Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Friday, 08 March 2013 at 04:15 +, Sérgio Basto wrote:
> About what you wrote: I don't understand the concern about so much security. I use it behind a router, so these ports are closed to the exterior, and inside my LAN I don't see a problem in having a TCP port, nor do I have completely untrusted email.

Usually, clamav interacts with the rest of the world by reading files sent by anybody on the internet using SMTP, so it is processing potentially hostile input, even with all ports closed on the firewall.

For example, if there is a flaw in the exe parser of clamav and I send you a cooked email with an exe that triggers the exploit, with a hardened setup clamav would:
1) have no network access (thus preventing me from using it to spam or attack the LAN);
2) not have the possibility to spawn a shell or anything (thus requiring me to write or find a more complex exploit, and preventing me from spawning a process that would survive a restart of clamav);
3) not be able to use a local exploit against something in /dev, in the unlikely event such an exploit exists at the same time as a clamav issue.

So if someone is running with all protections (fw, selinux) down, they would still cause issues for some exploits. That's not a magic solution, but better than nothing. That's defence in depth.

Some people may not have a firewall set up or selinux set up, or some people may be attacked from inside the LAN and have disabled selinux on the whole server because that was written on the web. So while a firewall and selinux prevent some types of attack (and are useful to have, of course), it can be good to have other types of protection just in case.

-- 
Michael Scherer

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Sat, 2013-03-02 at 10:26 +0100, Michael Scherer wrote:
> On Friday, 01 March 2013 at 00:24 +, Sérgio Basto wrote:
>> Hi, I also use clamav as a daemon and I use the Fedora package; recently I upgraded the box that uses clamav to Fedora 17. I had to do a new clamd.service based on what exists, so here it is, /usr/lib/systemd/system/clamd.service:
>>
>>   [Unit]
>>   Description = clamav server (clamd) daemon
>>   After = syslog.target nss-lookup.target network.target
>>   Before= spamassassin.service
>>
>>   [Service]
>>   Type = simple
>>   ExecStart = /usr/sbin/clamd -c /etc/clamd.conf --nofork=yes
>>   Restart = on-failure
>>   PrivateTmp = true
>>
>>   [Install]
>>   WantedBy=multi-user.target
>
> Given that clamav is a security-sensitive package (i.e. we feed it with all kinds of crap coming from the network), wouldn't it be interesting to investigate using:
>
> - PrivateNetwork=yes
>   AFAIK, clamav uses a socket to communicate, so this could help to mitigate an exploit that downloads from the network, or just an attacker using an exploit to attack an inside resource.
>
> - LimitNPROC=1
>   Not sure if clamav is multiprocess when run as a daemon; this should be checked too. This would permit mitigating some exploits, i.e. not being able to fork/exec would block "let's spawn a shell bound to port XXX".
>
> - DeviceAllow= and just allow /dev/null or /dev/zero, I guess.
>   The reasoning is on the systemd page http://0pointer.de/blog/projects/security.html ; in short, if someone uses code injection to attack a device for local privilege escalation from clamav, this would mitigate some exploits.
>
> - CapabilityBoundingSet=~CAP_SYS_PTRACE, and maybe more stringent restrictions; again, this requires some tests.
>   This one is harder to set up since we need lots of runtime tests, and since clamav is not running as root, I am not sure this brings much when compared to the work it may require.
>
> While some of these are surely already blocked by selinux, some people unfortunately tend to disable it, so we should think about defence in depth.
>
> And if that works fine, we can start to apply this idea to other daemons as well.

Hi, some ideas. If you do a re-review of the package I can help you with the review; please CC me directly.

I have a server with qmail and Fedora 17 based on qmailrocks, and now just http://qmail.jms1.net/patches/combined-details.shtml . The Clamav package works with it without patches :)

I'm thinking of documenting my email server solution but haven't had much time; also, now that qmail is public domain, it uses and integrates a few packages from Fedora.

About what you wrote: I don't understand the concern about so much security. I use it behind a router, so these ports are closed to the exterior, and inside my LAN I don't see a problem in having a TCP port, nor do I have completely untrusted email.

Best regards,
-- 
Sérgio M. B.
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Friday, 01 March 2013 at 00:24 +, Sérgio Basto wrote:
> Hi, I also use clamav as a daemon and I use the Fedora package; recently I upgraded the box that uses clamav to Fedora 17. I had to do a new clamd.service based on what exists, so here it is, /usr/lib/systemd/system/clamd.service:
>
>   [Unit]
>   Description = clamav server (clamd) daemon
>   After = syslog.target nss-lookup.target network.target
>   Before= spamassassin.service
>
>   [Service]
>   Type = simple
>   ExecStart = /usr/sbin/clamd -c /etc/clamd.conf --nofork=yes
>   Restart = on-failure
>   PrivateTmp = true
>
>   [Install]
>   WantedBy=multi-user.target

Given that clamav is a security-sensitive package (i.e. we feed it with all kinds of crap coming from the network), wouldn't it be interesting to investigate using:

- PrivateNetwork=yes
  AFAIK, clamav uses a socket to communicate, so this could help to mitigate an exploit that downloads from the network, or just an attacker using an exploit to attack an inside resource.

- LimitNPROC=1
  Not sure if clamav is multiprocess when run as a daemon; this should be checked too. This would permit mitigating some exploits, i.e. not being able to fork/exec would block "let's spawn a shell bound to port XXX".

- DeviceAllow= and just allow /dev/null or /dev/zero, I guess.
  The reasoning is on the systemd page http://0pointer.de/blog/projects/security.html ; in short, if someone uses code injection to attack a device for local privilege escalation from clamav, this would mitigate some exploits.

- CapabilityBoundingSet=~CAP_SYS_PTRACE, and maybe more stringent restrictions; again, this requires some tests.
  This one is harder to set up since we need lots of runtime tests, and since clamav is not running as root, I am not sure this brings much when compared to the work it may require.

While some of these are surely already blocked by selinux, some people unfortunately tend to disable it, so we should think about defence in depth.

And if that works fine, we can start to apply this idea to other daemons as well.

-- 
Michael Scherer
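The clamd.service from the thread with the directives Michael lists applied, serving both his list above and his defence-in-depth reply (the first message on this page); this is an added example, not a unit from the thread or from the Fedora package. It assumes clamd.conf uses LocalSocket rather than TCPSocket and that clamd drops to its configured unprivileged user by itself; the concrete LimitNPROC and DeviceAllow values are assumptions to be tested, not values from the thread.

```ini
# /etc/systemd/system/clamd.service  (added example, not the package's unit)
# Assumptions: clamd.conf uses LocalSocket, not TCPSocket, so the daemon never
# needs the network; clamd drops to its configured unprivileged user itself,
# so the bounding set is trimmed rather than emptied.
[Unit]
Description=clamav server (clamd) daemon
After=syslog.target nss-lookup.target network.target
Before=spamassassin.service

[Service]
Type=simple
ExecStart=/usr/sbin/clamd -c /etc/clamd.conf --nofork=yes
Restart=on-failure

# Private /tmp and /var/tmp: whatever clamd writes there is invisible to
# other services, and nothing another service left there is reachable.
PrivateTmp=true

# Loopback-only network namespace. A Unix socket on the filesystem (the
# LocalSocket clamd listens on) keeps working; a TCPSocket would not, and any
# outbound connection attempted from a compromised clamd fails.
PrivateNetwork=yes

# RLIMIT_NPROC is counted per user and includes threads, and it also counts
# any other process running as the same user, so "1" only fits a
# single-threaded daemon. clamd is multithreaded (MaxThreads in clamd.conf):
# size this to MaxThreads plus headroom (32 is an assumed value) and test; an
# injected fork()/exec() of a shell should still hit the limit.
LimitNPROC=32

# Listing any device makes the service's device cgroup deny-by-default, so
# only the nodes below stay reachable and a local kernel bug behind another
# /dev node is out of reach. The list is an assumption: add only what the
# journal shows clamd actually opening.
DeviceAllow=/dev/null rw
DeviceAllow=/dev/zero r
DeviceAllow=/dev/urandom r

# Remove ptrace from the bounding set for the window before clamd drops
# privileges; tighten further only after runtime tests.
CapabilityBoundingSet=~CAP_SYS_PTRACE

[Install]
WantedBy=multi-user.target
```

Add the directives one at a time, running systemctl daemon-reload, restarting the unit and scanning a sample file through clamdscan after each, so the journal shows which directive clamd objects to.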
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Wed, 27 Feb 2013 14:05:11 -0800, Toshio Kuratomi a.bad...@gmail.com wrote:
> Greetings,
>
> At today's FESCo meeting there were two tickets which had the end result of needing to have new maintainers and comaintainers for some packages:
> ...
> * ivtv-firmware -- Firmware for the Hauppauge PVR 250/350/150/500/USB2 model series

The needed firmware files for those cards were merged a long time ago into the linux-firmware git tree. It seems, however, that those patches got excluded there:

  $ rpm -q linux-firmware -l|grep v4l
  /lib/firmware/v4l-cx231xx-avcore-01.fw
  /lib/firmware/v4l-cx23885-avcore-01.fw
  /lib/firmware/v4l-cx23885-enc.fw

IMO, the best thing to do here is to just drop this package and make sure that the needed firmware files are provided by linux-firmware:

  -rw-rw-r-- 1 v4l v4l  16382 Ago 10 2012 v4l-cx231xx-avcore-01.fw
  -rw-rw-r-- 1 v4l v4l 141200 Ago 10 2012 v4l-cx23418-apu.fw
  -rw-rw-r-- 1 v4l v4l 158332 Ago 10 2012 v4l-cx23418-cpu.fw
  -rw-rw-r-- 1 v4l v4l  16382 Ago 10 2012 v4l-cx23418-dig.fw
  -rw-rw-r-- 1 v4l v4l  16382 Ago 10 2012 v4l-cx23885-avcore-01.fw
  -rw-rw-r-- 1 v4l v4l  16382 Ago 10 2012 v4l-cx25840.fw

By the way, it should be noted that cx231xx/cx23885 devices require a firmware there (v4l-cx23885-enc.fw). This firmware is wrong in the linux-firmware tree, and got removed by a recent changeset (c11f374, in the linux-firmware git tree). We're working with Conexant in order to replace it soon with a new firmware for it.

> * ivtv-utils -- Tools for the iTVC15/16 and CX23415/16 driver

AFAICT, this is legacy stuff. Everything needed in userspace for ivtv is now provided by the v4l-utils package.

-- 
Cheers,
Mauro
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Wed, 27 Feb 2013 14:05:11 -0800, Toshio Kuratomi a.bad...@gmail.com wrote:
> Greetings,
>
> At today's FESCo meeting there were two tickets which had the end result of needing to have new maintainers and comaintainers for some packages:
>
> == https://fedorahosted.org/fesco/ticket/1028 ==
> tor package was reassigned to a new maintainer. Former maintainer dropped ownership of his other packages. Those are now orphaned and in need of a new owner.
>
> Note to potential new maintainers: although not mandatory, you may want to open an optional re-review request as the spec files for some of these may be very out of sync with the current Fedora Packaging Guidelines
>
> * clamav
> * dhcp-forwarder
> * fedora-usermgmt (epel branches still owned by ensc)
> * gif2png
> * hunt
> * ip-sentinel
> * kismet
> * libextractor
> * libtasn1
> * milter-greylist

I've taken milter-greylist.

Paul.
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
Hi all!

I'll be happy to help with vtk and vtkdata, if at any time needed.

Best,
Mario

On 28 February 2013 12:49, Paul Howarth p...@city-fan.org wrote:
> On Wed, 27 Feb 2013 14:05:11 -0800, Toshio Kuratomi a.bad...@gmail.com wrote:
>> Greetings,
>>
>> At today's FESCo meeting there were two tickets which had the end result of needing to have new maintainers and comaintainers for some packages:
>>
>> == https://fedorahosted.org/fesco/ticket/1028 ==
>> tor package was reassigned to a new maintainer. Former maintainer dropped ownership of his other packages. Those are now orphaned and in need of a new owner.
>>
>> Note to potential new maintainers: although not mandatory, you may want to open an optional re-review request as the spec files for some of these may be very out of sync with the current Fedora Packaging Guidelines
>>
>> * clamav
>> * dhcp-forwarder
>> * fedora-usermgmt (epel branches still owned by ensc)
>> * gif2png
>> * hunt
>> * ip-sentinel
>> * kismet
>> * libextractor
>> * libtasn1
>> * milter-greylist
>
> I've taken milter-greylist.
>
> Paul.
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
> At today's FESCo meeting there were two tickets which had the end result of needing to have new maintainers and comaintainers for some packages:
>
> == https://fedorahosted.org/fesco/ticket/1028 ==
> tor package was reassigned to a new maintainer. Former maintainer dropped ownership of his other packages. Those are now orphaned and in need of a new owner.
>
> Note to potential new maintainers: although not mandatory, you may want to open an optional re-review request as the spec files for some of these may be very out of sync with the current Fedora Packaging Guidelines
>
> * clamav

I've added myself as comaintainer to clamav and I'm willing to take ownership if it is orphaned. Sure, I will do a new review request because I want to reorganize the package like it is for EPEL. Fedora's version is totally user-unfriendly, i.e. you need to copy configuration files by hand and there is no default daemon configuration. I used the EPEL version for a long time myself, because you only need to install it and enable the daemon, that's all.

Wolfgang
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Wed, Feb 27, 2013 at 4:05 PM, Toshio Kuratomi a.bad...@gmail.com wrote:
> Greetings,
>
> * fedora-usermgmt (epel branches still owned by ensc)
> * hunt
> * ip-sentinel
> * kismet
> * libextractor

Taken.

-J

-- 
http://cecinestpasunefromage.wordpress.com/

in your fear, seek only peace
in your fear, seek only love

-d. bowie
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Wed, Feb 27, 2013 at 02:05:11PM -0800, Toshio Kuratomi wrote:
> Greetings,
>
> At today's FESCo meeting there were two tickets which had the end result of needing to have new maintainers and comaintainers for some packages:
>
> == https://fedorahosted.org/fesco/ticket/1028 ==
> tor package was reassigned to a new maintainer. Former maintainer dropped ownership of his other packages. Those are now orphaned and in need of a new owner.
>
> Note to potential new maintainers: although not mandatory, you may want to open an optional re-review request as the spec files for some of these may be very out of sync with the current Fedora Packaging Guidelines
>
> * x11-ssh-askpass

I'll take this as I use it every day.

-- 
David Cantrell dcantr...@redhat.com
Manager, Installer Engineering Team
Red Hat, Inc. | Westford, MA | EST5EDT
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Thu, Feb 28, 2013 at 8:06 AM, Jon Ciesla limburg...@gmail.com wrote:
> On Wed, Feb 27, 2013 at 4:05 PM, Toshio Kuratomi a.bad...@gmail.com wrote:
>> Greetings,
>>
>> * fedora-usermgmt (epel branches still owned by ensc)
>> * hunt
>> * ip-sentinel
>> * kismet
>> * libextractor
>
> Taken.

Also took dietlibc f18 and f17, and will take devel if orphaned. I assume that was the intent but I don't want to appear heavy-handed. . .

-J

-- 
http://cecinestpasunefromage.wordpress.com/

in your fear, seek only peace
in your fear, seek only love

-d. bowie
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Thu, 2013-02-28 at 14:58 +0100, Rave it wrote:
>> At today's FESCo meeting there were two tickets which had the end result of needing to have new maintainers and comaintainers for some packages:
>>
>> == https://fedorahosted.org/fesco/ticket/1028 ==
>> tor package was reassigned to a new maintainer. Former maintainer dropped ownership of his other packages. Those are now orphaned and in need of a new owner.
>>
>> Note to potential new maintainers: although not mandatory, you may want to open an optional re-review request as the spec files for some of these may be very out of sync with the current Fedora Packaging Guidelines
>>
>> * clamav
>
> I've added myself as comaintainer to clamav and I'm willing to take ownership if it is orphaned. Sure, I will do a new review request because I want to reorganize the package like it is for EPEL. Fedora's version is totally user-unfriendly, i.e. you need to copy configuration files by hand and there is no default daemon configuration. I used the EPEL version for a long time myself, because you only need to install it and enable the daemon, that's all.

Hi, I also use clamav as a daemon and I use the Fedora package; recently I upgraded the box that uses clamav to Fedora 17. I had to do a new clamd.service based on what exists, so here it is, /usr/lib/systemd/system/clamd.service:

  [Unit]
  Description = clamav server (clamd) daemon
  After = syslog.target nss-lookup.target network.target
  Before= spamassassin.service

  [Service]
  Type = simple
  ExecStart = /usr/sbin/clamd -c /etc/clamd.conf --nofork=yes
  Restart = on-failure
  PrivateTmp = true

  [Install]
  WantedBy=multi-user.target

Cheers,
-- 
Sérgio M. B.
Maintainers wanted for packages from 2013-02-27 FESCo Meeting
Greetings,

At today's FESCo meeting there were two tickets which had the end result of needing to have new maintainers and comaintainers for some packages:

== https://fedorahosted.org/fesco/ticket/1028 ==
tor package was reassigned to a new maintainer. Former maintainer dropped ownership of his other packages. Those are now orphaned and in need of a new owner.

Note to potential new maintainers: although not mandatory, you may want to open an optional re-review request as the spec files for some of these may be very out of sync with the current Fedora Packaging Guidelines

* clamav
* dhcp-forwarder
* fedora-usermgmt (epel branches still owned by ensc)
* gif2png
* hunt
* ip-sentinel
* kismet
* libextractor
* libtasn1
* milter-greylist
* mimetic
* util-vserver
* x11-ssh-askpass
* xmlrpc-c
* dietlibc (devel is still owned by ensc but maybe that was an oversight)

== https://fedorahosted.org/fesco/ticket/1091 ==
Non Responsive Maintainer ticket for mediawiki. The mediawiki package was assigned a new maintainer due to nonresponse. The former owner owns other packages as well. FESCo asks that comaintainers be solicited for these packages.

If the package maintainer is nonresponsive for more packages, consider performing the Mass Orphaning clause of the Nonresponsive Maintainers Policy: http://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers#Notes_for_Mass_Orphaning

* apt -- Debian's Advanced Packaging Tool with RPM support
* arpack -- Fortran77 subroutines for solving large scale eigenvalue problems
* chrpath -- Modify rpath of compiled programs
* fail2ban -- Ban IPs that make too many password failures
* fakechroot -- Gives a fake chroot environment
* fakeroot -- Gives a fake root environment
* fedora-package-config-apt -- Fedora configuration files for the apt-rpm package manager
* fedora-package-config-smart -- Fedora configuration files for the Smart package manager
* freenx-client -- Free client libraries and binaries for the NX protocol
* freenx-server -- Free Software (GPL) Implementation of the NX Server
* greylistd -- Greylisting daemon
* ivtv-firmware -- Firmware for the Hauppauge PVR 250/350/150/500/USB2 model series
* ivtv-utils -- Tools for the iTVC15/16 and CX23415/16 driver
* libcdaudio -- Control operation of a CD-ROM when playing audio CDs
* maildrop -- Mail delivery agent with filtering abilities
* mediawiki-openid -- The OpenID extension for MediaWiki
* nx -- Proxy system for X11
* perl-Text-CharWidth -- Get number of occupied columns of a string on terminal
* perl-Text-WrapI18N -- Line wrapping with support for several locale setups
* php-pear-Auth-OpenID -- PHP OpenID
* po4a -- A tool maintaining translations anywhere
* smart -- Next generation package handling tool
* synaptic -- Graphical frontend for APT package manager.
* vtk -- The Visualization Toolkit - A high level 3D visualization library
* vtkdata -- Example data file for VTK

Please let FESCo know via a ticket if you need any help becoming a comaintainer because the owner is nonresponsive.

Thanks,
Toshio
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Wed, Feb 27, 2013 at 02:05:11PM -0800, Toshio Kuratomi wrote:
> * maildrop -- Mail delivery agent with filtering abilities

Added myself to maildrop

-- 
Brian C. Lane | Anaconda Team | IRC: bcl #anaconda | Port Orchard, WA (PST8PDT)
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Wed, Feb 27, 2013 at 17:03:29 -0800, Brian C. Lane b...@redhat.com wrote:
> On Wed, Feb 27, 2013 at 02:05:11PM -0800, Toshio Kuratomi wrote:
>> * maildrop -- Mail delivery agent with filtering abilities
>
> Added myself to maildrop

I'd like to co-maintain maildrop since I use it to filter my email.
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Wed, 27 Feb 2013, Toshio Kuratomi wrote:
> * clamav
> * dhcp-forwarder

I've added myself as (co)maintainer to these two.

Paul
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On 02/27/2013 11:05 PM, Toshio Kuratomi wrote:
> Greetings,
>
> At today's FESCo meeting there were two tickets which had the end result of needing to have new maintainers and comaintainers for some packages:
>
> == https://fedorahosted.org/fesco/ticket/1091 ==
> Non Responsive Maintainer ticket for mediawiki. The mediawiki package was assigned a new maintainer due to nonresponse. The former owner owns other packages as well. FESCo asks that comaintainers be solicited for these packages.
>
> If the package maintainer is nonresponsive for more packages, consider performing the Mass Orphaning clause of the Nonresponsive Maintainers Policy: http://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers#Notes_for_Mass_Orphaning
>
> * fakechroot -- Gives a fake chroot environment
> * fakeroot -- Gives a fake root environment

I tried to add myself to these two, but I was facing packagedb errors when trying to do so and am not sure if everything was processed correctly.
- Some packagedb admin please cross-check the status.

> * po4a -- A tool maintaining translations anywhere

This package has already been co-maintained by me for quite a while.

Ralf
Re: Maintainers wanted for packages from 2013-02-27 FESCo Meeting
On Wed, 2013-02-27 at 14:05 -0800, Toshio Kuratomi wrote:
> Greetings,
>
> At today's FESCo meeting there were two tickets which had the end result of needing to have new maintainers and comaintainers for some packages:
>
> * libtasn1

Taken.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb