= Fedora Weekly News Issue 172 =

Welcome to Fedora Weekly News Issue 172 for the week ending April 19th, 2009.

http://fedoraproject.org/wiki/FWN/Issue172

This week Announcements rubs its hands with glee over the "Fedora 11" freeze. Similarly Artwork enthuses about "Fedora 11 Landing" with great Leonidas themes including a surprise for wide-screen setups. Developments gushes about "Presto and DeltaRPM Status" and SecurityWeek asks the interesting question "Who in the Linux World Would be Responsible for a Worm?". SecurityAdvisories faithfully lists updates that might just help avoid that worm. With a red face we draw your attention with an Erratum to last week's missing QualityAssurance beat. This week's QualityAssurance beat "Test Days" advertises the upcoming minimal installation testing and reports in "Weekly meetings" that PulseAudio issues with snd-intel-hda and snd-intel8x0 are resolved. Translation reports on the availability of a bulky "Fedora 11 Installation Guide Ready for Translation". The FedoraWeeklyWebcomic joins us again and Ambassadors shares a neat list of LinuxFestNorthWest talks by Fedora folk.

If you are interested in contributing to Fedora Weekly News, please see our 'join' page. We welcome reader feedback: fedora-news-list@redhat.com

content until the GOLD packages were on their way out to the mirrors at which point the nightly rawhide composes would contain  content.

On a related note Bill Nottingham asked maintainers of a list of packages not yet rebuilt in dist-f11 (with the attendant compiler and strong RPM hashes) to fix them if possible. Jesse Keating provided a slightly more aggressive list as an addendum.

and Peter's own patch to  which together make it possible to disallow zapping by default and also to turn zapping on with a 'setxkbmap -option terminate:ctrl_alt_bksp'. The net result is that it is possible to get zapping to work but the configuration needs to be set up properly and the DontZap option left disabled (as per the new default).

In discussion with Kevin Kofler Peter clarified the situation in which the new settings would take effect. Kevin responded that it appeared that for  users zapping with Ctrl-Alt-BkSp would remain as before.

Later Peter answered some questions from Suren Karapetyan about the ability to kill broken X grabs with details about how zapping works.

The above summary of an elegant technical solution ignores the long, and at times vitriolic, complaints about this change. A common trope occurring in some recent threads seems to be that changes are made by Red Hat employees who are implementing changes without community consultation and all work to a common game plan. Seth Vidal challenged the latter assumption: "In a survey of 10 RH employees you will find between 10 and 40 different opinions. sometimes more if you don't ask some of them to confine their comments to a limited amount of time." In any event it's worth noting that the resolution (which filters the "Terminate_Server" action in a manner consistent with the handling of other actions in xkb rulesets) was contributed upstream by a Red Hat employee. As a point of information Kevin Fenzi also made it clear that the change had not been instigated by FESCo.

The new options presented by Peter were in addition to those already suggested in the beta Release Notes.

as a download method. Callum Lerwick suggested that  would benefit from a userspace ISO implementation.

project and presto-enabled repositories. Interest is high enough in Presto's bandwidth-saving abilities that no fewer than three separate threads were started to ensure that it would function properly for.

Warren Togami asked if  would be enabled by default for. Last month (2009-03-21) Jonathan Dieter reported that the use of  in   had broken   but that a patched version was available in rawhide. See FWN#166 for earlier coverage of the challenges and changes resulting from the introduction of stronger hashes. Jonathan also reported that the changes necessary in infrastructure to build deltarpms had been done. These changes were made fairly rapidly thanks to work done by Michael Schroeder, the upstream  developer. One issue that concerned Axel Thimm was the security with which checksums of deltarpms were being made. Till Maas and Jonathan Dieter provided reassurance that all deltarpms are generated from original rpms which needed to pass all verifications which  and   enforce.

Martin Sourada was excited not just about  but also about the slick new   in. Martin was concerned about the issue of  and   apparently not working well together. A BugZilla entry revealed that  developer Richard Hughes quickly created a patch which Martin reported as working.

On 2009-04-16 Bill Nottingham added to the "Rawhide Report" that "[...] rawhide is composed with deltarpms against the prior rawhide. Due to a bug, this is only currently working on i386; it should be fixed for other arches tomorrow. Please test and report any issues."

A Fedora Test Day centering around Presto was also announced by James Laska. The usual excellent wiki page suggests that  can deliver significant bandwidth savings.

was being installed by default. He cautioned that  broke   and thus   functionality.

An answer posted by Bill Nottingham pointed out the java plugin as the dependent.

Dan worried that while "[a] confined nsplugin is a nice feature for confining plugins downloaded from the network. But if you run openoffice and evince from within nsplugin they get confined, causing the apps to not work properly." In response to Simo Sorce Dan explained that any attempt to write transition rules to enable said applications to work properly would create an easy avenue of attack. Simo wondered if it would be possible to either write a security wrapper to restrict the command line, or to get application developers to honor SELinux labels in some way.

Warren Togami shared that removing  was "[...] something I always do. It seems to cause more problems than it solves [...]" and James Morris expanded upon this with instructions "[...] on both removing mozplugger and restoring the security protections of SELinux.  Simply removing the package isn't enough[.]" James questioned "[...] how a package which breaks a security feature not only made it into the repo, but how it became enabled by default[?]"

A similar issue was raised by Bruno Wolff III about the re-enabling of disabled Firefox plugins. Comments by Martin Stransky suggest this is a feature of.

Lennart explained how /etc could be made read-only and adduced OpenSUSE, Debian and Gentoo as further evidence that a read-only root could be attained. Callum Lerwick pined for the days of floppy disks.

Toshio Kuratomi completely declined to play and asked: "I'm hereby giving notice that I don't have time to read obvious flamefests anymore. Once this thread concludes, please summarize whatever the pros and cons are and send it to the packaging committee to discuss and vote on."

== Translation ==
This section covers the news surrounding the Fedora Translation (L10n) Project.

http://fedoraproject.org/wiki/L10N

Contributing Writer: Runa Bhattacharjee

=== Fedora 11 Installation Guide Ready for Translation ===
Ruediger Landmann announced the availability of the Fedora 11 Installation Guide for translation. Due to the import of relevant content from the Red Hat Enterprise Linux Installation Guide into this Guide, the content has substantially increased. The final translation due date is 14th of May 2009 with an extension of 1 week for additional corrections. The .po files would be refreshed on April 28th 2009, to correct errors identified until that date.

=== New Members in FLP ===
Ali Fakoor joined the Persian translation team last week.

== Artwork ==
In this section, we cover the Fedora Artwork Project.

http://fedoraproject.org/wiki/Artwork

Contributing Writer: Nicu Buculei

=== Fedora 11 Landing ===
As a culmination of last week's effort, the new and improved Fedora 11 artwork was packaged and landed in Rawhide, as Martin Sourada announced on his blog.

== Fedora Weekly Webcomic ==
This week's installment of Nicu Buculei's comic



== Security Week ==
In this section, we highlight the security stories from the week in Fedora.

Contributing Writer: JoshBressers

=== Malicious Activity Grows in 2008 ===
2008 saw a surge in malicious code activity. This is a disturbing trend, and for the underground, this is easy money. The threat will continue to grow until either the money dries up (unlikely) or the difficulty of exploiting this is greater than the potential gain. Right now it looks like the trend will continue for several years.

=== Who in the Linux World Would be Responsible for a Worm? ===
Last week OSNews asked a rather interesting, but easily answered question: "OSNews Asks: Who'd Be Responsible for a Linux Conficker?" The world of Open Source security is mostly a process that happens behind the scenes, but is quite effective. There is a wiki called OSS-Security that provides a number of links to various groups. In the event of something like a worm, the vast majority of the effort would end up happening on the Vendor Security (vendor-sec) mailing list. This is a group of trusted Open Source distributors that communicate in private in an effort to keep the end users of Open Source software secure. To date this group has been working out quite well, and the members are very used to solving security flaws in a cooperative manner. In the event of a widespread Linux worm, there would be many tired people, and quite a lot of vendor-sec emails.

== Security Advisories ==
In this section, we cover Security Advisories from fedora-package-announce.

https://www.redhat.com/mailman/listinfo/fedora-package-announce

Contributing Writer: David Nalley

=== Fedora 10 Security Advisories ===

 * ntop-3.3.8-3.fc10 - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00388.html
 * pam-1.0.4-4.fc10 - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00398.html
 * phpMyAdmin-3.1.3.2-1.fc10 - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00452.html
 * udev-127-5.fc10 - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00463.html
 * argyllcms-1.0.3-5.fc10 - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00498.html

=== Fedora 9 Security Advisories ===

 * pam-1.0.4-4.fc9 - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00420.html
 * phpMyAdmin-3.1.3.2-1.fc9 - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00442.html
 * udev-124-4.fc9 - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00462.html
 * argyllcms-1.0.3-5.fc9 - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00473.html

== Ambassadors ==
In this section, we cover the Fedora Ambassadors Project.

http://fedoraproject.org/wiki/Ambassadors

Contributing Writer: Larry Cafiero

=== LinuxFest Northwest Starts Saturday ===
Fedora Project will be attending and presenting at LinuxFest Northwest this weekend in Bellingham, Wash., U.S.A. With five presentations and a booth, Fedora is proud to be a sponsor of LinuxFest Northwest this year.

Below is a list of presentations at LFNW by Fedora folks, all of which will be in room Haskell 203 on the Bellingham Technical College campus.


 * Participate or Die by Karsten Wade at 1 p.m. Sunday
 * What's under the hat? A sneak peek at Fedora 11! by Jesse Keating at 11 a.m. Sunday
 * Modular Infrastructure design with Messaging by Jesse Keating at 2 p.m. Sunday
 * Fedora Remix by Clint Savage at 11 a.m. Sunday
 * Fedora 101 by Larry Cafiero at 10 a.m. Saturday, preceding the Fedora Activity Day, which will be from approximately 10:30 (or when Larry decides to quit yammering away) to 4:30 p.m.

The complete presentation schedule for LinuxFest Northwest can be found here.

=== Got Ambassador News? ===
Any Ambassador news tips from around the Fedora community can be submitted to me by e-mailing lcafiero-AT-fedoraproject-DOT-org and I'd be glad to put it in this weekly report.