- 1 Fedora Weekly News Issue 84
- 1.1 Announcements
- 1.2 Planet Fedora
- 1.3 Developments
- 1.3.1 Packaging Extensions for Mozilla Applications: Security Implications
- 1.3.2 L10N Issue With system-config-samba, Support or Bugreport?
- 1.3.3 Fedora 7 Release Notes Freeze: Going, going ...
- 1.3.4 Broken Dependencies in Fedora Extras. Mikmod To Be Reverted. Packagers: Watch For Dlopens!
- 1.3.5 KDE LiveCD -- English Only, And Which parted GUI?
- 1.3.6 Mass Package Rebuilds - Papering Over Cracks or Shaking the Tree?
- 1.3.7 Extras i386 Mock Rebuild -- Large Number of Failures Due to Yum Bug
- 1.3.8 How To Deal With Binary Incompatibility Introduced By Compiler Changes
- 1.3.9 The Great PERL Package Split
- 1.3.10 Add Option To Experiment With updates-testing To Firstboot?
- 1.4 Maintainers
- 1.5 Documentation
- 1.6 Translation
- 1.7 Infrastructure
- 1.8 Artwork
- 1.9 Security Week
- 1.10 Security Advisories
- 1.11 Events and Meetings
- 1.11.1 Release Engineering Meeting: 2007-04-16
- 1.11.2 Release Engineering Meeting: 2007-04-19
- 1.11.3 Packaging Committee Meeting: 2007-04-17
- 1.11.4 FESCo Meeting Summary for 2007-04-19
- 1.11.5 Event Report: ICT Week - PETRONAS University of Technology (Malaysia)
- 1.11.6 Event Report: FISL 8.0 (Brazil)
- 1.12 Feedback
Fedora Weekly News Issue 84
Welcome to Fedora Weekly News Issue 84 for the week of April 15th through April 21st, 2007. The latest issue can always be found here and the RSS feed can be found here.
In this section, we cover announcements from various projects.
F7T4 and SATA/IDE Testing (This Means You!)
WillWoods announces in fedora-test-list - This is your early warning that F7 Test4 - the last of the pre-F7 test releases - is coming out NEXT WEEK.
IF YOU HAVE BEEN HAVING PROBLEMS WITH DISK DETECTION AND/OR OTHER DISK-RELATED THINGS, please read this!
One of the biggest changes in F7 is the new IDE driver stack, which uses libata (like the SATA drivers do). Not only are IDE hard drives now called /dev/sdX, but they're using new and interesting code. This could be (and has been) causing some problems relating to drive detection at boot time and install time, especially with upgrades from FC6 and earlier.
Multi-Lingual Release Announcement
KarstenWade announces in fedora-marketing-list - The time has come to produce the final list of talking points we want covered in the F7 release.
By producing this list, we are enabling writers to write a native-language, region-specific version of the Fedora 7 release announcement.
firstname.lastname@example.org is going away
MikeMcGrath announces in fedora-announce-list - Please note that in one week (April 25th) email@example.com email addresses are going away.
These reasons are purely technical. People that need exceptions should contact someone on the infrastructure team or stop by #fedora-admin on irc.freenode.net for consideration on a case by case basis.
In this section, we cover a highlight of Planet Fedora - an aggregation of blogs from worldwide Fedora contributors.
The XO in the Real World
JohnPalmieri points out in his blog - "The FISL congress is over and it was great talking to the enormous amount of people who showed interest in the XO learning laptop and the OLPC project. It was nice to see people’s interest turn into large smiles by the time I was done explaining the project and answering their questions. Many stayed for fifteen minutes or more and some even came back multiple times to play around with the machines and ask more questions."
"The experience made the long hours working the booth worth it. It also affirmed to me the real reasons I decided to work on the project when given the chance to switch from Red Hat’s desktop group."
Pidgin hits Rawhide
WarrenTogami points out in his blog - "A pre-beta7 snapshot of pidgin-2.0.0 is in FE7, and gaim is now removed from Core. This gives us a small window for gaim-* plugin package maintainers to rename the plugin packages, and for everyone to test that an upgrade from gaim to pidgin goes smoothly for the core application and all plugins."
"nautilus-sendto seemed to be the only package within Core with a dep on gaim. I have rebuilt nautilus-sendto without that gaim dep for now. We will be able to re-add it later only after the distributions are merged, since pidgin is now in Extras. We have put pidgin directly into Extras in order to avoid issues where it must build against other packages in Extras like meanwhile-devel."
Design a Linux logo for an Indy Racing Car
MairinDuffy points out in her blog - "Thought you open source artists out there might be interested: Tux 500 Logo Contest"
Volunteers Needed on Fedora Docs Project
JohnBabich points out in his blog - "I am reading with concern regarding the great work that three individuals are doing on the Fedora 7 Release Notes: Paul, Rahul and Karsten. They do a terrific job with the result being best-in-class documentation for each release of Fedora Linux. They are three highly-committed people who work behind-the-scenes to do a mostly thankless job."
"Therefore, I am appealing to the Fedora community (and beyond) to contribute time and talent to help keep Fedora one of the best community distros available."
In this section, we cover the problems/solutions, people/personalities, and ups/downs of the endless discussions on Fedora Developments.
Packaging Extensions for Mozilla Applications: Security Implications
Firefox, Thunderbird, and other applications often have optional and popular functional extensions available. The code for these does not pass through the Fedora packaging process, and updating or removing them is not recorded in the rpmdb, so external code is installed without trace in the applications with the most security problems.
VilleSkyttä remembered a conversation from the past that suggested there was some interest in packaging the extensions. He was specifically interested in making it easier to obtain a 64-bit version of enigmail. ChristopherAillon responded that the only way he could see of doing it was a bit ugly: querying RPM in %post and requiring triggers. OwenTaylor had a contrasting experience with mugshot, which uses triggers but avoids the RPM queries; it might be useful to anyone seeking to package Firefox extensions.
EnricoScholz wondered [4a] why Firefox was packaged in a way that seemed inimical to an rpm-based system (using versioned directories in /usr/lib). Christopher explained that this was because of a non-stable ABI, and that Enrico's proposed alternatives seemed a bit hackish [4b], but Enrico remained unconvinced based on his experience with packaging 15 extensions for Firefox-1.5. OwenTaylor agreed with Enrico that the packaging of Firefox seemed to have no advantage other than for parallel installs of different versions [4c].
Countering, EnricoScholz brought up the security angle and also the simplicity and ease of use that we've all grown accustomed to from Fedora's repositories. ChristopherAillon introduced a distinction between trust and security and referenced the recent Mozilla Developer's Summit that discussed this issue, leading AndrewOverholt to request further details to aid in a similar problem facing Eclipse packagers.
This was an interesting discussion that could affect a large number of projects. Extensibility through scripting is something that many applications offer, and if there's an easy way to re-use other people's code, then that will be taken by many end users regardless of risks.
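One way to check for the situation described above, as an added example that is not from the Fedora thread or any Fedora tool: a POSIX shell helper that lists files under an extensions directory that no RPM package owns, using `rpm -qf`. The function names, the `OWNER_CHECK` override and the directory passed in are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Fedora tooling): report extension files the rpmdb has no
# record of. Function names and OWNER_CHECK are assumptions of this example.

# rpm_owns FILE: true when some installed package owns FILE.
# `rpm -qf` exits non-zero for a file that no package owns.
rpm_owns() { rpm -qf "$1" >/dev/null 2>&1; }

# OWNER_CHECK can be pointed at another command or function for testing.
: "${OWNER_CHECK:=rpm_owns}"

# unowned_files DIR...: print every regular file under DIR that fails the
# ownership check, one path per line (paths containing newlines unsupported).
unowned_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -print | sort | while IFS= read -r f; do
            "$OWNER_CHECK" "$f" </dev/null || printf '%s\n' "$f"
        done
    done
}

# unowned_summary EXT_ROOT...: group the unowned files by extension directory
# (first path component below EXT_ROOT) and print "<count> <extension dir>".
unowned_summary() {
    for root in "$@"; do
        root=${root%/}
        unowned_files "$root" | ROOT="$root/" awk '
            index($0, ENVIRON["ROOT"]) == 1 {
                rest = substr($0, length(ENVIRON["ROOT"]) + 1)
                split(rest, parts, "/")
                count[ENVIRON["ROOT"] parts[1]]++
            }
            END { for (k in count) printf "%d %s\n", count[k], k }' | sort -k2
    done
}

# Run against the directories given on the command line, for example a
# system-wide extensions directory (path is an assumption; adjust locally):
#   sh audit-extensions.sh /usr/lib/firefox-*/extensions
if [ "$#" -gt 0 ]; then
    unowned_summary "$@"
fi
```

Extensions installed into a per-user profile are never owned by a package, so every file there will be reported.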
L10N Issue With system-config-samba, Support or Bugreport?
In a pleasant and productive exchange, AlainPortal pointed out some problems with the presence of two strings in a pot file, leading to a non-translatable interface for system-config-samba. His attempts to get the attention of the maintainer prompted a gentle caution from GilboaDavara that @fedora-devel was not a support list and that it would be better to file a bugzilla entry.
The developer, NilsPhillipsen, wasn't disturbed and didn't think that he was being pestered for support, and encouraged a bugzilla entry.
pot files are a standard, human-readable way of providing for localization of strings in software. http://www.gnu.org/software/gettext/manual/gettext.html#Files
Fedora 7 Release Notes Freeze: Going, going ...
KarstenWade announced on Friday April 20th 2007 that there were only 24 hours to get changes to the release notes incorporated into the ISO. The good news is that the Web-based release notes can be updated any time, so if you miss(ed) this deadline, then you can still communicate essential information.
For those of us that have suffered with weird Sony VAIO cdrom install issues in the past, ChuckAnderson raised a very useful question about whether the current information in the release notes was useful (after the move to libata).
AlanCox was worried that anyone that had one of these VAIOs (with external CDROM) would not be able to install F7 and asked that if anyone does have one, to do an "lspci -vxxxx" with the cardbus controller inserted and to send it to him.
Broken Dependencies in Fedora Extras. Mikmod To Be Reverted. Packagers: Watch For Dlopens!
The April 19th 2007 automatically generated report of broken dependencies in Fedora Extras revealed that an update of mikmod was playing havoc with a lot of packages. HansdeGoede was one of the maintainers of many of these and along with others argued that it was far too late in the release cycle to introduce a change like this.
JindrichNovy agreed, and while admitting to being the guilty party, explained that mikmod was pretty stagnant and that the beta fork had some worthwhile improvements. He suggested making this change after the release of F7.
DominikMierzejewski ('Rathann') was bitten by the perl packaging problems mentioned in this same FWN issue.
After HansdeGoede suggested that the list might be incomplete, MichaelSchwendt asserted that the tool that generates these reports (repoclosure) was pretty smart. Hans didn't deny this but wondered if it would miss some specific cases, such as a library being explicitly loaded within code by dlopen, and thus avoiding rpm's autodependency generation. Michael assented to this and said that it was the responsibility of the packager to look out for this sort of thing.
KDE LiveCD -- English Only, And Which parted GUI?
The KDE LiveCD team has been making great strides to showcase what this highly polished desktop environment can bring to the Fedora user experience.
SebastianVahl was concerned that this LiveCD is only available in English and he proposed two directions in which localized versions might be made available. These boil down to either making a huge DVD, or else to making a good tutorial so that users of other languages can localize the CD for themselves. Comments are solicited.
A decision also needs to be made about whether to go with gparted or qtparted. According to CallumLerwick, GilboaDavara, and FrankSchmitt, ntfs-formatted partitions can be resized with gparted but not with qtparted (which is seemingly unmaintained since 2004), and gparted is going into the LiveCD on that basis.
Mass Package Rebuilds - Papering Over Cracks or Shaking the Tree?
JohnPoelstra posted details of the Release Engineering Meeting. ThorstenLeemhuis was against one of the decisions made in the meeting: the rebuilding en masse of all packages at Test2 release time. His worries about the bandwidth impact versus the potential gains were discussed with DaveJones, who wondered if those that could be affected were likely to be running rawhide. Thorsten argued that while they might not, they could still be affected if they simply tried to upgrade from a stable release of Fedora N to Fedora N+1. A brief exchange with AxelThimm unearthed the difficulty of obtaining concrete historical data as to what extent Fedora was rebuilt in the past, but the figures looked high.
In a separate branch of the same discussion, Axel came out very strongly in favor of the rebuilds, asserting that in essence avoiding rebuilds is just papering over the cracks and shifting bugs from development to maintenance, and that it is better to identify security and other problems and fix them prior to release.
Following input from JakubJelinek, JesseKeating noted that rebuilds should not be carried out merely to shake the tree and see what falls out, but when there are specific problems expected due to large changes in some critical components.
Extras i386 Mock Rebuild -- Large Number of Failures Due to Yum Bug
MattDomsch posted the latest report on Dell's rebuilding of Extras packages in mock. As usual, this report contains details of how many packages built/failed to build successfully. MamoruTasaka noticed that one of the reported failures actually built successfully for him.
HansdeGoede and MarcinZajączkowski were also surprised to see their names appear and didn't think there was a reason for their packages to break. JesseKeating noticed that the version of yum being used by Matt was lacking a crucial bug fix and that many of the failures were a result of that rather than a problem with the packages themselves. The errors were false-negatives rather than false-positives and Matt wasn't too concerned about having to rebuild the tiny fraction compared to the thousands that had been successfully processed.
How To Deal With Binary Incompatibility Introduced By Compiler Changes
As always, Fedora aggressively pursues the latest stable versions of software, including essential components of the compiler toolchain.
PatriceDumas was worried about the potential for binary incompatibility resulting from the introduction of gfortran as a replacement for the aging g77. AndrewHaley sought clarification of the problem that Patrice was trying to solve, suggesting that using an "soname" was the usual way to track changes in the Application Binary Interface (ABI) [2a]. Patrice argued that this would lead to using a different soname version in Fedora than was being used upstream.
It seemed that there was some confusion and JakubJelinek helpfully suggested that what was at issue was not the binary compatibility of essential compiler libraries, but rather the potential for creating a namespace clash between sonames of other libraries that have been built with different ABI versions of the compiler. This would make user-compiled binaries made with older versions of the library fail to link properly to the library, but it would not be possible to detect the error because the soname would be the same. Jakub clarified that what should be done is to talk to upstream for each library about a name change.
LinusWalleij, EmmanuelSeyman, and AndrewHaley further clarified that rebuilding all these user-compiled programs dependent on a library with a non-stable ABI was The Fedora Way. Linus also suggested that getting the programs into Fedora if they were generally useful would be a good idea and observed that many vendors target RHEL instead because they like the stability of the ABI whereas Fedora will do (within reason) whatever is innovative. Patrice seemed happy with the outcome, but also believed that more documentation about ABI practices was required.
The Great PERL Package Split
In line with the principle of modularizing packages as much as possible, RobinNorwood announced the splitting of development packages out of the main perl package. The current situation is that each current perl package has a "BuildRequires:perl-devel" dependency. This results in users being concerned and confused that they have a "devel" package on their system when they did not request it.
Robin outlined the two main ways of fixing this as discussed on @fedora-perl-devel: 1) fix each package by removing the requires; 2) fix each package and also split out 5, or so, other development related packages and add them to the buildroots. Robin sought feedback from maintainers on their preferred option.
Some early feedback from key project members indicated that such major restructuring would be preferred after the release of F7. Robin, while apologizing for the late timing, pointed out the benefits and relatively low cost as he saw it. MattDomsch wondered how widespread the breakage would be and JasonLTibbitts and ChrisAdams made some estimates, noting that it wasn't only every perl-<somename> package, but at least 100 others. MattMiller and others argued that such breakage would quickly alert the package owner who could then fix it easily. VilleSkyttä and RalfCorsepius raised problems with this fix.
RalfCorsepius and ChrisAdams wondered about the problem of a package that was generated using autoconf, which would just leave any optional perl dependencies out and build the package without failure, but with reduced functionality. This was agreed to be a corner-case that could be neglected.
JesseKeating and ChrisWeyl were concerned with the problem of what might be, in effect, a Fedora-centric redefinition of what could be considered to be "core" PERL modules. Jesse's over-riding concern was that anyone wanting to rebuild from shipped SRPMs should be able to do so easily.
Add Option To Experiment With updates-testing To Firstboot?
Following up on a suggestion of DaveJones', ChrisBrown suggested that firstboot be modified to ask users whether they wanted access to the updates-testing packages. WillWoods thought that it would be better to draw attention to, and inform users about, repoman. One of the concerns that Chris sought to address is that updates-testing gets little actual testing. LukeMacken and JackTanner discussed the problem of removing packages from updates-testing that had failed community QA; in passing, Luke noted that in future all non-security updates would have to pass through testing, which might help to revitalize it. Luke also drew attention to bodhi, which should make pushing updates easier in the future.
In this section, we cover Fedora Maintainers, the group of people who maintain the software packages in Fedora
How To Handle GPL Exceptions
Starting off the week on the fedora-maintainers-list was a question from a concerned Fedora package reviewer who was unsure how to handle an exception clause in the GPL license. Rahul Sundaram chimed in saying that if the GPL exception restricts the license it may cause problems, but if it's more lax then it should be fine.
Release Notes Freeze For Fedora 7
This week also marked the freeze for the ISO-based release notes. Changes to the release notes now only affect the web-based release notes as the process of converting the release notes from the Wiki to XML has started.
In this section, we cover the Fedora Documentation Project.
FDSCo Meeting Minutes
Both the log and the summary for the 2007-04-15 meeting are available here:
The main topics included updates to the Desktop User Guide for Fedora 7, Fedora 7 Test 4 release notes, some more Google Summer of Code thoughts and also some discussions about the Administration Guide.
Invite a Member
The new Fedora accounts system will have the ability for existing members to invite friends, or others they think would be interested in helping out with Fedora, to join the project. MikeMcGrath requested ideas on the best phrasing for these e-mail invites. PaulWFrields replied with his suggestion of an appropriate message.
Default Home Page Links
There was a proposal that it might be a good idea to include links to some sites related to Free Culture, in a broader sense than software alone, on the default Fedora 7 home page. The original proposal suggested that sites such as Jamendo or Magnatune would be a worthwhile addition. Concerns were raised that this might transform the home page into an advertising medium, resulting in some users losing faith in the standards of the home page. Perhaps this is an opportunity to define exactly what criteria are required for inclusion in the homepage.
The Virtualization Guide needed updating for Fedora 7 to include information on KVM, which was promptly addressed.
In this section, we cover the news surrounding the Fedora Translation (L10n) Project.
PaulFrields posted this message which detailed the changes to xml2po (now xml2po -e). He also mentioned that the number of fuzzy entries appears to be fewer than initially thought.
In this section, we cover Fedora Infrastructure Project.
MikeMcGrath made the email changes discussed last week so that the firstname.lastname@example.org addresses are no longer valid. The change was made because of duplication and processing problems.
In this section, we cover Fedora Artwork Project.
MatthiasClasen reports that, while investigating the possibility of including SVGs in the Echo package to improve coverage of smaller icons, the size of the echo-icon-theme package increases to 70MB. This led to the discovery that some of the larger icons suffer from a number of bloat problems revolving around jpeg thumbnails and excess XML tags. A script was written that removes a lot of this bloat, reducing the size of some icons considerably: 416K to 18K in one case. There are still some problems with this script, resulting in some icons not rendering correctly, but it is being worked on constantly.
Default Test 4 Icon Theme
As a result of the inclusion of Echo SVGs not being the quick-fix for smaller size coverage that was hoped, MatthiasClasen proposed that Bluecurve/Clearlooks may have to fall back to the default Fedora 7 icon theme. This led to some discussion about possible alternative icon themes for Fedora 7 and Mist appeared as a popular choice; Mist has now been made the default icon theme for Fedora 7 Test 4.
In this section, we highlight the security stories from the week in Fedora.
Risk report: Two years of Red Hat Enterprise Linux 4
MarkCox wrote an interesting article looking at the last two years of security flaws in Red Hat Enterprise Linux 4. The information in this article is interesting to anyone who tracks open source security flaws. There is not a lot of public analysis of open source security flaws. The article does focus on Red Hat Enterprise Linux 4, but the trends represented apply to any Linux distribution.
Macbook hacked at CanSecWest
Apple's OS X is currently gaining attention in the security world. Historically people have considered OS X to be very secure and mostly virus and hack free. This is starting to change as researchers have been paying attention to the Mac lately. Part of this is probably the challenge it presents. Those of us in the Linux world have been enjoying a similar situation. There is little fear of viruses, and as long as one applies security updates, there isn't much fear of being compromised.
There are many people who will argue that the real reason for this is that Linux is more secure by design. I believe it's a combination of things. Historically Linux users have been a bit more savvy; this is starting to change. In the past, the desktop was also very simple. This too is changing. As Gnome and KDE gain functionality, they also gain more security flaws. For example, the fact that the desktop will display a thumbnail of many different file types gives an attacker a doorway into a system. They of course need to convince a user into downloading a file, but as we've seen from many viruses, this is not as hard as it sounds. I hope that various technologies such as SELinux and Exec-Shield will help keep most of the trash away; the human factor cannot be fixed as easily. As long as people are willing to open attachments, and visit random web sites, viruses will exist. As a friend of mine used to say, "We're OK until the toaster people start using it." The "toaster people" are the normal people confused by the knob on their toasters :)
In this section, we cover Security Advisories from fedora-package-announce.
Fedora Core 6 Security Advisories
- FEDORA-2007-453: tcp_wrappers-7.6-40.3.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-453
- FEDORA-2007-436: coreutils-5.97-12.5.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-436
- FEDORA-2007-434: hplip-1.7.2-3.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-434
- FEDORA-2007-452: openoffice.org-2.0.4-5.5.22 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-452
- FEDORA-2007-451: scim-tables-0.5.7-2.1.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-451
- FEDORA-2007-442: selinux-policy-2.4.6-57.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-442
- FEDORA-2007-447: openoffice.org-2.0.4-5.5.21 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-447
- FEDORA-2007-428: yum-3.0.6-1.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-428
- FEDORA-2007-444: mc-4.6.1a-36.20070124cvs.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-444
- FEDORA-2007-415: php-5.1.6-3.5.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-415
- FEDORA-2007-440: [SECURITY] gstreamer-0.10.11-1.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-440
- FEDORA-2007-383: rhythmbox-0.9.8-2.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-383
- FEDORA-2007-410: tk2-2.10.8-3.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-410
Fedora Core 5 Security Advisories
- FEDORA-2007-455: [SECURITY] php-5.1.6-1.5 - http://fedoraproject.org/wiki/FSA/FC5/FEDORA-2007-455
- FEDORA-2007-454: tcp_wrappers-7.6-40.3.fc5 - http://fedoraproject.org/wiki/FSA/FC5/FEDORA-2007-454
- FEDORA-2007-414: [SECURITY] ImageMagick-188.8.131.52-4.2.1.fc5.8 - http://fedoraproject.org/wiki/FSA/FC5/FEDORA-2007-414
- FEDORA-2007-445: mc-4.6.1a-36.20070124cvs.fc5 - http://fedoraproject.org/wiki/FSA/FC5/FEDORA-2007-445
Events and Meetings
In this section, we cover event reports and meeting summaries from various projects.
Release Engineering Meeting: 2007-04-16
Release Engineering Meeting: 2007-04-19
Packaging Committee Meeting: 2007-04-17
FESCo Meeting Summary for 2007-04-19
Event Report: ICT Week - PETRONAS University of Technology (Malaysia)
Event Report: FISL 8.0 (Brazil)
This document is maintained by the Fedora News Team. Please feel free to contact us to give your feedback. If you'd like to contribute to a future issue of the Fedora Weekly News, please see the Join page to find out how to help.