On Sat, 2014-05-03 at 10:14 +0300, Panu Matilainen wrote:
Well then you've misread, and now people trying to search for
information on rpm collections will be even more confused...
Like said elsewhere in this thread, collections are experimental, not
enabled in Fedora and will never be in
On 04/30/2014 05:28 PM, Adam Jackson wrote:
On Wed, 2014-04-30 at 16:05 +0200, Kalev Lember wrote:
I suspect just dropping the deps would break initial installations, e.g.
anaconda / livecd-creator. RPM uses the deps to order the transaction so
that systemd gets installed first, and the
On Wed, 30.04.14 09:44, Daniel J Walsh (dwa...@redhat.com) wrote:
On 04/29/2014 05:47 PM, Marcelo Ricardo Leitner wrote:
On 29-04-2014 18:27, Martin Langhoff wrote:
On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald h.rei...@thelounge.net wrote:
On Wed, 30.04.14 10:42, Daniel J Walsh (dwa...@redhat.com) wrote:
On 04/30/2014 10:28 AM, Adam Jackson wrote:
On Wed, 2014-04-30 at 16:05 +0200, Kalev Lember wrote:
I suspect just dropping the deps would break initial installations, e.g.
anaconda / livecd-creator. RPM uses the deps to
On Wed, 30.04.14 19:56, Marcelo Ricardo Leitner (marcelo.leit...@gmail.com)
wrote:
This makes no sense. I mean, why would anyone bother with playing with
systemd's binaries which (with the exception of s-d-v, see above) do not
increase your set of capabilities when executed, if you have
On Fri, May 02, 2014 at 12:41:51PM +0200, Lennart Poettering wrote:
Created a ticket.
https://fedorahosted.org/fpc/ticket/425
Next I will create a change request if the ticket is approved.
Note that just dropping systemd from your images might not be the best
choice, as you then have no
On Fri, May 02, 2014 at 03:50:36PM +0200, Vít Ondruch wrote:
Note that just dropping systemd from your images might not be the best
choice, as you then have no owners for a lot of drop-in dirs, which may
be bad for verifying the software installed in the container images...
Yeah, I was just
2014-05-02 12:47 GMT+02:00 Lennart Poettering mzerq...@0pointer.de:
On Wed, 30.04.14 19:56, Marcelo Ricardo Leitner (marcelo.leit...@gmail.com)
wrote:
This makes no sense. I mean, why would anyone bother with playing with
systemd's binaries which (with the exception of s-d-v, see above) do
On 2.5.2014 16:29, Matthew Miller wrote:
On Fri, May 02, 2014 at 03:50:36PM +0200, Vít Ondruch wrote:
Note that just dropping systemd from your images might not be the best
choice, as you then have no owners for a lot of drop-in dirs, which may
be bad for verifying the software installed
On 05/02/2014 06:32 AM, Lennart Poettering wrote:
On Wed, 30.04.14 09:44, Daniel J Walsh (dwa...@redhat.com) wrote:
On 04/29/2014 05:47 PM, Marcelo Ricardo Leitner wrote:
On 29-04-2014 18:27, Martin Langhoff wrote:
On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald h.rei...@thelounge.net
On Tue, 29.04.14 15:36, Marcelo Ricardo Leitner (marcelo.leit...@gmail.com)
wrote:
On 29-04-2014 12:27, Lennart Poettering wrote:
On Tue, 29.04.14 10:37, Daniel J Walsh (dwa...@redhat.com) wrote:
On 04/29/2014 06:33 AM, Lennart Poettering wrote:
On Mon, 28.04.14 17:01, Daniel J Walsh
On 04/29/2014 05:47 PM, Marcelo Ricardo Leitner wrote:
On 29-04-2014 18:27, Martin Langhoff wrote:
On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald h.rei...@thelounge.net wrote:
defense in depth means limit the attack surface as much as you can
As folks
On 04/30/2014 01:44 PM, Daniel J Walsh wrote:
I agree, where do I open a bugzilla to make this happen? rpm? Distro?
Systemd?
Don't you need to first file a change with FPC to the packaging guideline
then file bug against every component that has that Require, then
provide patches that
On 04/29/2014 12:31 PM, Lennart Poettering wrote:
On Mon, 28.04.14 15:11, Toshio Kuratomi (a.bad...@gmail.com) wrote:
On Apr 28, 2014 5:01 PM, Daniel J Walsh dwa...@redhat.com wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to
On 04/30/2014 10:05 AM, Kalev Lember wrote:
On 04/29/2014 12:31 PM, Lennart Poettering wrote:
On Mon, 28.04.14 15:11, Toshio Kuratomi (a.bad...@gmail.com) wrote:
On Apr 28, 2014 5:01 PM, Daniel J Walsh dwa...@redhat.com wrote:
The problem is lots of services require systemd because they
On Wed, Apr 30, 2014 at 16:05:37 +0200,
Kalev Lember kalevlem...@gmail.com wrote:
I suspect just dropping the deps would break initial installations, e.g.
anaconda / livecd-creator. RPM uses the deps to order the transaction so
that systemd gets installed first, and the packages that ship
On Wed, 2014-04-30 at 16:05 +0200, Kalev Lember wrote:
I suspect just dropping the deps would break initial installations, e.g.
anaconda / livecd-creator. RPM uses the deps to order the transaction so
that systemd gets installed first, and the packages that ship service
files get installed
On 04/30/2014 10:28 AM, Adam Jackson wrote:
On Wed, 2014-04-30 at 16:05 +0200, Kalev Lember wrote:
I suspect just dropping the deps would break initial installations, e.g.
anaconda / livecd-creator. RPM uses the deps to order the transaction so
that systemd gets installed first, and the
On 04/30/2014 04:28 PM, Adam Jackson wrote:
If you are right, this is an argument for rpm collections, which we've
had for ages now and should really start using.
YES!
Getting rid of the copy-pasted rpm scriptlets would be a huge win. They
are error prone and require huge effort to get them
On 04/30/2014 04:24 PM, Daniel J Walsh wrote:
On 04/30/2014 10:05 AM, Kalev Lember wrote:
For example, when a package bar has a postinstall script that does:
systemctl enable bar.service >/dev/null 2>&1 || :
.. but if systemctl gets installed _after_ foo in the same transaction,
then the
On 04/30/2014 02:52 PM, Kalev Lember wrote:
On 04/30/2014 04:28 PM, Adam Jackson wrote:
If you are right, this is an argument for rpm collections, which we've
had for ages now and should really start using.
YES!
Getting rid of the copy-pasted rpm scriptlets would be a huge win. They
are
On 30 April 2014 15:52, Kalev Lember kalevlem...@gmail.com wrote:
Getting rid of the copy-pasted rpm scriptlets would be a huge win.
Totally agree. We should make this happen. SUSE has been doing it for years.
Richard
--
devel mailing list
devel@lists.fedoraproject.org
On Wed, Apr 30, 2014 at 10:28:56AM -0400, Adam Jackson wrote:
On Wed, 2014-04-30 at 16:05 +0200, Kalev Lember wrote:
I suspect just dropping the deps would break initial installations, e.g.
anaconda / livecd-creator. RPM uses the deps to order the transaction so
that systemd gets
On Wed, 2014-04-30 at 12:34 -0400, Chuck Anderson wrote:
On Wed, Apr 30, 2014 at 10:28:56AM -0400, Adam Jackson wrote:
On Wed, 2014-04-30 at 16:05 +0200, Kalev Lember wrote:
For example, when a package bar has a postinstall script that does:
systemctl enable bar.service >/dev/null
On Wed, Apr 30, 2014 at 1:14 PM, Adam Jackson a...@redhat.com wrote:
It is hard to find anything useful by searching for rpm
collections.
Yeah, they're not well documented yet. Luckily I was able to track
down
a copy of the rpm source so I could read how it works.
In an industry
On 30-04-2014 07:57, Lennart Poettering wrote:
On Tue, 29.04.14 15:36, Marcelo Ricardo Leitner (marcelo.leit...@gmail.com)
wrote:
On 29-04-2014 12:27, Lennart Poettering wrote:
On Tue, 29.04.14 10:37, Daniel J Walsh (dwa...@redhat.com) wrote:
On 04/29/2014 06:33 AM, Lennart
On Wed, Apr 30, 2014 at 3:56 PM, Marcelo Ricardo Leitner
marcelo.leit...@gmail.com wrote:
If that's what you think, okay. I do agree with you that suids all are the
worse thing. After all, it's like winning the lottery for hackers and that's
probably where they focus most. But still fear
On Mon, 28.04.14 15:11, Toshio Kuratomi (a.bad...@gmail.com) wrote:
On Apr 28, 2014 5:01 PM, Daniel J Walsh dwa...@redhat.com wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen.
Would removing the requires on systemd
On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen. Systemd then triggers a
require for udev and kmod, which docker containers do not need.
If you discount the
On 04/29/2014 06:31 AM, Lennart Poettering wrote:
On Mon, 28.04.14 15:11, Toshio Kuratomi (a.bad...@gmail.com) wrote:
On Apr 28, 2014 5:01 PM, Daniel J Walsh dwa...@redhat.com wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to
On 04/28/2014 06:44 PM, Adam Jackson wrote:
On Mon, 2014-04-28 at 17:01 -0400, Daniel J Walsh wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen. Systemd then triggers a
require for udev and kmod, which docker containers
On 04/29/2014 06:33 AM, Lennart Poettering wrote:
On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen. Systemd then triggers a
require for udev and kmod, which
On Tue, Apr 29, 2014 at 10:58 AM, Alexander Larsson al...@redhat.com wrote:
On Tue, 2014-04-29 at 12:33 +0200, Lennart Poettering wrote:
On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote:
The problem is lots of services require systemd because they ship a
unit file and want
On Tue, 2014-04-29 at 11:21 -0400, Josh Boyer wrote:
On Tue, Apr 29, 2014 at 10:58 AM, Alexander Larsson al...@redhat.com wrote:
On Tue, 2014-04-29 at 12:33 +0200, Lennart Poettering wrote:
On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote:
The problem is lots of services
On Tue, 29.04.14 10:37, Daniel J Walsh (dwa...@redhat.com) wrote:
On 04/29/2014 06:33 AM, Lennart Poettering wrote:
On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload
On Tue, 29.04.14 16:58, Alexander Larsson (al...@redhat.com) wrote:
On Tue, 2014-04-29 at 12:33 +0200, Lennart Poettering wrote:
On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote:
The problem is lots of services require systemd because they ship a
unit file and want
2014-04-29 17:40 GMT+02:00 Lennart Poettering mzerq...@0pointer.de:
On Tue, 29.04.14 16:58, Alexander Larsson (al...@redhat.com) wrote:
It's around 15 megs or so, although on rhel7 it's 20 megs larger because
of a dependency that kmod has on /usr/bin/nm (binutils) that doesn't
seem to be
On Tue, Apr 29, 2014 at 11:47 AM, Miloslav Trmač m...@volny.cz wrote:
2014-04-29 17:40 GMT+02:00 Lennart Poettering mzerq...@0pointer.de:
On Tue, 29.04.14 16:58, Alexander Larsson (al...@redhat.com) wrote:
It's around 15 megs or so, although on rhel7 it's 20 megs larger because
of a
On Tue, 2014-04-29 at 17:40 +0200, Lennart Poettering wrote:
On Tue, 29.04.14 16:58, Alexander Larsson (al...@redhat.com) wrote:
On Tue, 2014-04-29 at 12:33 +0200, Lennart Poettering wrote:
On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote:
The problem is lots of
On Tue, 29.04.14 18:03, Alexander Larsson (al...@redhat.com) wrote:
On Tue, 2014-04-29 at 17:40 +0200, Lennart Poettering wrote:
On Tue, 29.04.14 16:58, Alexander Larsson (al...@redhat.com) wrote:
On Tue, 2014-04-29 at 12:33 +0200, Lennart Poettering wrote:
On Mon, 28.04.14 17:01,
On Tue, 2014-04-29 at 18:14 +0200, Lennart Poettering wrote:
On Tue, 29.04.14 18:03, Alexander Larsson (al...@redhat.com) wrote:
systemd = cryptsetup-libs = device-mapper-libs = device-mapper
Don't have time to look up the details atm, but iptable was reached via
initscripts somehow.
On 29-04-2014 12:27, Lennart Poettering wrote:
On Tue, 29.04.14 10:37, Daniel J Walsh (dwa...@redhat.com) wrote:
On 04/29/2014 06:33 AM, Lennart Poettering wrote:
On Mon, 28.04.14 17:01, Daniel J Walsh (dwa...@redhat.com) wrote:
The problem is lots of services require systemd because
Once upon a time, Marcelo Ricardo Leitner marcelo.leit...@gmail.com said:
You're considering only the escalation way to do it, but there are
other ways to exploit code laying around, like when some web pages
don't sanitize the URL enough and end up allowing executing
something in the system,
On 29.04.2014 20:51, Chris Adams wrote:
Once upon a time, Marcelo Ricardo Leitner marcelo.leit...@gmail.com said:
You're considering only the escalation way to do it, but there are
other ways to exploit code laying around, like when some web pages
don't sanitize the URL enough and end up
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
wrong question - is /bin/sh used?
if the answer is yes then the answer to your question is no
the point is remove anything *unneeded* from production systems
that are best practices for many years and for good reasons
No, the point
On 04/29/2014 03:17 PM, Chris Adams wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
wrong question - is /bin/sh used?
if the answer is yes then the answer to your question is no
the point is remove anything *unneeded* from production systems
that are best practices for
On 29.04.2014 21:17, Chris Adams wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
wrong question - is /bin/sh used?
if the answer is yes then the answer to your question is no
the point is remove anything *unneeded* from production systems
that are best practices for
On Tue, Apr 29, 2014 at 12:33 PM, Reindl Harald h.rei...@thelounge.net wrote:
simple example:
* binary XYZ is vulnerable for privilege escalation
This makes no sense...
* we talk about a *local* exploit until now
...I don't even know what you're trying to say here...
* a bad configured
On 29.04.2014 21:36, Andrew Lutomirski wrote:
On Tue, Apr 29, 2014 at 12:33 PM, Reindl Harald h.rei...@thelounge.net
wrote:
simple example:
* binary XYZ is vulnerable for privilege escalation
This makes no sense...
for you
* we talk about a *local* exploit until now
...I don't
On Tue, Apr 29, 2014 at 03:31:45PM -0400, Daniel J Walsh wrote:
On 04/29/2014 03:17 PM, Chris Adams wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
wrong question - is /bin/sh used?
if the answer is yes then the answer to your question is no
the point is remove
On 29.04.2014 21:31, Daniel J Walsh wrote:
On 04/29/2014 03:17 PM, Chris Adams wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
wrong question - is /bin/sh used?
if the answer is yes then the answer to your question is no
the point is remove anything *unneeded* from
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
simple example:
* binary XYZ is vulnerable for privilege escalation
A local, non-privileged binary cannot be vulnerable for privilege
escalation. If I can run a non-privileged binary to escalate, then
there is a problem with some
On Tue, Apr 29, 2014 at 12:48 PM, Reindl Harald h.rei...@thelounge.net wrote:
On 29.04.2014 21:36, Andrew Lutomirski wrote:
On Tue, Apr 29, 2014 at 12:33 PM, Reindl Harald h.rei...@thelounge.net
wrote:
simple example:
* binary XYZ is vulnerable for privilege escalation
This makes no
On 29.04.2014 21:59, Chris Adams wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
simple example:
* binary XYZ is vulnerable for privilege escalation
A local, non-privileged binary cannot be vulnerable for privilege
escalation. If I can run a non-privileged binary to
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
don't get me wrong but you are talking bullshit
Put up or shut up.
you can't download whatever you like to do in any random situation
and execute it like in a shell - if you have only *one command* through
a web application you
On 29.04.2014 22:22, Chris Adams wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
don't get me wrong but you are talking bullshit
Put up or shut up
i shut when i say - not when you say
https://www.google.com/search?q=local+root+exploit+CVE
google as example for
On Tue, Apr 29, 2014 at 4:16 PM, Reindl Harald h.rei...@thelounge.net wrote:
don't get me wrong but you are talking bullshit
Reindl, your SNR is way way high. Maybe try sending /less/ emails,
concentrating in being clear and helpful?
Don't worry, there is _always_ someone who's wrong on the
On 29-04-2014 17:04, Andrew Lutomirski wrote:
On Tue, Apr 29, 2014 at 12:48 PM, Reindl Harald h.rei...@thelounge.net wrote:
On 29.04.2014 21:36, Andrew Lutomirski wrote:
On Tue, Apr 29, 2014 at 12:33 PM, Reindl Harald h.rei...@thelounge.net wrote:
simple example:
* binary XYZ is
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
google as example for CVE-2014-0038 and as i already explained
you: an attacker has no shell, you have two ways to force an existing
local exploit by a web-application:
A: try to get a complete script on the machine and execute it
On 29.04.2014 23:00, Chris Adams wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
google as example for CVE-2014-0038 and as i already explained
you: an attacker has no shell, you have two ways to force an existing
local exploit by a web-application:
A: try to get a
On Tue, Apr 29, 2014 at 1:57 PM, Marcelo Ricardo Leitner
marcelo.leit...@gmail.com wrote:
On 29-04-2014 17:04, Andrew Lutomirski wrote:
On Tue, Apr 29, 2014 at 12:48 PM, Reindl Harald h.rei...@thelounge.net
wrote:
On 29.04.2014 21:36, Andrew Lutomirski wrote:
On Tue, Apr 29, 2014 at
On 29.04.2014 23:09, Andrew Lutomirski wrote:
If you want to go down that path, set up selinux to prevent execing
things that oughtn't to be execed. But trying to prevent exploits
from working by removing every possible helper from the path is a
losing proposition and is just not worth
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
defense in depth means limit the attack surface as much as you can
No, because as much as you can is turn the system off and bury it in
concrete (with an armed guard).
The goal is as much as practical. Trying to remove things that
On 29.04.2014 23:20, Chris Adams wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
defense in depth means limit the attack surface as much as you can
No, because as much as you can is turn the system off and bury it in
concrete (with an armed guard).
The goal is as
On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald h.rei...@thelounge.net wrote:
defense in depth means limit the attack surface as much as you can
As folks are trying to point out to you, these principles are well
understood in this group.
However, _any minimally usable environment will have a
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
however, thank you to show me that any discussion with you is worthless
Right back at you.
--
Chris Adams li...@cmadams.net
On Tue, Apr 29, 2014 at 5:28 PM, Chris Adams li...@cmadams.net wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
however, thank you to show me that any discussion with you is worthless
Right back at you.
The CoC does say a few things on this topic.
I am finding Reindl's
On 29-04-2014 18:27, Martin Langhoff wrote:
On Tue, Apr 29, 2014 at 5:12 PM, Reindl Harald h.rei...@thelounge.net wrote:
defense in depth means limit the attack surface as much as you can
As folks are trying to point out to you, these principles are well
On 29.04.2014 23:33, Martin Langhoff wrote:
On Tue, Apr 29, 2014 at 5:28 PM, Chris Adams:
Once upon a time, Reindl Harald h.rei...@thelounge.net:
however, thank you to show me that any discussion with you is worthless
Right back at you.
The CoC does say a few things on
On Tue, Apr 29, 2014 at 11:09 PM, Reindl Harald h.rei...@thelounge.net wrote:
On 29.04.2014 23:00, Chris Adams wrote:
Once upon a time, Reindl Harald h.rei...@thelounge.net said:
google as example for CVE-2014-0038 and as i already explained
you: an attacker has no shell, you have two ways
On 28 April 2014 15:01, Daniel J Walsh dwa...@redhat.com wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen. Systemd then triggers a
require for udev and kmod, which docker containers do not need.
rpm -q --whatrequires
On Apr 28, 2014 5:01 PM, Daniel J Walsh dwa...@redhat.com wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen.
Would removing the requires on systemd and doing:
/usr/bin/systemctl reload ||:
Work for these cases?
-Toshio
On Mon, 2014-04-28 at 17:01 -0400, Daniel J Walsh wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen. Systemd then triggers a
require for udev and kmod, which docker containers do not need.
rpm -q --whatrequires systemd|
On Mon, Apr 28, 2014 at 03:11:07PM -0700, Toshio Kuratomi wrote:
On Apr 28, 2014 5:01 PM, Daniel J Walsh dwa...@redhat.com wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen.
Would removing the requires on systemd and
On 29/04/2014 00:11, Toshio Kuratomi wrote:
On Apr 28, 2014 5:01 PM, Daniel J Walsh dwa...@redhat.com wrote:
The problem is lots of services require systemd because they ship a
unit file and want systemctl reload to happen.
Would removing the requires on