On Friday 18 December 2009 03:54:53 pm Adam Jackson wrote:
On Fri, 2009-12-18 at 20:26 +, Richard W.M. Jones wrote:
For libguestfs [RHBZ#547496] I want to add some extra 'Requires'
dependencies by running a shell script over a particular file that
gets generated during the build.
On Wednesday 18 November 2009 04:45:05 pm James Antill wrote:
On Wed, 2009-11-18 at 16:04 -0500, Steve Grubb wrote:
The problem is the *Default* not the fact that you can consciously
allow users to update without a password.
And I wonder what the audit trail will show? Does it show
On Wednesday 18 November 2009 01:35:30 pm Simo Sorce wrote:
On Wed, 2009-11-18 at 13:23 -0500, Seth Vidal wrote:
I'm not sure how this is 'surprise root'. It will only allow installs
of pkgs signed with a key you trust from a repo you've set up.
which pretty much means: if the admin trusts
On Wednesday 07 October 2009 06:16:50 pm Matthias Clasen wrote:
On Wed, 2009-10-07 at 17:11 -0400, Steve Grubb wrote:
On Friday 02 October 2009 01:56:21 pm Jon Stanley wrote:
Meeting summary
---
* incomplete features (jds2001, 17:04:12)
* AGREED: Lower Process
On Friday 02 October 2009 01:56:21 pm Jon Stanley wrote:
Meeting summary
---
* incomplete features (jds2001, 17:04:12)
* AGREED: Lower Process Capabilities is retained, dbus changes are
being committed to complete the feature. (jds2001, 17:38:58)
I'm wondering if this is
On Friday 02 October 2009 02:42:43 pm Bill Nottingham wrote:
enforcing dependencies between SysV and upstart scripts - if a package
that provides a service that a SysV service depends on (via LSB headers)
changes to an upstart script, things go wrong.
Also last time I checked, they still
On Thursday 17 September 2009 09:39:48 pm Yuan Yijun wrote:
What's happened in our rawhide boot sequence that causes selinux to not be
running anymore? Selinux is not disabled in the grub.conf kernel line and
sestatus shows it's disabled. There is nothing in the system logs saying
that there
On Friday 18 September 2009 08:34:03 am Ralf Ertzinger wrote:
Hi.
On Fri, 18 Sep 2009 08:24:18 -0400, Steve Grubb wrote:
I also think that the reason xinetd came into existence in the first
place has long since passed. The original intent was to save memory
by not having half a dozen
hi,
What's happened in our rawhide boot sequence that causes selinux to not be
running anymore? Selinux is not disabled in the grub.conf kernel line and
sestatus shows it's disabled. There is nothing in the system logs saying that
there was a problem.
If selinux is not disabled and it does not
On Friday 04 September 2009 02:30:14 am Jim Meyering wrote:
Quick summary: use this tool:
http://clang-analyzer.llvm.org/
If you're not using its scan-build tool, then start. Right now.
Really. It's that good.
llvm is in Fedora. Looking at the build instructions for clang, it seems
On Friday 04 September 2009 02:17:10 pm Dan Horák wrote:
I am building kernels for some ARM based devices that use Fedora/ARM as
user-land.
Glad to see someone else looking at the ARM kernel.
These devices are usually very limited in the size of kernel
that can be stored in their flash
On Friday 21 August 2009 04:34:24 pm Aurelien Bompard wrote:
- ulogd -- The userspace logging daemon for netfilter
I'm taking this one.
Thanks,
-Steve
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
On Thursday 13 August 2009 05:53:37 pm John Poelstra wrote:
Can you update the feature page to reflect the reduced scope of the
feature and its completion percentage? All I see since FESCo met was
the change to the detailed description related to the permissions.
That *is* the reduction in
Hello,
I wanted to let everyone know that I will be pushing audit-2.0 into rawhide in
the next day or two. It will change the version number of libaudit. The
following packages are known to have dependencies on audit-libs:
repoquery --repoid=rawhide --whatrequires --alldeps
On Monday 10 August 2009 12:41:48 pm Jesse Keating wrote:
I wanted to let everyone know that I will be pushing audit-2.0 into
rawhide in the next day or two. It will change the version number of
libaudit. The following packages are known to have dependencies on
audit-libs:
I would
On Monday 10 August 2009 01:04:32 pm Jesse Keating wrote:
OK, fine. I'll wait until after the Alpha freeze is over.
Even after that one has to wonder, why is a change like this going in
after the feature freeze.
It would have been in before feature freeze if sc-audit hadn't gotten stuck
On Monday 10 August 2009 02:02:47 pm Jason L Tibbitts III wrote:
SG == Steve Grubb sgr...@redhat.com writes:
SG It would have been in before feature freeze if sc-audit hadn't
SG gotten stuck in package review.
A couple of points here, since you seem to be blaming the review
process
On Friday 31 July 2009 04:42:12 am Frank Murphy wrote:
I think what is meant is that the app is useless, without either
web\media input. Which the user should not have to do to take full
advantage of it.
I think this is a bit like virus definitions. 800Mb is excessive to ship in a
package. I
On Wednesday 29 July 2009 09:49:29 am Serge E. Hallyn wrote:
There was a patch floated on selinux list circa June 2007 that would
have allowed SELinux to directly grant capabilities. But it met a
certain amount of resistance from people concerned about the
implications of changing the
On Monday 27 July 2009 09:11:33 am Serge E. Hallyn wrote:
Quoting Steve Grubb (sgr...@redhat.com):
On Sunday 26 July 2009 08:54:26 pm Steve Grubb wrote:
I trust you meant to write 0555?
No, I really mean 005 so that root daemons are using public
permissions. Admins of course have
Hello,
I wanted to send an email to give everyone a heads up about a project I'm
working on. You can find the write-up here:
https://fedoraproject.org/wiki/Features/LowerProcessCapabilities
The basic idea goes something like this: We would like to do something to
prevent priv escalation for
On Sunday 26 July 2009 08:38:45 pm Tom Lane wrote:
Steve Grubb sgr...@redhat.com writes:
The directory for /bin is 0755 root root. So, even if we drop all
capabilities, the root acct can still trojan a system.
If we change the bin directory to 005, then root cannot write
On Sunday 26 July 2009 08:54:26 pm Steve Grubb wrote:
I trust you meant to write 0555?
No, I really mean 005 so that root daemons are using public permissions.
Admins of course have DAC_OVERRIDE and can do anything. Try the script in a
VM and tell me if there are any problems you see.
I
On Sunday 26 July 2009 09:01:14 pm Tom Lane wrote:
0005 is certainly not meaningfully more secure than 0555.
There are some secrets in files that semi-trusted root apps should not have
access to.
-Steve
On Thursday 23 July 2009 02:16:10 pm Ahmed Kamal wrote:
Here's a RFE for FireKit, a firewall desktop kit. What this does is:
1- Exposes a dbus interface for applications to programmatically open/close
ports
I don't exactly like this. If one application gets compromised, it can now
open other
On Friday 24 July 2009 04:56:51 pm Casey Dahlin wrote:
Just because selinux has policy doesn't mean the app is installed.
If the app is not installed nothing is running in its context, so none of
the rules will ever trigger.
If the attacker can work out the chain of allowed transitions, they
On Thursday 09 July 2009 10:45:55 am devzero2000 wrote:
There are also two other big problems, imho, now, with prelink support:
1 - it renders it impossible to do a centralized integrity checker (with as
example rfc.sf.net ): very very bad
The aide program in rawhide is prelink friendly. So
On Friday 12 June 2009 09:02:39 am Daniel Lezcano wrote:
As I only need the CAP_SYS_BOOT, I will define it manually in the source
code and will remove the include, that's ugly but anyway... :/
Alternately, as of today, libcap-ng is now in Fedora. It has a far simpler
API and you should be
On Wednesday 03 June 2009 04:57:32 pm Kevin Kofler wrote:
Steve Grubb wrote:
And then should the bug be closed hoping that one day you pull in a
package that solves the user's problem?
If the bug is fixed upstream, the Fedora report can be reopened with a
request to backport the fix
On Tuesday 02 June 2009 07:34:17 pm Kevin Kofler wrote:
Steve Grubb wrote:
I don't want to start a long thread, but just to ask a couple questions
for my own clarification. Does a maintainer's responsibilities end with
packaging bugs? IOW, if there is a problem in the package
On Tuesday 02 June 2009 11:09:49 pm Ralf Corsepius wrote:
Kevin Kofler wrote:
Steve Grubb wrote:
I don't want to start a long thread, but just to ask a couple questions
for my own clarification. Does a maintainer's responsibilities end with
packaging bugs? IOW, if there is a problem
On Tuesday 02 June 2009 06:17:02 pm Steven M. Parrish wrote:
This is from the official Bugzappers page
https://fedoraproject.org/wiki/BugZappers/StockBugzillaResponses#Upstreamin
So, this raises the question about bugzappers. Should they be making the
determination for maintainers that the
Hello,
I don't want to start a long thread, but just to ask a couple questions for my
own clarification. Does a maintainer's responsibilities end with packaging
bugs? IOW, if there is a problem in the package that is _broken code_ do they
need to do something about it or is it acceptable for