
= Fedora Weekly News Issue 283 =

Welcome to Fedora Weekly News Issue 283 for the week ending August 11, 2011. What follows are some highlights from this issue.

FWN is back after a few weeks of summer quietude, and we've got several weeks' worth of Fedora coverage for you! Kicking off this week's issue are announcements from the Fedora Project, including awesome heavy metal news on a Fedora 15 release for IBM System z 64-bit, details on the Fedora 16 Alpha schedule and Go/No-Go decision, and exciting details on hardened build support coming in Fedora 16. In QA news, details on the latest Fedora 15 Amazon EC2 Test Day, and a schedule for upcoming test days. Also more detail on Fedora 16 Alpha prep, oVirt node spin review and testing, and Instalatron anaconda testing framework details, to name but a few items. Security Advisories brings us a surprisingly short list of security-related software releases for the past three weeks, and our issue wraps up with news from Planet Fedora, including FLOSSCamp 2011 and FUDCon India event reports, farewell news from Max Spevack, and updates from Máirín Duffy and Joerg Simon. Enjoy FWN 283!

An audio version of some issues of FWN, called FAWN, is available! You can listen to existing issues on the Internet Archive. If anyone is interested in helping spread the load of FAWN production, please contact us!

If you are interested in contributing to Fedora Weekly News, please see our 'join' page. We welcome reader feedback: news@lists.fedoraproject.org

FWN Editorial Team: Pascal Calarco, Adam Williamson

Now for the details.


 * 1: what are we trying to do?

There are three somewhat-overlapping build features in play here. The first one is called "relro", which instructs the linker to emit some relocations in a special segment that can be marked read-only after relocation processing is finished but before you call into main. Or in English: more things that you've asked to be const, will actually be const. This on its own is quite cheap, and so it has been enabled globally as of redhat-rpm-config-9.1.0-13.fc16.

By default, not all symbols are resolved that early in program execution. In particular, functions are resolved lazily the first time they're called. This makes startup faster, and since not all functions are actually called in typical program execution, usually makes total execution time faster. However, if all symbols were resolved early, the relro feature could do a better job, and virtually all relocations could be made read-only. The '-z now' flag to the linker makes this happen, and an app so linked is said to be "Full RELRO" instead of "Partial RELRO".

Finally, applications may be built as position-independent executables, by passing -fPIC or -fPIE at build time and -pie at link time. This allows the runtime linker to randomize the placement of the executable at runtime, which makes it more difficult for an attacker to guess the address of writeable memory.


 * 2: how do we go about doing it?

The non-PIE parts of this are trivial, just pass the appropriate flags to the linker and you're done. PIE is more difficult, both at build time and at link time. Although both -fPIC and -fPIE produce position-independent code at the assembly level, -fPIE will (at least on amd64) produce relocation types that are only valid in an executable. This means you can't just say -fPIE in CFLAGS: your libraries will fail to link. (PIC objects in a PIE executable are fine; PIE objects in a PIC library are not. When in doubt, -fPIC.)

Likewise, at link time, the -pie and -shared options are mutually exclusive. ld.gold will simply refuse to execute if you specify both. ld.bfd will (afaict) let whichever one comes last win, and if that happens to be -pie when you're building a shared library it will fail to link because it won't be able to find a _start symbol.

All of this is only an issue because most build systems don't let you say different CFLAGS or LDFLAGS for shared libraries and executables. Sigh.

So instead, we'll teach gcc to figure it out. To do this we'll use the -specs flag to pass some rewrite rules to the compiler driver. At compile time, if we don't see -fPIC or -fPIE on the command line, we'll add -fPIC. At link time, if we don't see -shared, we'll add -pie. This way we build relocatable objects that are always suitable for either type of final link object, and we'll only attempt to build a PIE if we know we're not building a shared library. Victory!


 * 3: what does this mean for you?

The link-time bit of the last paragraph required a bit of gcc magic to get right (previously specs rules could only add strings to the command line of the program to invoke; they could not rewrite gcc's notion of which flags had been passed in the first place). Thanks to a patch from Jakub Jelinek, this is now fixed in gcc-4.6.1-7.fc16, and will be in gcc 4.7 and later. As a result, %define _hardened_build 1 will not work until that gcc update has gone through.

Once that's done (and redhat-rpm-config-9.1.0-15.fc16 has gone through updates), if you're using a %configure-style spec file, defining the magic macro is all you have to do. The rpm macros will notice the macro, and put the right magic into CFLAGS and LDFLAGS, and everything is great and wonderful.

If you're _not_ using %configure, then you have to do whatever is conventional for your build system to get CFLAGS and LDFLAGS inherited properly. For CFLAGS, this will be $RPM_OPT_FLAGS or %{optflags} as before. As of rpm-4.9.1-3.fc16, you will be able to say $RPM_LD_FLAGS for the corresponding LDFLAGS values. Until then, there is no such shell variable, but you can get the same effect from %{?__global_ldflags}. Yes, that's ugly, sorry.

If you are the owner of one of the packages listed here

Then I have locally built (though not extensively tested) your package with the appropriate specfile modifications, and the results do indeed appear to be fully hardened. If you would like to handle the rebuilds yourself, please let me know. Otherwise I will submit them myself once the relevant updates have gone through.

If you've made it to the end, congratulations. Please let me know if there are any issues, or any questions I can answer. In particular if the performance impact of these flags is excessive for you, there are some ways it can be mitigated that are out of scope for this particular email.

- ajax
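
One way to check the three properties described in the message above (RELRO, "-z now" and PIE) on a built binary. This is an added example, not part of the original email or of Fedora's tooling; the function names `hardening` and `make_elf` are hypothetical, the sample images are constructed in memory, and PIE is detected with the ET_DYN-plus-interpreter heuristic noted in the comments.

```python
import struct
import sys

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header
DYN = struct.Struct("<qQ")                 # ELF64 dynamic entry: (d_tag, d_val)

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def hardening(data):
    """Report RELRO level and link type of an ELF64 little-endian image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    seg_types, bind_now = set(), False
    for i in range(e_phnum):
        ph = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        seg_types.add(p_type)
        if p_type != PT_DYNAMIC:
            continue
        # Walk the dynamic section looking for any of the "-z now" markers.
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
    # PT_GNU_RELRO alone is partial; with eager binding the GOT is covered too.
    if PT_GNU_RELRO not in seg_types:
        relro = "none"
    else:
        relro = "full" if bind_now else "partial"
    # Assumption: an ET_DYN image with an interpreter is a PIE, without one a
    # shared library. A heuristic; a few libraries also carry PT_INTERP.
    if e_type == ET_DYN:
        kind = "pie" if PT_INTERP in seg_types else "shared"
    else:
        kind = "exec"
    return {"relro": relro, "kind": kind}


def make_elf(e_type, relro, now, interp):
    """Build a constructed, headers-only ELF64 image for the demo (not loadable)."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if now else b"") + DYN.pack(DT_NULL, 0)
    seg_types = [PT_DYNAMIC]
    seg_types += [PT_GNU_RELRO] if relro else []
    seg_types += [PT_INTERP] if interp else []
    dyn_off = EHDR.size + PHDR.size * len(seg_types)
    phdrs = b""
    for t in seg_types:
        size = len(dyn) if t == PT_DYNAMIC else 0
        phdrs += PHDR.pack(t, 4, dyn_off, dyn_off, dyn_off, size, size, 8)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(seg_types), 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:            # classify real files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, hardening(fh.read()))
    else:                            # constructed samples
        print("plain exec  ", hardening(make_elf(ET_EXEC, False, False, True)))
        print("relro only  ", hardening(make_elf(ET_EXEC, True, False, True)))
        print("hardened PIE", hardening(make_elf(ET_DYN, True, True, True)))
```

Run with one or more file paths to classify real 64-bit little-endian binaries; with no arguments it prints the results for the constructed samples.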

Fedora 16 Alpha Go/No-Go Meeting, Wednesday, August 10 @ 17:00 EDT
Robyn Bergeron announced:

"Join us on irc.freenode.net #fedora-meeting for this important meeting.

Wednesday, August 10, 2011 @21:00 UTC (17:00 EDT/14:00 PDT)

"Before each public release Development, QA and Release Engineering meet to determine if the release criteria are met for a particular release. This meeting is called the: Go/No-Go Meeting."

"Verifying that the Release criteria are met is the responsibility of the QA Team."

For more details about this meeting

In the meantime, keep an eye on the Fedora 16 Alpha Blocker list:

https://fedoraproject.org/wiki/Current_Release_Blockers

-Robyn"

FUDCon EMEA travel subsidies are open
Christoph Wickert announced:

"Hi there,

If you are planning to attend FUDCon Milan 2011 and need travel subsidies, the ticket system is now open. If you need sponsoring, please

 1. register
 2. put an X in the $$$ column
 3. make a funding request in the FUDCon ticket tracker
 4. General instructions about sponsoring

Funding requests without a ticket will not be considered. We have a limited budget and will work hard to fund as many people as possible. We'll use these answers to help figure out budgeting for the event. We are making arrangements for attendees from other geographic regions to encourage specific initiatives such as future FUDCon events, but preference may otherwise be given to people in EMEA.

The next subsidy meeting will be held on Tuesday, August 16th at 15:00 UTC in #fudcon-planning. Please show up in case the event organizers have questions about your request.

Regards,

Christoph"

String Freeze 2011-08-02
Noriko Mizumoto announced:

"Fedora Packagers

The String Freeze date is 2011-08-02. The Fedora Localization team will soon start translating the latest packages via Transifex. Our goal is for Fedora software translation to be 100% complete in as many languages as possible.

Please make sure that your latest POT file has been uploaded to Transifex for translators. If you think that you need to break the string freeze, then you should ask for approval from the Fedora Localization Team prior to breaking the freeze. Software string freeze policy can be found at

Thank you so much for your support in advance.

Regards,

noriko Fedora L10N"

Changes to the Packaging Guidelines
Tom Callaway announced:

"Here are the latest changes to the Fedora Packaging Guidelines:

---

Some rpm versions pass pathnames to the automatic filtering macros, so a section has been added to the guidelines to help packagers deal with it

---

For a while, Fedora considered mono packages to be architecture-specific, and installed assemblies to %{_libdir}. However, after discussions with upstream, we now consider mono packages to be architecture (and platform) independent. This means that mono packages should be correctly installed into the GAC in /usr/lib or installed into /usr/lib/PACKAGENAME.

As a notable exception, any ELF binary libraries generated in a mono package must be correctly installed into %{_libdir}, because these files are architecture-specific.

Also, even though we consider mono packages to be architecture independent, they must not be marked as "noarch". Although the assemblies are the same, the files may differ due to strings referring to the build architecture.

---

It was decided that gnome shell extension packages should have the prefix gnome-shell-extension (with no "s" on the end).

---

The section in the Fedora Packaging Guidelines concerning libexecdir has been improved and expanded

---

The Fedora Java Packaging Guidelines have been updated to reflect the latest macros for Maven 3.

---

These guidelines (and changes) were approved by the Fedora Packaging Committee (FPC).

Many thanks to Christian Krause, Aleksandar Kurtakov, Petr Pisar, Stanislav Ochotnicky, and all of the members of the FPC, for assisting in drafting, refining, and passing these guidelines.

As a reminder: The Fedora Packaging Guidelines are living documents! If you find something missing, incorrect, or in need of revision, you can suggest a draft change. The procedure for this is documented here

Thanks,

~spot"

Fedora Events
The purpose of the event page is to build a global Fedora events calendar, and to identify responsible Ambassadors for each event. The event page is laid out by quarter and by region. Please maintain the layout, as it is crucial for budget planning. Events can be added to this page whether or not they have an Ambassador owner. Events without an owner are not eligible for funding, but being listed allows any Ambassador to take ownership of the event and make it eligible for funding. In plain words, Fedora events are the exclusive source of marketing, learning and meeting all the fellow community people around you. So, please mark your agenda with the following events to consider attending or volunteering near you!

Upcoming Events (June - August 2011)

 * North America (NA)
 * Central & South America (LATAM)
 * Europe, Middle East, and Africa (EMEA)
 * India, Asia, Australia (India/APJ)

Past Events
Archive of Past Fedora Events

Additional information

 * Reimbursements -- reimbursement guidelines.
 * Budget -- budget for the current quarter (as distributed by FAMSCo).
 * Sponsorship -- how decisions are made to subsidize travel by community members.
 * Organization -- event organization, budget information, and regional responsibility.
 * Event reports -- guidelines and suggestions.
 * LinuxEvents -- a collection of calendars of Linux events.

Quality Assurance
In this section, we cover the activities of the QA team. For more information on the work of the QA team and how you can get involved, see the Joining page.

Contributing Writer: Adam Williamson

Test Days
The Fedora 15 Test Day track is now finished, and the main Fedora 16 Test Day track has not yet started. If you would like to propose a main track Test Day for the Fedora 16 cycle, please contact the QA team via email or IRC, or file a ticket in QA Trac. At the weekly group meeting of 2011-07-18, the group agreed to delay the planned Fedora 15 on Amazon EC2 Test Day on 2011-07-19, as the images would not be ready in time. Adam Williamson pencilled in the X Test Week for 2011-08-30 to 2011-09-01, and Jaroslav Škarvada proposed a power management Test Day for 2011-09-29. Adam sent out a call for Test Days.

The Fedora 15 on Amazon EC2 Test Day was eventually held on 2011-08-04. The turnout was modest, but the five testers present were able to confirm the provided AMIs mostly worked well, and expose a few bugs.

Fedora 16 Alpha preparation
Throughout the last few weeks, the team has been working to prepare for the Fedora 16 Alpha release. A first acceptance test run was attempted by Tao Wu on 2011-07-19, and ran into critical early failure in the installer. A second attempt was made on 2011-07-26, and failed similarly. The first (and only) test compose was released behind schedule on 2011-08-02, and again contained significant bugs. Adam Williamson started a post-TC1 strategy discussion to decide what to do in case it seemed impractical to produce a release candidate in a reasonable timeframe, but in the event, all TC1 blockers were thought to be addressed by 2011-08-06, and a release candidate was produced.

In the meantime, blocker bug review meetings were held each Friday (2011-07-22, 2011-07-29 and 2011-08-05) to review the substantial volume of blocker bugs which were identified.

oVirt node spin review and testing
At the 2011-07-18 weekly meeting, the group held an initial discussion of the proposed oVirt node spin, from the standpoint of whether to grant it QA approval. Athmane Madjoudj volunteered to work on making sure the necessary testing framework was in place. By 2011-07-22, he had a draft validation matrix ready for review. The draft matrix was reviewed at the weekly meeting of 2011-07-25, and the group agreed Athmane's validation matrix was good and the oVirt spin should be granted QA approval.

QA group meeting SOP
James Laska announced that he had put the draft group meeting SOP (see FWN #282) into production.

Separation of release validation and feature processes
At the FESCo meeting of 2011-07-18, FESCo approved the group's proposal (see FWN #282) to formalize the separation between the release validation and feature processes. Adam Williamson subsequently announced that he had made the necessary changes to the wiki.

Fedora 16 Alpha RATs run
Tao Wu announced the completion of the first RATs (Rawhide Acceptance Tests) automated installation testing run for Fedora 16 Alpha. He reported that the testing failed due to a major bug in installation.

Instalatron anaconda testing framework
Sergio Rubio of FrameOS wrote to let the group know of the release of Instalatron, a testing framework for anaconda based around VirtualBox input automation and ImageMagick image comparison. James Laska replied to thank Sergio for reaching out, and to point out the similar work being done by Tao Wu and Hongqing Yang to automate the Fedora installation validation matrix. Tim Flink asked some questions about the design of Instalatron, and Sergio provided some answers. Eric Blake noted that KVM had recently grown the ability to inject keyboard scancodes, which Sergio had cited as the main reason for choosing VirtualBox. David Cantrell gave a heads-up that the design of anaconda would soon change quite drastically, and James recommended the use of AT-SPI in preference to image analysis. Sergio thanked everyone for their feedback.

Release criteria updates
James Laska followed up his initial survey of ways to handle secondary architecture release criteria (see FWN #281) with a draft of the preferred approach.

James also proposed some changes to the criteria following from the second Alpha blocker bug review meeting. Rui He adjusted a test case to reflect the proposed change. Adam Williamson suggested a change to James' proposed shutdown criterion, which prompted some discussion. Ultimately James updated the criteria with the revised proposals, and proposed a test case to enforce the shutdown criterion.

Release criteria and validation testing
Rui He continued adjusting installation validation test cases in response to Adam Williamson's release criteria / validation test concordance survey. She added a test for uncategorized packages, updated some test cases to check unattended installations work, added a test for the 'use existing Linux partitions' partitioning method, updated the rescue mode test case, and added test cases for btrfs and xfs installations.

Acceptance testing SOP
Rui He proposed the creation of an SOP for the rawhide acceptance testing events. Tao Wu worked on a draft SOP, and Adam Williamson provided feedback. Eventually, Tao, Adam and James Laska progressed to a broader discussion on the nature of RATS events, and whether they should simply be folded into the Test Compose / Release Candidate process.

Security testing scripts
Steve Grubb announced some scripts for testing the security of Fedora. Adam Williamson thanked him for the work, and wondered if any of the scripts would be suitable for incorporation into AutoQA. Kamil Paral highlighted some issues with integrating third party tests in the current state of AutoQA.

AutoQA
James Laska wondered if it would be possible to run depcheck tests on EPEL packages. Kamil Paral said it had not been tried yet, and had some questions about the benefits. He summarized that "Overall it should be doable, but it requires quite some work and resources." James said he would check if it was the EPEL SIG or individual maintainers who were interested.

Josef Skladanka posted a "brain dump" of ideas he and Kamil had come up with around depcheck.

Kamil proposed (and later carried out) the inclusion of a NEWS file in the AutoQA source, and provided a draft.

The group continued to work on several tasks related to making AutoQA output more attractive and legible.

Security Advisories
In this section, we cover Security Advisories from fedora-package-announce for the three weeks ending August 11, 2011.

http://lists.fedoraproject.org/pipermail/package-announce

Contributing Writer: Pascal Calarco

Fedora 15 Security Advisories

 * glpi-0.78.5-2.svn14966.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063408.html
 * phpMyAdmin-3.4.3.2-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063418.html
 * libcap-2.22-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063429.html
 * libsoup-2.34.3-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063431.html
 * drupal7-7.6-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063463.html
 * p7zip-9.20.1-2.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063470.html
 * openarena-0.8.5-4.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063478.html
 * quake3-1.36-11.svn2102.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063479.html
 * cifs-utils-5.0-2.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063521.html
 * wireshark-1.4.8-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063586.html
 * system-config-firewall-1.2.29-4.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063314.html
 * mapserver-5.6.7-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063300.html
 * dbus-1.4.6-5.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063294.html
 * erlang-R14B-03.2.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063218.html
 * systemtap-1.5-8.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063198.html
 * xml-security-c-1.5.1-5.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063229.html
 * oprofile-0.9.6-21.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063084.html
 * xmms-1.2.11-15.20071117cvs.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063082.html
 * ruby-1.8.7.352-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063071.html
 * libpng10-1.0.55-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062970.html
 * libsndfile-1.0.25-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062955.html
 * squirrelmail-1.4.22-2.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062939.html
 * icedtea-web-1.0.4-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062852.html
 * vte3-0.28.1-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062816.html
 * vte-0.28.1-1.fc15 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062815.html

Fedora 14 Security Advisories

 * openarena-0.8.5-4.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063461.html
 * quake3-1.36-11.svn2102.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063460.html
 * phpMyAdmin-3.4.3.2-1.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063410.html
 * cifs-utils-4.8.1-7.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063497.html
 * wireshark-1.4.8-1.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063591.html
 * drupal7-7.6-1.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063560.html
 * mapserver-5.6.7-1.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063274.html
 * java-1.6.0-openjdk-1.6.0.0-54.1.9.9.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063264.html
 * systemtap-1.5-8.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063230.html
 * xml-security-c-1.5.1-4.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063159.html
 * libpng-1.2.46-1.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063118.html
 * erlang-R14B-03.1.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063115.html
 * ruby-1.8.7.352-1.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063062.html
 * oprofile-0.9.6-21.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063042.html
 * xmms-1.2.11-15.20071117cvs.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063014.html
 * squirrelmail-1.4.22-2.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062983.html
 * libpng10-1.0.55-1.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062934.html
 * cifs-utils-4.8.1-6.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062893.html
 * libvirt-0.8.3-10.fc14 - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062855.html

Planet Fedora
This is the Planet Fedora section, covering news from planet.fedoraproject.org, a collection of blogs from Fedora users spanning the globe.

Contributing Writer: Joel Braun

FLOSSCamp 2011
Nicu Buculei wrote about his time at FLOSScamp 2011, the 5th Romanian free and open source software gathering.

FUDCon India
Rahul Sundaram posted the August 9th meeting minutes for FUDCon India.

Fedora Community
Max Spevack, a former Fedora Project leader, has announced that he is leaving Red Hat and that Harish Pillay will be stepping in to fill his role.

Máirín Duffy has announced some additions to the Fedora logo Guidelines.

Joerg Simon has announced some new members to the Fedora Ambassadors team. He has also posted statistical graphs of the acceptance and numbers of Fedora ambassadors.

Máirín Duffy also gave an update on the changes to Fedora Community, a webapp designed to help Fedora's package maintainers do their jobs.

General
The Pulp team blogged on adding non-rpm content support.

Dan Walsh wrote about SELinux changes that will come with the alpha release of Fedora 16.

Robyn Bergeron talked about why the Fedora 16 alpha build is being delayed by one week, citing numerous bugs.