Fedora Weekly News Issue 159

Welcome to Fedora Weekly News Issue 159 for the week ending January 19th, 2009.

http://fedoraproject.org/wiki/FWN/Issue159

This week's issue reveals the code name for Fedora 11 and provides coverage from the latest FUDCon in announcements. News abounds from around Fedora Planet, including musings on the reduction of the OLPC dev team, thoughts on what it means to contribute to Fedora from several contributors, and much more. Development reports on several discussions from the recent FUDCon on the possible future of comps.xml, new packages to Rawhide coming, and more. More depth of discussion on the need for a Fedora Project CMS is offered in the Docs beat, and Translations has lots more to report on new members of various internationalization teams. The Art beat has a wonderful in-depth look at approaches for themes for Fedora 11, and security advisories brings us up to date with recent updates there. We complete the issue with news from virtualization developments, including two items regarding sVirt, a project to add security labeling support to Linux-based virtualization, and other focused discussions with libvirt. Enjoy!

If you are interested in contributing to Fedora Weekly News, please see our 'join' page[1]. We welcome reader feedback: fedora-news-list@redhat.com

FWN Editorial Team: Pascal Calarco, Oisin Feeley, Huzaifa Sidhpurwala

[1] http://fedoraproject.org/wiki/NewsProject/Join

Announcements

In this section, we cover announcements from the Fedora Project.

http://www.redhat.com/archives/fedora-announce-list/

http://www.redhat.com/archives/fedora-devel-announce/

Contributing Writer: Max Spevack

Fedora 11 Release Name

At FUDCon Boston, Paul Frields announced that "Leonidas" had won the vote, and will be the code name of Fedora 11. There was much screaming and yelling, and reciting of lines from "The 300".

ref: http://www.redhat.com/archives/fedora-devel-announce/2009-January/msg00004.html

FUDCon Boston

FUDCon Boston was a great success. Not only are many videos from the sessions available on the Fedora Wiki, but there is also a collection of blog posts from various attendees.

ref: http://www.redhat.com/archives/fedora-announce-list/2009-January/msg00013.html

ref: https://fedoraproject.org/wiki/FUDCon:FUDConF11_blogs

Technical Announcements

Jon Stanley announced that he and Dennis Gilmore "are beginning an effort to migrate fedora-* redhat com to lists.fedoraproject.org." There are several benefits to this move, including greater control of the Fedora lists, a stronger Fedora identity (@lists.fedoraproject.org as opposed to @redhat.com), and the ability to be more responsive to community requests.

ref: http://www.redhat.com/archives/fedora-announce-list/2009-January/msg00012.html

Jesse Keating announced that on January 20th, "we will be doing a non-blocking freeze of Rawhide to be the basis of Fedora 11 Alpha. Only targeted fixes will be pulled into the Alpha tag after the freeze. Rawhide itself will continue on as to not disrupt development."

ref: http://www.redhat.com/archives/fedora-devel-announce/2009-January/msg00005.html

Upcoming Events

Fedora will have a presence at several events in the next few weeks. Feel free to join us:

February 6 - 8: Free and Open Source Developers European Meeting (FOSDEM)

February 20 - 22: Southern California Linux Expo (SCALE)

Also, people are encouraged to register for Fedora or JBoss.org related speaking slots at LinuxTag 2009.

ref: https://fedoraproject.org/wiki/FedoraEvents/FOSDEM/FOSDEM2009

ref: https://fedoraproject.org/wiki/SCALE7X_Event

ref: https://fedoraproject.org/wiki/LinuxTag_2009_talks

Planet Fedora

In this section, we cover the highlights of Planet Fedora - an aggregation of blogs from Fedora contributors worldwide.

http://planet.fedoraproject.org

Contributing Writer: Adam Batkin

General

Marc F Ferguson expounded[0] upon the wonders of "Being a Part of Something Bigger" by joining the Fedora Project and switching to Linux! While there are lots of positive posts out there, this one captures the positive feeling that a lot of folks have by joining a project like Fedora.

Andrew Overholt appealed[1] for anyone interested in helping get JBoss AS 5.0 into Fedora.

Karsten Wade wrote[2] about some of the issues and concerns involved with picking a CMS for Fedora.

Abhishek Rane posted[3] some nice screenshots of Amarok 2.0.1.1 (as well as a download link for Fedora 10).

Jef Spaleta continued[4] his across-the-intertubes discussion with Mark Shuttleworth about Canonical's Launchpad being closed source, and talked about his motivations behind contributing to Fedora: "I have never received a paycheck from Red Hat in any capacity...Making sure companies which proclaim to be open source advocates are actually ‘walking the walk’ is on my personal agenda." In another post, Jef added[5] the statistic "2 out of the top 3 'ideas' on Ubuntu's brainstorm this week are requests to take features from the Fedora Feature process for Fedora 10 and port them to Ubuntu". He continued[6] by showing that Soyuz (a component of Launchpad that Canonical has not open sourced) has a much higher number of open bugs than other components. Along a similar line of thought, he discussed[7] in more general terms, "How important is opening sourcing in the cloud?"

Greg DeKoenigsberg mused[8] about the loss of most of the OLPC software development team and what that means for OLPC, Sugar and Fedora.

Jesus Rodriguez announced[9] that Spacewalk 0.4 ("an open source Linux and Solaris systems management solution") has been released, including a list of features and enhancements and some known issues.

Scott Williams proposed[10] offering support for end-of-life versions of Fedora in a new Freenode IRC channel (#Fedora-EOL), complete with some discussion in the comments about whether or not this was a good idea.

Dave Jones generated[11] a neat graph of the performance of an SSD.

Jef Spaleta provided[12] some interesting statistics about VCS usage from Debian as well as fedorahosted.org, and discussed some of the implications.

[0] http://www.fergytech.com/2009/01/17/being-apart-of-something-bigger/

[1] http://overholt.ca/wp/?p=114

[2] http://iquaid.org/2009/01/11/moving-toward-a-content-management-decision/

[3] http://www.abhishekrane.com/2009/01/12/magellanamarok-2011-released-screenshot-changelog/

[4] http://jspaleta.livejournal.com/32178.html

[5] http://jspaleta.livejournal.com/32733.html

[6] http://jspaleta.livejournal.com/33152.html

[7] http://jspaleta.livejournal.com/32488.html

[8] http://gregdek.livejournal.com/43698.html

[9] http://zeusville.wordpress.com/2009/01/15/spacewalk-04-released/

[10] http://vwbusguy.wordpress.com/2009/01/16/help-needed-fedora-eol/

[11] http://www.codemonkey.org.uk/2009/01/16/gskill-ssd-performance/

[12] http://jspaleta.livejournal.com/32888.html

FUDcon Boston

Máirín Duffy took[1] some photos of the latest FUDcon Boston shirts.

Chris Tyler announced[2] that "Video from eight of the FUDCon F11 sessions plus Paul Frields' closing remarks/State of Fedora are now available".

Karsten Wade asked[3] "Where are your FUDCon session notes?" (so if you have any session notes from FUDcon, feel free to follow these tips to share them with others who may not have been so fortunate to attend in-person).

[1] http://mihmo.livejournal.com/67737.html

[2] http://blog.chris.tylers.info/index.php?/archives/170-FUDCon-F11-Video.html

[3] http://iquaid.org/2009/01/16/where-are-your-fudcon-session-notes/

How-Tos

John Poelstra wrote[1] about how to perform "Fast Spaceless Backups".

Bogomil Shopov shared[2] a quick tutorial on "Installing LXDE on Fedora". LXDE is the Lightweight X11 Desktop Environment ("a desktop environment which is lightweight and very very fast").

[1] http://poelcat.wordpress.com/2009/01/14/fast-spaceless-backups/

[2] http://www.bogomil.info/int/installing-lxde-on-fedora

Developments

In this section the people, personalities and debates on the @fedora-devel mailing list are summarized.

Contributing Writer: Oisin Feeley

The Possible Future of Comps?

Seth Vidal reported[1] that one outcome of the recent FUDCon[2] had been an initiative to overhaul the comps.xml file. This file is part of the metadata used to define group membership of related packages in order to allow[3] yum or anaconda to aid in installation.

Seth described the intent to replace the fixed group definitions with metapackages created on-the-fly, based on examining and dependency-solving repository metadata, as "a fairly radical departure". Related changes will be the ability to define groups within groups and the addition of new metadata to allow tag cloud classification. Some of the anticipated benefits are the ability to find desired software more easily, the creation of more fine-grained groups and a more intuitive persistence of groups.

One apparent sticking point raised by Bill Nottingham was that the flattening of the package levels included the removal of "conditional" packages and "[...] a large portion of the language support is built around conditional packages." Seth argued[4] that removing conditional packages was something which was desirable whether or not this particular initiative took hold. This seemed like a problem especially for KDE but Bill prototyped[5] a yum plugin to solve the problem.

Some examples in which removing a metapackage would not remove dependencies installed to satisfy the metapackage were teased out[6][7] in conversations between Josh Boyer and Seth and Jesse Keating.

Florian Festi thought[8] that the list of problems to be solved should be expanded to include how multilib is handled, the proliferation of noarch subpackages and poor implementations of parts of the tool-chain. He also emphasized that with the "increasing number of languages supported and packages being properly translated we ship more and more language dependent content the users are not interested in. We are currently missing both a way to package these contents properly and a mechanism to control which should be actually installed."

[1] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00733.html

[2] http://fedoraproject.org/wiki/FUDCon

[3] http://fedoraproject.org/wiki/PackageMaintainers/CompsXml#How_comps_is_used

[4] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00748.html

[5] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00882.html

[6] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00751.html

[7] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00777.html

[8] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00841.html

New GPG Signing Keys for Each Release

Jesse Keating asked[1] what value Fedora users perceived in the presence of the "[...] two gpg keys per release, one for rawhide/updates-testing and one for the final release and stable updates."

Todd Zullinger suggested[2] that eschewing the importation of the "updates-testing" key would ensure that "[...] no packages from updates-testing are installed on a box [.]" Casey Dahlin disliked[3] such a use of keys to categorize things.

Todd asked if each new release would come with a new key, similar to the way this was handled after the infrastructure intrusion. He balanced the sense of confidence given by keeping a key around for a "reasonably long time" versus the mitigation of "the lack of any way to revoke a key in the rpm db [.]" Jesse confirmed[4] "[...] yes, we plan to use new keys each release. We can use gpg web-"-trust thing and sign the new keys with the old keys and whatnot, does that actually help people?"

Douglas E. Warner and Steve Grubb worried[5] that the inability to revoke keys exposed machines to repository metadata attacks and Steve revealed[6] that the import of keys is "[...] one of the few security sensitive actions that is not put into the audit system."

[1] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00999.html

[2] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01001.html

[3] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01020.html

[4] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01003.html

[5] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01036.html

[6] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01050.html

libssl.so.7 Going Through a Bumpy Patch

Tomas Mraz advised[1] that he was going to build a new OpenSSL in rawhide which would require a soname bump due to minor breakage of the ABI. As a transitional measure he intended to temporarily provide symlinks to the old soname so that most of the 288 affected packages should continue working until they were rebuilt. Jesse Keating expressed[2] disquiet with the timing as the large number of rebuilds would be "[...] likely to break buildroots, break anaconda composes, break installs, break users. This isn't the kind of crap we want to land in rawhide just before a freeze, and just before an effort to turn that freeze into something usable. PLEASE wait until after Alpha has been cut to do this." He seemed slightly mollified[3] by Tomas' use of compatibility symlinks and rpm provides.

When Benny Amorsen wondered why such breakage was occurring again with openssl, Tomas explained[4] that the design "declar[ed] some important structures which have to be changed/extended with new functionality in the public headers. Unless they move these structures to private headers this situation is going to happen again." Christopher Aillon joked[5] that it was happening again because Benny had not ported his applications to use NSS (see FWN#107[6]).

Later Horst von Brand reported[7] widespread problems with many packages which seemed to fail. Ralf Ertzinger explained[8] that "[t]he problem is that the openssl package was supposed to contain symlinks for libssl.so.7 and libcrypto.so.7, and rpm -ql says that the package does contain them, but they are, in fact, missing from the filesystem."

Tomas Mraz scrambled[9][10] to sort out the problem by trying to run ldconfig in the %post of the openssl package. Kevin Kofler suggested[11] a possible cause.

Jesse Keating fretted[12] that all of this was exactly what he did not want just before next week's alpha freeze[13].

[1] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00758.html

[2] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00761.html

[3] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00764.html

[4] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00880.html

[5] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00977.html

[6] https://fedoraproject.org/wiki/FWN/Issue107#Crypto_Consolidation

[7] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00941.html

[8] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00942.html

[9] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00943.html

[10] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00946.html

[11] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01051.html

[12] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01000.html

[13] https://fedoraproject.org/wiki/Releases/11/Schedule

MinGW Package Reviews Requested

Richard W.M. Jones noted[1] that the rapid development cycle[2] meant that Fedora 11 was already approaching (2009-01-20) alpha-freeze and asked for package reviews of the outstanding parts of the MinGW Windows cross-compiler feature[3]. He offered to trade reviews with interested parties and provided links to outstanding reviews.

There is apparently no question that the feature, which will allow generation of Windows targets on Fedora, will slip from Fedora 11.

[1] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00793.html

[2] https://fedoraproject.org/wiki/Releases/11/Schedule

[3] https://fedoraproject.org/wiki/Features/Windows_cross_compiler

MySQL 5.1 Coming to Rawhide After Alpha-Freeze

A heads-up was posted[1] by Tom Lane to advise that mysql-5.1.30 would be pushed into rawhide immediately after the alpha freeze. He warned: "This involves an ABI break: libmysqlclient.so has increased its major version number from 15 to 16 [...]" and provided a list of affected packages along with the offer to launch rebuilds for anyone who wished.

[1] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00721.html

Spins SIG Controversy

A vigorous disagreement erupted when Jeroen van Meeuwen announced[1] that the Spins SIG[2] would henceforth be having meetings every two weeks (Jeroen later rescheduled[3] the meeting to Mondays at 17:00 UTC) and that the first meeting would be to finalize a new process arrived at during the last FUDCon.

Rahul Sundaram contended[4] that "[s]uch decisions shouldn't be taken at FUDCon because it automatically excludes people who cannot be present at the event. You should use the events only to discuss the issues and make the decisions over mailing lists or irc where others can participate as well." A long thread mostly involving just Rahul, Jeroen and Josh Boyer resulted.

In response to Rahul's point that the new process was onerous as it mandated a weekly compose and report, Josh Boyer seemed[5] to be of the opinion that this was a good thing. Bill Nottingham added[6]: "It's not really adding anything to the amount of work that needs to be done, in total. It's just shifting around who it gets done by and when."

Some weight was given to Rahul's argument that the method of arriving at the new process was a problem when Jeroen posted[7] that no minutes had been kept of the meeting and pointed to a "5-minute after best-recollection of what happened" summary on the wiki[8] as a source of information.

Jesse Keating argued[9] that FUDCon was a useful, "high-bandwidth" means of having discussions and that public email was too slow to make decisions compared to IRC, IM, phone and face-to-face meetings. Subsequently he added that the result of the FUDCon discussions was a proposal and not a decision and suggested that unless the skeleton process was approved quickly then there might be no spins for Fedora 11. Rahul responded[10] that the original post had been a simple declaration which did not suggest it was merely a proposal. Rahul added[11] that there was a need to clarify the process in order to avoid the confusion of the past.

[1] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00695.html

[2] http://fedoraproject.org/wiki/SIGs/Spins

[3] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00782.html

[4] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00789.html

[5] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00811.html

[6] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00826.html

[7] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00838.html

[8] http://fedoraproject.org/wiki/SIGs/Spins_NewProcess

[9] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00864.html

[10] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00872.html

[11] https://www.redhat.com/archives/fedora-devel-list/2009-January/msg00874.html

Documentation

In this section, we cover the Fedora Documentation Project.

http://fedoraproject.org/wiki/DocsProject

Contributing Writer: Jason Taylor

Fedora Content Management System (CMS)

There has been a need for a CMS within the project and there will soon be a decision made in this regard. Karsten posted[0] the reasoning behind moving to a CMS[1] and the need for people with CMS administration experience to lend a hand.

[0] https://www.redhat.com/archives/fedora-docs-list/2009-January/msg00077.html

[1] https://fedoraproject.org/wiki/CMS_solution_for_Fedora_Project_websites#Background

Translation

This section covers the news surrounding the Fedora Translation (L10n) Project.

http://fedoraproject.org/wiki/L10N

Contributing Writer: Runa Bhattacharjee

Dimitris Glezos Appointed to the Fedora Board

The current chair of the Fedora Localization Steering Committee (FLSCo), Dimitris Glezos, has been selected[1] to fill one of the appointed seats on the Fedora Board[2].

[1] https://www.redhat.com/archives/fedora-announce-list/2009-January/msg00007.html

[2] http://fedoraproject.org/wiki/Board

New Team for Kashmiri and New Coordinator for Marathi

Rakesh Pandit announced[2] the start of the Kashmiri Translation Project for Fedora. The Marathi Translation team found its new coordinator in Sandeep Shedmake[3].


[2] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00040.html

[3] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00073.html

PackageKit Translations for Fedora 11

Richard Hughes, the maintainer of PackageKit, announced that a new version of the package would be released in a couple of weeks and that this version would be included in Fedora 11. He mentioned that quite a few popular languages do not have complete translations at the moment. Translators can mail the PackageKit mailing list with queries regarding translatable strings[4]. Meanwhile, it has been noticed that both the GNOME and Fedora status pages do not contain updated translation statistics for this package[5].

[4] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00071.html

[5] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00075.html

Confusion over Translations for Newly Coined Words

Richard van der Luit brought forward an interesting problem related to the translation of newly coined English words which are specifically targeted at computer science[6]. The word in question is "untrusted", which differs from the general English antonym for "trusted".

[6] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00080.html

Branching of Fedora Packages

Ankit Patel started a discussion about the availability of a branching process in the VCS for Fedora packages, to provide for backporting of translations[7]. Miloslav Trmac (Mirek) suggested submitting patches in bugzilla for such cases, as upstream packages generally do not branch out for versions in the distributions[8]. Linking up the translation interface with an automated bug submission process was suggested by Asgeir Frimannsson as a possible solution[9]. Discussions still continue, listing merits and demerits of the possibility of large-scale backporting via bugzilla and separation of the translations from the packages.

[7] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00046.html

[8] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00047.html

[9] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00051.html

New Members in FLP

Zak Wang from Hunan, China[10] joined the Simplified Chinese team and Rakesh Pandit joined to start the Kashmiri Team for Fedora[11].

[10] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00068.html

[11] https://www.redhat.com/archives/fedora-trans-list/2009-January/msg00040.html

Artwork

In this section, we cover the Fedora Artwork Project.

http://fedoraproject.org/wiki/Artwork

Contributing Writer: Nicu Buculei

Theming Fedora 11

For this release cycle, the Art team is trying a slightly different process, linking the desktop theme to the release name. Just after the codename "Leonidas" was announced for Fedora 11, the process started with Máirín Duffy proposing[1] on @fedora-art two possible approaches: navigation, "We could get some inspiration from traditional nautical tools, like compasses, navigational charts, telescope, all that kind of stuff. It could have a kind of steampunk look", and water, "Or we can get some inspiration from water and water traffic. For example, imagine time lapse photos of a river in a city over the course of a day, with folks rowing crew in the morning, sailing in the afternoon, with tour/party boats coming through in the evening - for the time-lapse wallpaper".

[1] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00034.html

Nicu Buculei observes[2] that even if the release name is based on a historical ship, most people will associate it with the ancient Greek hero: "Technically the vote was for the ship but I am sure (and the reaction after the announcement are a reassurance) most people voted for the Spartan". He supports a theme based on Ancient Greek culture: "So I am thinking about the Golden ratio, used a lot in the Ancient Greek architecture, notably on the Parthenon and probably a graphic based on the Golden ratio would be fit". This take was endorsed[3] by Samuele Storari, "The Hellenic age was the top of the ancient greece time and it spouse the first concept as well, maybe we can use a steam punk, futuristic theme for the old art", and by Konstantinos Antonakoglou[4], "Basically, I imagine a trireme-like, or even an ancient fish-boat (with or without the Fedora logo on its sail :P) sailing on a sea of stars (with splashes on its front). I guess it can be combined with the golden ratio, math etc."

[2] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00045.html

[3] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00046.html

[4] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00047.html

At the same time, Charlie Brej noted[5] some possible inadvertent uses of the release name "The only problem is the theme should be as acceptable to as many people as possible. So, for the Leonidas theme we should stay away from: violence, nudity, blood, glorification of war, nationalistic sentiments etc..."

[5] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00048.html

Mark reiterated[6] his old idea of reusing the theme of an older release, "How do you guys feel about a full theme in the old fedora (Core 1 till 4) colors? The link with the F11 name is (just making it up now) : Reviving old days. (the name represents something old and the theme represents the beginning years of fedora)", an idea not liked by the rest of the team, as noted by Máirín Duffy[7] and Luya Tshimbalanga[8].

[6] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00053.html

[7] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00054.html

[8] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00055.html

Máirín Duffy started[9] a wiki page[10] to collect all the proposals; keep an eye on it to follow the development.

[9] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00050.html

[10] https://fedoraproject.org/wiki/Artwork/F11_Artwork

Closely related to the theme development is the draft schedule[11] for the Art Team proposed[12] by John Poelstra.

[11] http://poelstra.fedorapeople.org/schedules/f-11/f-11-art-tasks.html

[12] https://www.redhat.com/archives/fedora-art-list/2009-January/msg00058.html

Security Advisories

In this section, we cover Security Advisories from fedora-package-announce.

https://www.redhat.com/mailman/listinfo/fedora-package-announce

Contributing Writer: David Nalley

Fedora 10 Security Advisories

Fedora 9 Security Advisories

Virtualization

In this section, we cover discussion on the @et-mgmnt-tools-list, @fedora-xen-list, @libvirt-list and @ovirt-devel-list of Fedora virtualization technologies.

Contributing Writer: Dale Bewley

Libvirt List

This section contains the discussion happening on the libvir-list.

sVirt 0.30 Released

James Morris announced[1] "the release of v0.30 of sVirt[2], a project to add security labeling support to Linux-based virtualization."

[1] http://www.redhat.com/archives/libvir-list/2009-January/msg00158.html

[2] http://selinuxproject.org/page/SVirt

sVirt Qemu Hurdles

Daniel J Walsh began to work on the sVirt lock down of the qemu process, and saw[1] a problem with "the qemu binaries are being used to both setup the guest image environment and then to run the guest image."

"The problem with this is the act of installing an image or setting up the environment an image runs within requires much more privileges than actually running the image."

"SELinux runs best when one processes forks/execs another process this allows us to run the two processes under different labels. Each process with the privileges required to run."

[1] http://www.redhat.com/archives/libvir-list/2009-January/msg00198.html

Fine Grained Access Controls

Konrad Eriksson desired[1] "an addition[2] to libvirt that enables access control on individual actions and data that can be accessed through the library API. This could take the form of an AC-module that, based on the identity of the caller, checks each call and grants/denies access to carry out the action (could also take parameters in account) and optionally filter the return data. The AC-module could then interface different backend AC solutions (SELinux, RBAC, ...) or alternatively implement an internal scheme."

Daniel P. Berrange pointed[3] out how this relates to sVirt. "At this stage sVirt is primarily about protecting guests from each other, and protecting the host from guests. Konrad's suggestions are about protecting guests/hosts from administrators, by providing more fine grained control over what libvirt APIs an admin can invoke & on what objects. Both bits of work are required & are complementary to each other."

[1] http://www.redhat.com/archives/libvir-list/2009-January/msg00282.html

[2] http://wiki.libvirt.org/page/TodoFineGrainedSecurity

[3] http://www.redhat.com/archives/libvir-list/2009-January/msg00362.html

Configuring Host Interfaces RFC

David Lutterkort composed[1] an RFC beginning "For certain applications, we want libvirt to be able to configure host network interfaces in a variety of ways; currently, we are most interested in teaching libvirt how to set up ordinary ethernet interfaces, bridges, bonding and vlan's. Below is a high-level proposal of how that could be done. Please comment copiously ;)"

Adding this type of support struck some as a complex open-ended prospect. John Levon argued[2] "We should be considering why libvirt is /well-placed/ to configure the host. I think it should be pretty clear that it's actually not: the problems around distro differences alone is a good indication. The proposed API is anaemic enough to not be of much use. This is way beyond carving out the physical system into virtual chunks and it's a big step towards lib*virt* becoming libmanagement."

Daniel P. Berrange countered[3] "The existence of many different [implementations] is exactly the reason for libvirt to have this capability. Libvirt is providing a consistent mgmt API for management of guests and host networking interfaces is as much a part of this as the storage management. Libvirt is providing this capability across virtualization technology." He also said[4] "Network interface APIs are the core missing piece of libvirt API functionality IMHO."

[1] http://www.redhat.com/archives/libvir-list/2009-January/msg00350.html

[2] http://www.redhat.com/archives/libvir-list/2009-January/msg00398.html

[3] http://www.redhat.com/archives/libvir-list/2009-January/msg00403.html

[4] http://www.redhat.com/archives/libvir-list/2009-January/msg00414.html