
Revision as of 19:23, 31 August 2008 by Ush (talk | contribs) (Development beat #141 fully edited)

Developments

In this section the people, personalities and debates on the @fedora-devel mailing list are summarized.

Contributing Writer: Oisin Feeley

Approaches to a Minimal Fedora

Luya Tshimbalanga alerted[1] the list to a post on FedoraForum.org in which a user "stevea" had produced a 67MB "minimalFedora" system. Jef Spaleta worried[2] that the bare-bones system was unable to receive updates and that this was something which "we as a project might not officially want to endorse." One way out of that, suggested by Jef, was that interested parties could produce a derived distribution which pushed out entire updated images. Recent changes in the trademark guidelines make such a move easier.

[1] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01304.html

[2] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01305.html

A parallel to the minimal OS appliance image used in the oVirt project was discerned[3] by Daniel Berrange. Daniel reported their 'oVirt managed node' as being less than 64MB and built entirely from the Fedora 9 repositories. Later Daniel posted[4] that the similarities ended with the desire for a small image. The oVirt goal was to use only Fedora as upstream whereas stevea's approach had been to substitute coreutils with busybox. Daniel acknowledged "[...] finding the bits which aren't needed is fun in itself & somewhat of a moving target. So wherever possible we've been filing BZ to get some RPMs split up into finer grained sub-RPMs" and included a link to his project's kickstart %post stanza. Richard Jones suggested[5] that KDE's filelight was useful for finding bloated files and Vasile Gaburici added[6] that there was a GNOME equivalent called baobab. Vasile also included[7] a script which he uses to "keep track of bloatware".

[3] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01307.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01319.html

[5] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01373.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01374.html

[7] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01376.html

A follow-up post from Daniel concluded[8] that the only bits of upstream Fedora actually used in stevea's approach were the kernel and busybox, since even glibc and initscripts had been ditched. Daniel wondered "So not really much trace of Fedora left at all. Not sure why you'd go to the trouble of doing the initial anaconda install at that point - might as well just 'rpm --no-deps' install kernel + busybox RPMs into a chroot & add the custom init script."

[8] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01320.html

Doubt on the advantages of stripping down Fedora to make it run on embedded targets was cast[9] by Patrice Kadionik when he argued that using the Fedora kernel with all its patches and modules was too bloated. Instead he preferred to use the vanilla kernel with busybox with the result that "[...] you have a Linux kernel (about 1MB) with its root [filesystem] (about 1-2 MB) adapted completely to the target platform." Alan Cox replied[10] that the ability to receive updates and benefit from the maintained and tested code was desirable if there were enough extra space.

[9] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01353.html

[10] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01357.html

W. Michael Petullo added a link[11] to his "FedoraNano" project which has the goal of reducing redundancies, identifying probable cases for sub-packaging and documenting a method to install a small Fedora onto solid state drives.

[11] http://www.flyn.org/fedoranano/fedoranano.html


Using PackageKit Without NetworkManager-Controlled Interfaces

A question from Martin Langhoff asked[1]: "[i]s there anything preventing PK from connecting to the network over non-[NetworkManager]-controlled network interfaces?" This question appeared to be predicated on the assumption that PackageKit had a dependency on NetworkManager.

[1] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01209.html

Jeremy Katz clarified[2] that PackageKit depended on NetworkManager-glib and not on NetworkManager. He added that this was because PackageKit attempted to determine the status of the network connection prior to checking for updates. Dan Williams confirmed[3] that this was the case and expanded on the explanation: "If talking to NM fails, the app should either (a) assume a connection, or (b) could be more intelligent by asking SIOCGIFCONF/netlink for interfaces, and if at least one interface is IFF_UP | IFF_RUNNING and has an IP address, then try." Using NetworkManager in this way allows PackageKit to be restricted to sensible choices about the type of networks over which it is acceptable to receive updates.

[2] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01210.html

[3] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01213.html

A further point raised by Martin was that there were a surprising number of dependencies, and Dan pointed[4] to Bugzilla entry #351101[5] while noting that "[PackageKit] should only depend on NetworkManager-glib, which itself should not pull in NetworkManager in the future." That bug specifically affects multilib systems, that is x86-64 systems with i386 packages on them, and prevents the simple removal of the older version of NetworkManager-glib and its replacement with a re-factored one. This will be fixed for Fedora 10 by the anaconda installer.

[4] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01214.html

[5] https://bugzilla.redhat.com/show_bug.cgi?id=351101

In a separate thread Martin asked[6] what debugging facilities were available for network scripts beyond using bash -x. He detailed his "hack du jour" by which /etc/udev/rules.d/60-net.rules invokes net.hotplug.debugger which in turn uses bash -x net.hotplug with STDIN and STDOUT redirected to a logfile. It appeared from the lack of further suggestions that this is a good strategy. He also provided[7] a note which explained that he was upgrading the "School Server" spin to Fedora 9 from Fedora 7.

[6] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01263.html

[7] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01207.html

Git-1.6.0 Commands to be Moved Out of PATH

A response by Todd Zullinger to a "cvsextras" commit[1] of changes to git questioned[2] whether setting gitexecdir=%{_bindir} was a justified deviation from upstream intent. According to Todd "[..] we've effectively negated upstream's intent to present less binaries in the users path". Currently there are 137 git commands in the /usr/bin directory. Todd suggested that it was better for individual users to add the output of $(git --exec-path) to their PATH environment variable. As a precaution against breaking scripts upon update to git-1.6.0, Todd suggested that this addition to PATH should be made by the package.

[1] http://www.redhat.com/archives/fedora-extras-commits/2008-August/msg05593.html

[2] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01330.html

The package maintainer responsible for the change, James Bowes, replied[3] that he had recently attempted to do as Todd suggested and that it had resulted in complaints. He was worried that although Todd's change made sense, no due diligence had been conducted to see what would break if the git-* commands were moved in such a way. Josh Boyer replied[4] that the original complaint had been about "yank[ing] out commands [...] from a stable release [Fedora 9]". Todd Zullinger discounted such complaints and dreamt[5] that "[...] a warning could be hand delivered by a beautiful naked person of whatever gender the user prefers and many would still scream when the change finally landed. :)" He suggested that in order to achieve predictability and consistency across distributions it was best to follow upstream and use the update to 1.6.0 as a flag day.

[3] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01361.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01363.html

[5] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01389.html

In response to queries as to whether there was a need to update Fedora 9 as well, Josh Boyer replied[6] that a security bug was fixed by git-1.6.0 but that he thought this might also have been fixed by "a later release of 1.5.6.x."

[6] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01390.html

Resurrecting Multi-Key Signatures in RPM

Spurred on by the disquiet caused by the recent signing of Red Hat packages (but not as far as is known any Fedora packages)[1] it was suggested[2] by Bojan Smojver that multiple GPG signatures of RPM packages would be a good idea. Distributing the signing could include using alternate buildsystems "[...] with no public access [...] to verify package checks before signing[.]"

[1] https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

[2] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01136.html

Andrew Bartlett thought that the checksum part would be a problem because a build often includes hostnames, build times and other specifics, and Chris Adams added[3] that even individual files within a package had such information embedded. Bojan decided to find out how many packages were so constrained, and Seth Vidal suggested[4] a useful rpm command, rpm -qp --dump pkg.rpm, to list all available information about each package.

[3] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01140.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01146.html

Seth was dubious about the general idea and, upon being pressed, doubted the security gain and noted the cost incurred by users trying to verify that a package was signed correctly. Bojan expanded[5] upon the idea that for a "[...] multi-key, multi-build system, an attacker would need to get his hands on a lot of private key passwords, break multiple independent build systems [...] It is similar to what a reporter does to confirm a story. One source, not so reliable. Two sources, more reliable. Many sources, most likely reliable." Stephen Smoogen described[6] this as a logical fallacy and argued that, due to the number of packages, all signing would need to be automated and thus each of the multiple sources would probably "[...] get their information from the same top level source."

[5] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01198.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01205.html

A useful post by Nils Philippsen laid out[7] four practical objections. Prime among these was that there were additional pieces of data, besides those mentioned above, embedded in a specific build even though the source package may have the same tag. The possibility of making the build system vulnerable to a DoS attack was also mentioned. A sub-thread on German banking practices and the value of multiple credentials developed[8] as did one[9] on the problems of determinism in producing identical binaries.

[7] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01156.html

[8] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01275.html

[9] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01329.html

Tom Lane was also among those who expressed[10] a general skepticism that the increased burden of such a scheme was realistic: "Most of us [packagers] are overworked already. We aren't going to jump through any hoops for third-party signatories." Bojan conceded[11] that if the system were automated then it probably would be vulnerable, but suggested that a community effort to absorb the extra non-automatic work would be a solution in line with "open source" practices. Reluctantly he concluded "[n]ever mind, it was just an idea. Probably not even a good one. Back to the drawing board... ;-)"

[10] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01141.html

[11] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01215.html

Intrusion Recovery Slow and Steady

A politely phrased request[1] was made on 25-08-2008 by Mike Chambers for information about when normal service would resume in the Fedora Project after the disruptions[1a]. Enigmatically, Dominik 'Rathann' Mierzejewski observed[2] that there had been "some speculation on fedora-advisory-board that might explain the information blackout, so please don't jump to conclusions until you really know what happened". This led Chris Adams to observe that the list archives appeared to be offline and to restate the request for information: "[...] in the absence of information, rumors and speculation fill the gap (which is not good)."

[1] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01102.html

[2] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01122.html

Several days later (on 28-08-2008) a similar request was made[3] by Alan Dunn. He wondered whether bodhi was pushing updates out again, and Josh Boyer responded[4] that planning and implementation of "how to revoke the current gpg key used to sign RPMs" were in progress. Jesse Keating cautioned[5] that the migration to a new key would be slow: "I'm currently re-signing all of the 8 and 9 content with these new keys so that we can make them available along with the new updates with the new key for these product lines. This is going to take some time due to the nature of how our signing works."

[3] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01308.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01309.html

[5] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01310.html

A proposal mooted[6] on @rel-eng by Warren Togami and others provided some insight into at least the part of the plans that involve the problem of how to distribute a new package signing key.

[6] http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001627.html

"nodata" asked[7] whether the new plans included a means to push out critical security updates even while there was a general outage. The thinking behind this seems to be that an attacker could decide to knock out Fedora infrastructure in order to gain some time to exploit a known vulnerability even if a simple fix existed. Jesse Keating replied[8] confidently that in such a scenario the Fedora Project would do "whatever it takes [...] to get a critical update onto a public webserver should the need arise" and cautioned against wasting time trying to plan for every possible scenario. Toshio Kuratomi added[9] that although it might be possible to speed up recovery "[...] unfortunately if the infrastructure problem is bad enough, there's no way we can push package X out until the problem is at least partially resolved."

[7] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01313.html

[8] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01314.html

[9] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01316.html

On 27-08-2008 Paul Johnson noted that it was possible to "compose and build" and asked "when will updates via yum become available for rawhide?" Jeremy Katz responded[10] that "[a]t the moment, the compose is falling over for new reasons unrelated to the infrastructure changes. Hopefully we'll see a rawhide make its way out to the masses real soon now."

[10] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01249.html

Later Mike Chambers and Ola Thoresen reported[11] that updating from Fedora 9 to Rawhide seemed to be working. Several Rawhide Reports also appeared[12].

[11] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01350.html

[12] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg01339.html