific DBUS signal (e.g: >>> net.dnsseq.InsecureDNSReply). >>>* A desktop process would listen on these signals and show proper >>> desktop notification. >> >> But these solutions can quickly

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-11 Thread Paul Wouters
On 12/09/2015 06:02 PM, Oron Peled wrote: > Why don't we plan this feature in two stages: > * Fedora 24: turn it on by default, but *keep using results* from bad DNS > servers, >just issue a user-visible warning, possibly with a link to a page with > friendly >explanation and

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-09 Thread Paul Wouters
On 12/09/2015 01:04 PM, Debarshi Ray wrote: > On Mon, Dec 07, 2015 at 10:48:55AM +0100, Tomas Hozza wrote: >> On 04.12.2015 15:57, Lennart Poettering wrote: >>> How do other popular desktop/consumer OSes deal with this? Windows, MacOS, >>> iOS, Android, ChromeOS? Does any of them do client-side

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On Mon, 7 Dec 2015, Lennart Poettering wrote: Hmm? If I work for a company "Foo Corp" that defined .foocorp as its private TLD, then I won't be able to access servers in that local network until I added .foocorp to a local whitelist Foo Corp should not have done that. If you had picked .hotel

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On Mon, 7 Dec 2015, Matthew Miller wrote: I read your whole post. Those possibilities seem pretty limited, from the point of view of serious regressions in Fedora usability. It isn't that I "like" Fedora being less than technically correct (especially around security-related features), but I

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On Mon, 7 Dec 2015, Lennart Poettering wrote: In case this is blocked on the network, Unbound is configured to tunnel the DNS queries to Fedora public infrastructure over TCP (80, 443) or SSL (443), in which case this is similar to the first situation, when Unbound forwards queries to the

Fwd: Re: F24 System Wide Change: Default Local DNS Resolver (fwd)

2015-12-07 Thread Paul Wouters
(resending - looks like mty @redhat.com is not subscribed) On 12/07/2015 04:48 AM, Tomas Hozza wrote: So, here's a question: in germany "Fritzbox" wifi routers are very popular. Their configuration page is reachable under the "fritz.box" pseudo-domain from inside their wifi network, and all

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On Mon, 7 Dec 2015, Florian Weimer wrote: Clearly, fedora cannot be changed to hijack a real domain, so Fritzbox better solve this quickly with an update, even if no one actually will update their router :( Well, AVM could just register fritz.box and leave it unsigned, which solves the

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-07 Thread Paul Wouters
On 12/07/2015 04:48 AM, Tomas Hozza wrote: >> So, here's a question: in germany "Fritzbox" wifi routers are very >> popular. Their configuration page is reachable under the "fritz.box" >> pseudo-domain from inside their wifi network, and all other systems on >> the network are also reachable below
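The .foocorp exchange (2015-12-07, "until I added .foocorp to a local whitelist") and the fritz.box messages above both come down to the same situation: a name that does not exist in the signed public tree, served unsigned by a local box. A validating unbound on 127.0.0.1 cannot accept such answers unless it is told, for that one subtree, not to expect signatures and where to send the queries. The fragment below is an added example of that whitelist, not a file from the Fedora unbound or dnssec-trigger packages; the file path, the forwarder address 10.0.0.53 and the router address 192.168.178.1 are assumptions standing in for whatever DHCP or the VPN hands out.

```conf
# /etc/unbound/conf.d/local-names.conf   (path assumed; unbound.conf syntax)
server:
    # Validation is switched off for these subtrees only, never globally.
    # Without this the unsigned answers from the local servers are bogus
    # (the root proves the names do not exist), which is the breakage the
    # thread describes.
    domain-insecure: "foocorp."
    domain-insecure: "fritz.box."

    # If private-address: ranges are configured (rebinding protection),
    # answers with RFC 1918 addresses are stripped unless the name is
    # listed here.
    private-domain: "foocorp."
    private-domain: "fritz.box."

forward-zone:
    name: "foocorp."
    forward-addr: 10.0.0.53        # internal resolver (assumed)

forward-zone:
    name: "fritz.box."
    forward-addr: 192.168.178.1    # the router itself (assumed)
```

Check the file with `unbound-checkconf` before reloading. The runtime equivalent, which is what a network-change hook would do rather than editing files, is `unbound-control forward_add +i foocorp. 10.0.0.53` (the `+i` flag is what marks the zone insecure); `unbound-control forward_remove foocorp.` undoes it when the network goes away. The caveat from the thread stands: this is a per-machine workaround, and the durable fix is for the vendor to use a name it actually controls.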

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Paul Wouters
On Tue, 1 Dec 2015, Randy Barlow wrote: This sounds overall pretty neat to me! One detail came to my mind: how would this interact with VPN DNS servers? In my experience with VPNs, it's common for them to provide a DNS server that allows internal host resolution to work. Would this local

Re: F24 System Wide Change: Default Local DNS Resolver

2015-12-01 Thread Paul Wouters
On Tue, 1 Dec 2015, Björn Persson wrote: Tomas Hozza wrote: - dnssec-trigger does not do the Captive Portal detection and handling and we rather rely on NM for the detection and on Gnome Shell for the Portal login Can I assume that users of non-Gnome desktops will also

Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Paul Wouters
And openpgpkey-milter :) And put in a TLSA record for their MX :) Paul Sent from my iPhone > On Oct 5, 2015, at 10:58, Michel Alexandre Salim > wrote: > > On a related note to that, it would be great if active Fedora contributors do > get to use an SMTP server with

Re: SPF records @fedoraproject.org versus @lists.fedoraproject.org

2015-10-05 Thread Paul Wouters
On Mon, 5 Oct 2015, Kevin Fenzi wrote: On Mon, 5 Oct 2015 11:04:40 -0400 Paul Wouters <p...@nohats.ca> wrote: And openpgpkey-milter :) And put in a TLSA record for their MX :) I don't think it makes much sense for Fedora Infrastructure to get into the business of being a SMTP

Re: python: dropping the .py files [was Re: Fedora 23 cloud image (and, for that matter, minimal anything)] bloat

2015-09-25 Thread Paul Wouters
On Fri, 25 Sep 2015, Matthew Miller wrote: On Thu, Sep 24, 2015 at 10:10:40AM +0200, Vít Ondruch wrote: Also, you might consider to ship the precompiled bytecode just optionally, using recommends. On the contrary, if you insist on shipping the bytecode, why don't you drop the .py files? I see a

Re: Disable PulseAudio flat volumes to prevent it from pushing volume level to max

2015-09-21 Thread Paul Wouters
On Mon, 21 Sep 2015, Owen Taylor wrote: Experimenting with GNOME, the model presented to the user seems to be: - Each application's volume control separately goes from 0-100% of the maximum system volume. - Adjusting each application is independent. - Modifying the system global volume

Re: bind: CVE-2015-5722 and CVE-2015-5986

2015-09-03 Thread Paul Wouters
On Fri, 4 Sep 2015, Bojan Smojver wrote: According to ISC, these two affect bind 9.10.2 as well (up to P3). There are no new builds (i.e. P4) for F22 of this package that I can see. Does anyone know why? Is there something Fedora specific that prevents these problems in F22 packages? I just

Re: Cleanup of Upstream Relase Monitoring bugs

2015-09-02 Thread Paul Wouters
On Wed, 2 Sep 2015, Vít Ondruch wrote: 3) Packages are updated, but the bug is kept open I would suggest probably to close the bugs for 1st category, the packages from 2nd category should be orphaned and the packages from 3rd category should not be monitored anymore. Any thoughts? I would

Re: perl-Net-DNS-SEC license correction

2015-08-07 Thread Paul Wouters
On Fri, 7 Aug 2015, Petr Šabata wrote: This package's license tag was wrong all along; the license tag will be corrected to `MIT'. Updates are on the way. hm, I had 1.01 packages pending.. Also, the license says GPL+ or Artistic. The README says: Permission to use, copy, modify, and

Re: gpg keys of older/newer fedora versions

2015-08-06 Thread Paul Wouters
On Wed, 5 Aug 2015, Neal Gompa wrote: I disagree that including the keys for EOL'd releases counts as encouraging people to use old stuff. If someone has a reason to be building RPMs for something way-old, I think it'd be nice for us to keep those GPG keys available for them. Agreed. Paul --

Re: gpg keys of older/newer fedora versions

2015-07-17 Thread Paul Wouters
On Fri, 17 Jul 2015, Zbigniew Jędrzejewski-Szmek wrote: [In light of https://bugzilla.redhat.com/show_bug.cgi?id=1241383] 'dnf install --installroot=... --releasever=XX dnf' can be used to bootstrap a Fedora chroot. The only snag is that --nogpg is often recommended, because fedora-repos only

Re: Summary of Thursday's call between GNOME and NM devels and Default DNS resolver change owners

2015-07-17 Thread Paul Wouters
On Fri, 17 Jul 2015, Chuck Anderson wrote: What doesn't work in your experience with the captive portal stuff? Usually, the dnssec-triggerd captive portal detection pops up a dialog, and when I click log in nothing happens. When I click skip (sorry I might be forgetting the exact button

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-03 Thread Paul Wouters
And dnssec-validator.cx for a Firefox/chrome plugin that you can see in action against fedoraproject.org that already deploys this Sent from my iPhone On Jul 3, 2015, at 10:43, Petr Spacek pspa...@redhat.com wrote: On 2.7.2015 17:56, Michael Catanzaro wrote: On Thu, 2015-07-02 at 16:38

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Paul Wouters
On Tue, 30 Jun 2015, Bastien Nocera wrote: Once DNSSEC is more widely deployed What is more widely deployed ? http://www.internetsociety.org/deploy360/wp-content/uploads/2013/04/2015-06-19-2015-06-19.png There are 991 zones in the root and 814 are signed and securely delegated.

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Paul Wouters
On Tue, 30 Jun 2015, Michael Catanzaro wrote: I'm confused on one point: why would the user ever want to turn off DNSSEC validation (except to get past a captive portal)? It sounds like you have no shortage of safeguards in place to make sure this always works: for it to break the user

Re: dnssec-trigger + GNOME + NetworkManager integration

2015-07-01 Thread Paul Wouters
On Wed, 1 Jul 2015, Michael Catanzaro wrote: Date: Wed, 1 Jul 2015 19:26:55 From: Michael Catanzaro mcatanz...@gnome.org To: devel@lists.fedoraproject.org Subject: Re: dnssec-trigger + GNOME + NetworkManager integration On Wed, 2015-07-01 at 18:40 -0400, Paul Wouters wrote: That's the same

Re: DNSSEC/unbound - boingboing.net failures

2015-06-30 Thread Paul Wouters
dnssec-trigger. It will be better for getting additional information. Also please see the reply by Paul Wouters to your previous email. Oh hey. I forgot that I posted this already, and didn't see the reply. Ugh, time for a vacation! -- Matthew Miller mat...@fedoraproject.org Fedora Project

Re: how do I diagnose dnssec/unbound issues?

2015-06-27 Thread Paul Wouters
Try using unbound-host which uses the same configuration file? Otherwise grep the logs for unbound or possibly increase verbosity to 2 or 3 in the conf file. If it happens again and you are comfortable with it, you can run unbound-control dump to get the full DNS cache which could tell what's

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Paul Wouters
On Thu, 18 Jun 2015, Dan Williams wrote: True. In fact with unbound it is pretty trivial to do. The equivalent unbound python code for that would be: import unbound; ctx = unbound.ub_ctx(); ctx.resolvconf("/this/networks/representation/of/resolv.conf") Hmm, that doesn't really allow for split

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-18 Thread Paul Wouters
On Thu, 18 Jun 2015, Dan Williams wrote: The drawbacks I see to dnssec-trigger here are: 2) provides only HTTPS IPC, perhaps because it works on all platforms. But a Linux-only solution would typically use a unix socket or D-Bus and be secured by Unix or D-Bus permissions instead of using

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-17 Thread Paul Wouters
On Wed, 17 Jun 2015, Tomas Hozza wrote: While I don't actually care, this might well be a sticking point for many people since their DNS information is going to an untrusted (to them) DNS server. Yeah, I tend to trust Fedora, but not everyone will. If you don't trust fedora infrastructure,

Re: GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

2015-06-16 Thread Paul Wouters
On Tue, 16 Jun 2015, Bastien Nocera wrote: That’s what dnssec-trigger ideally _should_ do. What would it _actually_ do, e.g. with the current code? That's defined by login-command: in /etc/dnssec-trigger/dnssec-trigger.conf which we did not change from the default xdg-open. It uses the URL

Re: GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

2015-06-15 Thread Paul Wouters
On Mon, 15 Jun 2015, Miloslav Trmač wrote: Detect it and show the sandboxed browser. If that means that the user has to type their Facebook password again, then the user is welcome to do that. I don't see why we should make it easier to track users, though. That’s what dnssec-trigger

Re: GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

2015-06-15 Thread Paul Wouters
On Mon, 15 Jun 2015, Stephen John Smoogen wrote: Is the code on how ChromeOS or Android detects captivity part of the 'public' code? It seems to do a 'good' job in finding many captive portals so might be something to get an idea on how many weird ways things are out there. I think everyone

Re: GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

2015-06-14 Thread Paul Wouters
On Sat, 13 Jun 2015, Michael Catanzaro wrote: There is one thing I don't understand. Surely the above is exactly what will happen if you were to get stuck behind a captive portal with Firefox or any normal browser? But portals still work reliably for users. You should visit more hotels. The

Re: GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

2015-06-13 Thread Paul Wouters
On Sat, 13 Jun 2015, Michael Catanzaro wrote: Hm... the captive portal helper loads www.gnome.org but it only runs after NetworkManager has decided there is a captive portal. We can make this URL configurable at build time if there's really a problem, but I'm not sure there is, since it's not

Re: GNOME captive portal helper (was Re: F23 System Wide Change: Default Local DNS Resolver)

2015-06-13 Thread Paul Wouters
On Sat, 13 Jun 2015, Andrew Lutomirski wrote: It'd be nice to not show http://www.gnome.org (the test URL we load, expecting to be hijacked) if the portal decides not to redirect you to a new URI (not sure how common that is), but I think we will have to or we can't fix this It could

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-12 Thread Paul Wouters
On Fri, 12 Jun 2015, Matthew Miller wrote: Another integration concern: the network config GUI (and ifcfg files, for that matter) let me list specific DNS servers. With this feature, are those used (and if so, how)? If not, is my configuration just silently ignored? I do not know if it is

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-12 Thread Paul Wouters
On 06/12/2015 11:10 AM, Petr Spacek wrote: HERE we need to coordinate with other parties who might want to write into the /etc/resolv.conf file. These include (but might not be limited to): NetworkManager initscripts dhclient libreswan ? resolved connman Option

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-12 Thread Paul Wouters
On 06/12/2015 12:53 PM, Dan Williams wrote: b) Broken networks: Some networks are so broken that even without captive portal they are not able to deliver DNSSEC data to the clients. In that case it will try to tunnel to other DNS servers on the Internet (Fedora Infra or public DNS root) and use

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-12 Thread Paul Wouters
On Fri, 12 Jun 2015, Matthias Clasen wrote: I've just installed dnssec-trigger on rawhide to try this out, and found that it breaks networking on my Workstation. I used to get a network connection on login, now I get a question mark in top bar, and a status icon with obscure menu options

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-12 Thread Paul Wouters
On Fri, 12 Jun 2015, Matthew Miller wrote: I personally find the anchor icon very confusing. As a non-expert in this area, it doesn't represent anything which seems relevant to me, and all of the right click menu options, once I figured out to right click, are obscure to me. Agreed. I don't

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-12 Thread Paul Wouters
On Fri, 12 Jun 2015, Andrew Lutomirski wrote: All that makes sense. Thanks. FWIW, I think that a little C program to spin up a namespace that's good enough to point a stateless Firefox instance at a captive portal login with overridden DNS nameserver settings would only be a couple of hundred

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-12 Thread Paul Wouters
On Fri, 12 Jun 2015, Dan Williams wrote: That is why HTTP redirection and DNS failure have to be detected by whatever is the hot spot detector. Both items weigh in on triggering a hotspot logon window. Agreed. But how does the DNS failure actually get relayed to the thing doing the HTTP

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-11 Thread Paul Wouters
On Thu, 11 Jun 2015, Dan Williams wrote: Unfortunately the Proposal doesn't say anything about how this will actually work, which is something NetworkManager needs to know. It also fails to address the failure cases where your local DNS doesn't support DNSSEC or is otherwise broken here out of

f22 screensaver/lockout issue requiring reboot :/

2015-06-10 Thread Paul Wouters
Hi, Am I the only one who is constantly locked out of their X session on fedora 22? Once the screen locks, it refuses my actual password to unlock. Even killing X with ctrl-alt-backspace doesn't help because it will just startup again in locked screen mode. I basically have to reboot every time

Re: f22 screensaver/lockout issue requiring reboot :/

2015-06-10 Thread Paul Wouters
I wrote: On 06/10/2015 09:04 AM, Paul Wouters wrote: Am I the only one who is constantly locked out of their X session on fedora 22? Once the screen locks, it refuses my actual password to unlock. Even killing X with ctrl-alt-backspace doesn't help because it will just

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-09 Thread Paul Wouters
On Tue, 9 Jun 2015, Matthew Miller wrote: One (new!) thing I'm concerned with, now that I've enabled it on my system, is the persistent tray notification. This is... confusing and ugly. Can we (for F23 if possible, and F24 if not) get better GNOME Shell integration here? That's been on the

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-03 Thread Paul Wouters
On Wed, 3 Jun 2015, Petr Spacek wrote: It is somewhat questionable whether DNS rebinding vulnerabilities are, in fact, a problem which should be solved at the client side. But Oh yes. DNS pinning in browser is just a band-aid and not proper solution. I would argue that DNS rebinding attack

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-03 Thread Paul Wouters
On Wed, 3 Jun 2015, Petr Spacek wrote: On 3.6.2015 13:45, Reindl Harald wrote: If you feel that the standard is broken then *please* continue with discussion on IETF's dnsop mailing list: https://www.ietf.org/mailman/listinfo/dnsop come on stop trolling that way because you know exactly

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-02 Thread Paul Wouters
On Tue, 2 Jun 2015, Simo Sorce wrote: and just because you have a local resolver firefox won't stop its behavior It can, w/o a local resolver FF developers will definitely keep caching on their own, with a decent local resolver they can allow themselves to disable their own and go back to

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-02 Thread Paul Wouters
On Tue, 2 Jun 2015, David Howells wrote: I'm using dnsmasq to look up *.redhat.com addresses over VPN whilst looking up other addresses from my ISP. That is automatically handled for you if you use libreswan for your VPN and unbound is running. It will add a forward for the domain

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-02 Thread Paul Wouters
On Tue, 2 Jun 2015, David Howells wrote: Install a local DNS resolver trusted for the DNSSEC validation running on 127.0.0.1:53. This must be the only name server entry in /etc/resolv.conf. The automatic name server entries received via dhcp/vpn/wireless configurations should be stored

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-01 Thread Paul Wouters
On Mon, 1 Jun 2015, Tomas Hozza wrote: Yes, we think the change makes sense for Server. It is still beneficial from the security point of view to do the DNSSEC validation on Server. Agreed. Even though the configuration on Server will be static, dnssec-trigger + unbound can be used for

Re: F23 System Wide Change: Default Local DNS Resolver

2015-06-01 Thread Paul Wouters
On Mon, 1 Jun 2015, drago01 wrote: production. Yes, that's a glibc bug, and glibc should fix it. Nonetheless, bugs like that wouldn't matter as much if there were a local resolver. That's not how bugs should be dealt with ... if there is a bug it should be fixed where it is not duct taped

Re: Deprecation of ISC's DLV registry

2015-05-20 Thread Paul Wouters
On Wed, 20 May 2015, Tomas Hozza wrote: I received a heads-up from ISC that they are planning to deprecate their DLV registry (https://dlv.isc.org/) in the future. The use of ISC's DLV repository should be removed from any default configuration to prevent any issues in the future. I'm aware

Re: Testing request: gdm-on-Wayland on hybrid graphics laptops (esp. Macbooks)

2015-05-14 Thread Paul Wouters
I had gdm issues on my f19 to f22beta upgrade too. Startx worked. Worse, the lock screen cannot unlock. Claims wrong passwd. Killing Xorg just led to restarted locked screen. Only way out was init 1 Sent from my iPhone On May 14, 2015, at 16:01, Adam Williamson adamw...@fedoraproject.org

Re: /usr/share vs /usr/libexec

2015-04-22 Thread Paul Wouters
On Wed, 22 Apr 2015, Miloslav Trmač wrote: now I'm curious. Does it make more sense for these sort of scripts to live in /usr/libexec, or in /usr/share? /usr/libexec. From (info standards): `libexecdir' The directory for installing executable programs to be run by other programs

Your Outstanding Requests on closed bugs

2015-03-30 Thread Paul Wouters
Hi, So I get a regular reminder for Your Outstanding Requests However, a bunch of these are on closed bugs. It seems stuck somehow in thinking it needs something from me. For example: Bug 815617: PATCH: properly deal with crypt() returning NULL (1043 days old)

Re: Your Outstanding Requests on closed bugs

2015-03-30 Thread Paul Wouters
On Mon, 30 Mar 2015, Michael Cronenworth wrote: On 03/30/2015 08:39 AM, Paul Wouters wrote: There are currently no flags set at all. Check the flags on the attachment itself (your second link). Ohh, there it shows up. How odd. Thanks. Now at least I know how to get rid of it, although I

Re: Your Outstanding Requests on closed bugs

2015-03-30 Thread Paul Wouters
On Mon, 30 Mar 2015, Petr Šabata wrote: Bug 815617: PATCH: properly deal with crypt() returning NULL (1043 days old) https://bugzilla.redhat.com/show_bug.cgi?id=815617 https://bugzilla.redhat.com/attachment.cgi?id=585827&action=edit This bug is already closed. And has no flags set. In

Re: Captive portal detection on wired connections - bug or feature?

2015-03-25 Thread Paul Wouters
On Wed, 25 Mar 2015, Adam Williamson wrote: Lots of people have been seeing it, it may be related to some issues with the Fedora infrastructure this afternoon (the check works by trying to contact a Fedora server). I've seen them regularly in the last few hours but I'm on hotel wifi, so it

Re: Why sysrq is limited to only sync command on official fedora kernel?

2015-02-25 Thread Paul Wouters
On Wed, 25 Feb 2015, Lennart Poettering wrote: Hmm? Syncing is allowed to my knowledge. C-a-d and gdm allow a clean reboot/poweroff. But sysrq does an abnormal reboot/poweroff, which we cannot allow. Similarly, remounting read-only is also security sensitive, which we cannot allow. Without being

Re: Now Publishing fedora developer PGP keys in DNSSEC

2015-02-01 Thread Paul Wouters
On Sun, 1 Feb 2015, Björn Persson wrote: Paul Wouters wrote: paul@bofh:~$ openpgpkey --fetch pwout...@fedoraproject.org openpgpkey: /var/lib/unbound/root.anchor is not a file. Unable to use it as rootanchor Huh? turns out a bug in %post of unbound-libs. I pushed a fix into rawhide. I've

Re: Now Publishing fedora developer PGP keys in DNSSEC

2015-01-29 Thread Paul Wouters
On Thu, 29 Jan 2015, Vít Ondruch wrote: Dne 28.1.2015 v 21:34 Paul Wouters napsal(a): openpgpkey --fetch pwout...@fedoraproject.org $ openpgpkey --fetch pwout...@fedoraproject.org Error: query data is not secured by DNSSEC - use --insecure to override It's time for you to start using

Re: Now Publishing fedora developer PGP keys in DNSSEC

2015-01-29 Thread Paul Wouters
On Thu, 29 Jan 2015, Petr Spacek wrote: Fedora is probably the First to use OPENPGPKEY at a large scale. https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01 Paul, thank you for doing this experiment! I definitely support it. For people who do not watch dane-list closely, please keep

Now Publishing fedora developer PGP keys in DNSSEC

2015-01-28 Thread Paul Wouters
Hi, Fedora is probably the First to use OPENPGPKEY at a large scale. https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-01 Everyone[*] who added a GPG keyid in FAS has their key published now using the OPENPGPKEY specification. You can obtain a key using the openpgpkey command of the

Re: Now Publishing fedora developer PGP keys in DNSSEC

2015-01-28 Thread Paul Wouters
On Wed, 28 Jan 2015, Till Maas wrote: The keyid is part of the fingerprint, so with the fingerprint one can download the key and verify it. Therefore it is the only right thing to do. I'm not saying don't store the fingerprint, but use a separate field for that which is not the keyid field.

Re: F22 System Wide Change: Default Local DNS Resolver

2015-01-25 Thread Paul Wouters
On Tue, 13 Jan 2015, Neal Becker wrote: Just tried it on f21. Did: sudo systemctl enable dnssec-triggerd.service sudo systemctl start dnssec-triggerd.service host slashdot.org: [ works fine ] Now a local machine: host nbecker7 btw use dig, not host. host has been deprecated for many

[perl-Net-DNS/f20] * Tue Jan 20 2015 Paul Wouters pwout...@redhat.com - 0.82-1 - Updated to 0.82 Support for IPv6 lin

2015-01-25 Thread Paul Wouters
Summary of changes: 99b228c... * Tue Jan 20 2015 Paul Wouters pwout...@redhat.com - 0.82 (*) (*) This commit already existed in another branch; no separate mail sent -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel

[perl-Net-DNS/f21] * Tue Jan 20 2015 Paul Wouters pwout...@redhat.com - 0.82-1 - Updated to 0.82 Support for IPv6 lin

2015-01-25 Thread Paul Wouters
Summary of changes: 99b228c... * Tue Jan 20 2015 Paul Wouters pwout...@redhat.com - 0.82 (*) (*) This commit already existed in another branch; no separate mail sent -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel
