- 1 Fedora Weekly News Issue 98
- 1.1 Announcements
- 1.2 Planet Fedora
- 1.3 Ask Fedora
- 1.4 Marketing
- 1.5 Developments
- 1.5.1 RPM Roadmap ... Panu Opens Pandora's Box
- 1.5.2 Package Management Craic[*]
- 1.5.3 Pulseaudio Improving Fedora Sound
- 1.5.4 What Should Appear In Desktop Menus
- 1.5.5 Kmods Deprecated
- 1.5.6 New Yum-updatesd (Rawhide Report 20070725)
- 1.5.7 NOTE: Please publicize any license changes to your packages (CONT.)
- 1.5.8 Extra Packages for Enterprise Linux (EPEL) Now Open
- 1.5.9 Abuse Of Fedora Trademark
- 1.5.10 XFS In Anaconda
- 1.6 Translation
- 1.7 Infrastructure
- 1.8 Artwork
- 1.9 Security Week
- 1.10 Daily Package
- 1.11 Advisories and Updates
- 1.12 Events and Meetings
- 1.12.1 Fedora Board Meeting Minutes 2007-MM-DD
- 1.12.2 Fedora Ambassadors Meeting 2007-07-26
- 1.12.3 Fedora Documentation Steering Committee 2007-MM-DD
- 1.12.4 Fedora Engineering Steering Committee Meeting 2007-07-26
- 1.12.5 Fedora Extra Packages for Enterprise Linux Meeting (Log) 2007-07-26
- 1.12.6 Fedora Infrastructure Meeting (Log) 2007-07-26
- 1.12.7 Fedora Packaging Committee Meeting 2007-MM-DD
- 1.12.8 Fedora Release Engineering Meeting 2007-07-23
- 1.12.9 Fedora Translation Project Meeting (Log) 2007-07-24
Fedora Weekly News Issue 98
Welcome to Fedora Weekly News Issue 98 for the week of July 22nd, 2007. http://fedoraproject.org/wiki/FWN/Issue98
In this week, we have great announcements for Extra Packages for Enterprise Linux (EPEL), 3000 Fedora 7 Installations as well as FESCo Election Results. Also we are launching a special section called 'Ask Fedora' where you can ask questions to Fedora Project.
In Developments, there are more than enough interesting discussions including RPM Roadmap, Fedora Sound System, Desktop Menus, Licensing and more. In Security Week, our Security Response Team reports a dangerous Firefox Flaw. In Daily Package, you'll find reviews of Fedora packages including Incron, eSpeak, Syslog, Seamonkey, BSD-Games.
To join or give us your feedback, please visit http://fedoraproject.org/wiki/NewsProject/Join.
In this section, we cover announcements from various projects.
Contributing Writer: ThomasChung
Extra Packages for Enterprise Linux (EPEL) Now Open
KarstenWade announces in fedora-announce-list ,
"If you use enterprise-class Linux (EL) distributions derived from Fedora, such as Red Hat Enterprise Linux or CentOS, we have something very exciting for you."
"EPEL is a community of package maintainers working from inside of Fedora. Many are the same people who maintain the Fedora version. Yet, there room for new packages and contributors. Currently, around 1000 packages are available, and we've been growing at the rate of several dozen packages every week."
3000 Fedora 7 installations
NayyarAhmad announces in fedora-ambassadors-list ,
"After a long discussions and few presentation, i have convinced Mozambique Ministry of Finance (SISTAFE) to migrate their workstation around the country from MS Windows to Linux (Fedora 7), now they have officially approved the migration country wide and i will supervise this migration, plus will help them in end user training, its the first time in Mozambique that a Govt. department have opt for Linux (Fedora) and in my opinion it has been a big achievement, as after their migration i will be able to speak with other ministries and private firms."
FESCo Election Results
BrianPepple announces in fedora-announce-list ,
"The FESCo election is over, and the members for the 2007/2008 FESCo are (in alphabetical order): ChristopherAillon, JoshBoyer, TomCallaway, KevinFenzi, DennisGilmore, ChristianIseli, JeremyKatz, JesseKeating, BillNottingham, BrianPepple, JasonTibbitts, WarrenTogami, DavidWoodhouse"
In this section, we cover a highlight of Planet Fedora - an aggregation of blogs from world wide Fedora contributors.
Contributing Writers: ThomasChung
Improving package and system management
RahulSundaram points out in his blog ,
"The most important improvement of course is the ongoing development of wevisor , which as the name indicates is a web interface to revisor that lets you do custom spins of Fedora. Kickstart configuration files can be fed into a number of places such as live cd tools, revisor and wevisor and adds a whole lot of customisability to Fedora."
First rpm.org-RPM version released
RolandWolters points out in his blog ,
"Recently the first version of rpm.org ’s RPM tool was released. While it is only a minor version (22.214.171.124) this release is a milestones because it is a coordinated release between the participating distributions."
Beginning this week, we will collect good and useful questions from users for this special section called 'Ask Fedora'.
Contributing Writers: RahulSundaram, ThomasChung, PaulFrields, ChrisTyler
Questions should exclude topics which are best answered through existing mechanisms. This shouldn't be for "my soundcard doesn't work" questions; it should be for big-picture questions of general interest.
Esoteric hardware troubleshooting problems are a deal-killer, but more general help questions like "How do I edit my menus?" or "How do I find source code for <FOO>?" are good targets.
To submit your questions, please use firstname.lastname@example.org and our news team will *try* to find the best answers and post in the following issue.
In this section, we cover Fedora Marketing Project.
Contributing Writer: ThomasChung
Fedora 8 To Integrate OpenJDK
RahulSundaram reports in fedora-marketing-list ,
""One of the most recently added features to the Fedora 8 feature list is IcedTea , which is the open-source version of Java (OpenJDK). The plan is to make IcedTea the default JPackage environment and will replace GCJ. There are Fedora packages for IcedTea already maintained (at ClassPath.org) and the dependencies needed to build IcedTea can already be found in Fedora Rawhide."
A computer in every pot
RahulSundaram reports in fedora-marketing-list ,
"The user interface is called Sugar and not the OS itself but a good article nevertheless. BBC published a couple of articles with more technical information and videos featuring Christopher Blizzard, lead OLPC team in Red Hat."
Fedora stats offer insight into Linux usage
RahulSundaram reports in fedora-marketing-list ,
Joe 'Zonker' Brockmeier talks with Fedora's Max Spevack about some recently released statistics. "The Fedora Project offered a peek under its kimono recently with details about Fedora 7 adoption and other statistics. Fedora 7 has snagged more than 300,000 users since its release at the end of May. While that sounds pretty good, Fedora Core 6 managed to attract more than 400,000 in roughly the same amount of time after its release. We asked Max Spevack, the Fedora project leader, whether the numbers are telling the full story."
In this section, we cover the problems/solutions, people/personalities, and ups/downs of the endless discussions on Fedora Developments.
Contributing Writer: OisinFeeley
RPM Roadmap ... Panu Opens Pandora's Box
A "slightly bored" PanuMatilainen solicited suggestions for how rpm could be improved. Panu was concerned that non-subscribers to @rpm-maint should get an opportunity to point out deficiencies which could be corrected now that 4.4.x was branched to maintenance mode and it was time to plan the next major release. The result was a thoughtful thread which largely failed to deliver the evil which Panu feared.
The issue of multilib support was first raised by "Dragoran", who thought that "arch requires and provides" should be automatic unless the packager manually intervened. TomCallaway (spot) was strongly in agreement. DavidWoodhouse followed up later by referencing the tracker bugzilla entry which shows the extensive thought and discussion he has put into the issue of multilib support.
DimiPaun posted an extensive list of suggestions including version-control of meta-information to allow admins to pinpoint specific changes due to package updates and the provision of more fine-grained transaction information to external tools. The issue of transactions was also raised separately by MatthiasClasen who requested "a working %posttrans". This prompted requests as to what he found broken, and lead to JeremyKatz explaining that multiple, small transactions were preferable to fewer, large ones due to their robustness in the face of power failure and that once this was achieved there was little advantage of "%posttrans" after "%post". ColinWalters linked to the Stateless Client approach to avoiding power failure problems. Dimi argued that Jeremy might be right about the power-failure scenario, but that for all others multiple transactions would diminish the atomicity and integrity of rpm's workings. SethVidal didn't precisely disagree but seemed to consider that Jeremy's scheme would provide more of the granularity of information that Dimi wanted.
Responding to Dimi's point OwenTaylor returned to the stateless-client model emphasizing that it was important to make system transactions as ACID as possible and not necessarily rpm transactions. Dimi agreed that this was a non-trivial problem and suggested that LVM's snapshot capabilities could help out.
JeffSpaleta wanted some way of marking packages which were installed explicitly (rather than automatically to satisfy dependencies). "Topher" suggested reference counting, prompting Jef to wonder what would be counted and to restate the problem from a dependency-tree perspective. SethVidal was in agreement with Jef that avoiding an external database was prudent, but was cautious about how long it would take to implement labelling such packages.
A sarcastic response from RobertScheck argued that most of what Panu and others were talking about was either already in the rpm5 fork or else planned to be in it. Robert asked for clarification on a couple of points, including MatthiasClasen's wish for smart directory handling. Matthias specified that he thought a package should own all directories it creates or else explicitly require a package which creates a directory which it uses.
There many other interesting suggestions and also some great incidental information about rpm usage. In this category BrunoWolff wished that there were some way of extending the length of rpm's argument list leading JeremyKatz and BillCrawford to point out that hidden away in the manpage is the info that a manifest list (which can include globs) can be used instead of a specific package name.
Similarly MikeChamber's musing about a way to recover from the accidental removal of essential rpm libraries led ManuelWolfshant to point to the "--repackage" option which the manpages say can be used in conjunction with an erase. RobertScheck's claim that rpm5 had a special rollback feature that did this spurred Panu to respond that the "--repackage" option was ancient.
Package Management Craic[*]
In an independently initiated discussion which overlapped with many of the issues discussed in another thread covered here (FWN#98 "RPM Roadmap ... Panu Opens Pandora's Box") RichardHughes asked for comments on one of his recent blog postings. Richard argued that software install and updating tools were prone to information loss, were user-unfriendly, were hard to maintain, and that Ubuntu was at the head of an inferior pack. Richard's main thrust seemed to be to make package management a D-BUS integrated system service and to make the various dependency solvers backends, leading to separation out of the GUI or other interfaces.
An enthusiastic affirmation from "Dragoran" on fixing the problem of "hung" progress-bars in the US by making the API asynchronous was initially squashed by JeremyKatz as rpm/sqlite wouldn't play well with multithreading. DavidZeuthen clarified that multithreading wasn't necessary for an asynchronous API or proposed by Richard.
BillNottingham reminded the list that a similar discussion had been had before with regard to "yum-updatesd" and the choices roughly boiled down to making yum-updatesd so simple that it would not even check the currently installed packages, or extending it to a being a package-manager which could run unprivileged. Bill thought that latter would be a yum/rpm specific version of what Richard was proposing. He noted that the goal of making it work with .debs or other packaging specifications didn't seem interesting to him. SethVidal was highly skeptical[4a] that working to get a common API between the different packager formats was possible, noted the huge amount of coding that would be required and pointed out that rescue-mode would be complicated. Richard had specific rebuttals[4b] of these points and also discussed with Bill the amount of startup time that would be occasioned by his approach.
In specific response to Bill's lack of interest in a common API MatthiasClasen thought that escaping the ghettoization of distro-specific tools to a common upsteam was important and RichardHughes confirmed that the goal of making it simple for users to try new software was important. Bill wondered whether packages as opposed to "mugshot-style distributed apps" were what Richard really had in mind.
SethVidal was also unhappy with having to use D-BUS on webservers (due to what he claimed was its impact on RAM and unnecessary extra complication). ColinWalters disputed the RAM usage claim and DavidZeuthen thought that there would be nothing making Seth install the proposed D-BUS activated simple package management interface. He emphasized "simple".
Offering some mugshot originating code ColinWalters was another enthusiast.
[*] Craic is the healthy Hibernian version of "crack", denoting fun, discussion and general insanity. See http://en.wikipedia.org/wiki/Crack_(craic)
Pulseaudio Improving Fedora Sound
There was a happy conclusion to a thread on the state of sound and audio in Fedora which had been opened by a frustrated DimiPaun. Recounting a series of failures of ALSA since FC6, which were apparently due to kernel updates Dimi concluded that such flakiness with very standard hardware was unacceptable.
TomBrinkman thought that @fedora-devel wasn't the place for such support questions and pointed out that Googling indicated that updating ALSA might work. In response to this and to JosefBacik's request for specific details Dimi explained that it wasn't easy to pin down which kernel caused the problem and that he felt there was a general,underlying malaise in the development process. Dimi expanded on particular flakiness among what he regarded as essential desktop functionality which had become worse in his opinion.
A polite response from HansdeGoede asked for Dimi to substitute high-quality feedback (in the form of filing bugs) instead of inflammatory emails which no one would look at later. RahulSundaram similarly asked whether Dimi had filed bug reports and Dimi answered that he had done so to no effect and that this revealed a process problem which would result in a deluge of useless bug reports were Rahul's advice to be followed. A great response from JosefBacik regretted the problem but suggested that as Fedora merely packages upstream and could benefit from Dimi filing reports against the test-release of F8 so that ICH8 (the culpable sound hardware) would work in F8, Josef also suggested that a more slow-moving distro (e.g. RHEL, CentOS) might carry fewer frustrations.
"Nodata" wanted to look at the actual bugs, so Dimi provided the bugzilla entry and expanded on his point that an apparent cycle of reporting bugs, spending time on them and then being told to report the bugs upstream was being repeated and that it was too great a burden on users.
To complicate the issue "MarkG" and HenkBreimer reported that the apparently same hardware worked fine for them with F7.
A post by "Kelly" recommending the advantages of PulseAudio appeared to provide hope for the positive resolution of this problem. Confirmation of this as a solution was provided when Rahul pointed out that PulseAudio was the default daemon in Fedora8. Kelly helpfully added that s/he had a package which redirected the Adobe Flash through PulseAudio.
Finally, Rahul asked Dimi to try some potted commands to update ALSA and to let him know if it fixed the sound problem.
What Should Appear In Desktop Menus
The debate over whether applications' .desktop files should be setting ShowOnlyIn (see FWN#97 "ShowOnlyIn Another GNOME Conspiracy Unmasked" ) continued to yield disagreement. "Nodata" held out SuSE's "disastrous clutter" as the likely result of bowing to ChristopherStone's desire to make all applications show up in the menu. Chris refused to set foot on this slippery slope and asked again why shouldn't an application which he chose to install show up in the menu?
So far this was a rehash of already covered ground and positions, but JefSpaleta and MattMiller trod a middle course between complete menu mayhem and a straightjacketed system which prevent users from adding icons to their menus as they wished.
Chris didn't think much thought was going into the default menu choices as evidenced by the fact that someone using Xfce (instead of GNOME or KDE) would not see applications like Kate or Banshee show up in their menu. BillNottingham riposted that it also woouldn't make sense to show kreversi and iagno in both GNOME and KDE and wished for a DoNotShowIn in addition to OnlyShowIn. VilleSkyttä drew everyone's attention to NotShowIn.
It seemed that Chris was still in high dudgeon and JesseKeating tried to refocus the discussion on the problem of shared systems and the need to avoid the application menu becoming contaminated with applications installed by users who preferred different desktop environments. Jesse thought the solution was to teach the Xfce equivalent of gnome-menu to ignore the ShowOnlyIn entries in .desktop files.
JonathanUnderwood recalled the old days when there was a KDE submenu in the GNOME menu but "nodata" thought the user experience of having to know about this and hunt around for applications would be unpleasant and it would be better to just provide KDE apps for KDE users and GNOME apps for GNOME users. Chris thought this was "so dumb it makes Microsoft engineers look like friggin' geniuses", but later backed off from the personal element in this remark.
In closing arguments JesseKeating drew Chris's attention again to the problem of multiuser systems and developed the point further when requested.
The discussion seemed to peter out with Chris and Jesse agreeing on the previously stated ideal of working toward making gnome-menu and equivalents able to override ShowOnlyIn.
MarkG was shown by ChristopherStone how to remove the problematic lines from .desktop # desktop-file-install --remove-only-show-in GNOME /usr/share/applications/gnome-banshee.desktop and ChristopherAillon provided a expansion on the idea.
After an invitation from BrianPepple to add items to the agenda for the FESCo meeting an interesting thread developed from HansdeGoede's request for clarity on the "current somewhat grey state of kmods". His proximate reason for this was that ParagN's experience suggested to him that kmods were unlikely to find favour in Fedora because they were not upstream. FlorianLaRoche felt that kmods were worth the pain and also was keen on seeing the gspca kmods supported in Fedora. (See FWN#).
An argument for the straight-out deprecation of kmods in Fedora was made by DavidWoodhouse who thought that instead those using them should be given CVS commit access to maintain patches to the kernel which could be trivially enabled/disabled. A partial disagreement was registered by ThorstenLeemhuis who lobbied for deprecation in the F8 Everything spin and update-proper repository, but the creation of a replacement test repository which would make kmods available to those that needed them. Thorsten argued that there were developers not as comfortable with kernel development as David (or HansdeGoede) who nevertheless produced kmods which were useful to users. Thorsten also thought that some code which had a high probablility of not making it into the upstream (kernel) had a value for select users.
Adding his voice to David's desire to avoid troublesome kernel code was JesseKeating who thought that the overhead imposed on yum/rpm was too high. Thorsten replied to David's statement that "If we don't want it Fedora's kernel RPM, then we don't want it in Fedora at all" with a reiteration of the idea that users may want lots of things that the distro doesn't so a "play" area with clear warning signs should allow them to shoot themselves in the foot if they so desire.
Thorsten also conceded that David had a strong position, but linked the discussion to one happening within the FAB about who comprises Fedora's target audience and suggested that allowing a safe area for experimentation would have benefits in terms of stimulating and retaining interest among people that may later become Fedora developers or maintainers.
HansdeGoede was broadly approving of David's position, not least because it avoided having to delay kernel security updates while waiting for kmods to be fixed. After some discussion JesseKeating's worries that this would result in more frequent kernel updates were dispelled after David outlined how he saw the process playing out in updates and rawhide.
In a related thread RalfCorsepius reported a bizarre result from updating which resulted in an apparently older kmod being installed. Posts by SethVidal suggested that this was due to the proper yum plugin for kmods being absent .
New Yum-updatesd (Rawhide Report 20070725)
A heads-up was called by JeremyKatz drawing attention to a completely re-worked yum-updatesd (see "RPM Roadmap ... Panu Opens Pandora's Box" in this same FWN issue). Jeremy noted that it had been split into a two parts: a small DBUS-enabled daemon and a forked memory process which is unthreaded.
HansdeGoede wanted to know if this fixed his number one reason for not running yum-updatesd: that yum would fail if yum-updatesd was checking for updates. Hans suggested some ways of working around this problem. Jeremy responded that this could still be a problem, but that it was mitigated somewhat by the fact that the process holding a lock on the database would now die-off quickly as it would not get "hung up in thread-land".
In response to Jeremy's rebuttals Hans continued to press some further suggested changes concerning the detection of a collision between the two processes and the response to it.
NOTE: Please publicize any license changes to your packages (CONT.)
JefSpaleta agreed with ThorstenLeemhuis that automatic checking of package licenses with upstream would help ease maintainer load in the simple cases of entire codebases migrating to GPLv3 from a previous license. RalfCorsepius reiterated his assertions that it would not help codebases migrating from license:FOOx to license:BARy, or packages pointing to websites, and furthermore would require a large bureaucracy which would drive away contributors. AndyGreen responded that these cases would be flagged as problems requiring human intervention. Ralf remained unconvinced and invited the Board and the "dark forces" around it to do so without Ralf's help. This drew a certain amount of derision and disbelief and led to the revelation of SethVidal as a self-confessed pusher of the changes to which Ralf objects. Seth wondered how exactly the process he was a part of could be construed as evidence of dark forces and explained that t Ralf replied with a list of "mushrooming" committees trying to "push volunteering contributors around".
While expressing envy of Ralf's imagination NilsPhilippsen drew attention to the distinction between labour-saving automation (of license checking) and bureaucracy.
Further dispuation saw JesseKeating stating that until the FSF figured out how to resolve the incompatibility between GPLv2 and GPLv3 the relicensed GNU toolchain couldn't be allowed in the distribution. Ralf recommended that he check out a discussion on the subject on the GCC list and Jesse replied that he was aware of it and that it underscored the need for Fedora to be on top of any and all license changes.
ArjanvandeVen corrected Jesse's statement of the problem, noting that co-existence of GPLv2 and GPLv3 packages was no problem, but rather in making derived works. In turn, JakubJelinek corrected this statement, saying that LGPLv3 was the problem and not GPLv3. A further clarification came from TomasMraz who stated the constraint as merely we just have to ensure that we don't link any gplv2 only program to such library. Such as we have to ensure that we don't link any gpl program to openssl library and so on.
At this point RalfEtzinger posted a list of packages which appeared to contravene this principle, again underscoring the need for this sort of information. FabioComolli posted a useful link to MarkMcLoughlin's useful notes on the GPL and OpenSSL exemption. ChrisAdams provided some package specific information and noted that these were "good example[s] of why license changes need to be clearly announced and researched."
JeffSpaleta argued that the absolutely best people to be the "we" of "we need to ensure that we don't link any gpl program to openssl library and so on" are the package maintainers as they are the experts in the libraries they maintain. ArjanVanDeVen suggested that tools could help parsing the "License" tag for mistakes and JesseKeating agreed and pointed out that the FPC had been working on a syntax for the tags to enable this (see also FWN#97 "Allo Allo Wot's This 'Ere License?" .)
Extra Packages for Enterprise Linux (EPEL) Now Open
KarstenWade announced that the Extras Packages for Enterprise Linux (EPEL) repository was now open. This is of particular interest to anyone currently rebuilding packages from Fedora to use on one of the RHEL-derivatives such as CentOS, Scientific Linux or even on RHEL itself.
Apart from the obvious advantages to those of us maintaing such systems there is also a unique opportunity for those in academia to gain experience in curating enterprise applications for a large user base.
Abuse Of Fedora Trademark
A sharp-eyed HansdeGoede spotted an announcement in LWN (Linux Weekly Net) of a piece of software which called itself "EasyFedora" used a proprietary license. Hans was pretty sure that this was abusing the "Fedora" trademark.
"Nicolas"(kwizart) noted that a thread in FedoraForum requested the author to release under a non-proprietary license, but JesseKeating pointed out that regardless of the license the author had no right to use Fedora(TM) in the name of his software.
A possible further problem was identified by KevinKofler who suggested that unless the developer had a commercial Qt license then he was also violating the GPL!
A helpful TimLauridsen supplied the information about how to report trademark violations to the Fedora Project which prompted AlainPortal to ask whether this was overkill and it would be better to just write to the developer and ask him to remove the offending wording. "Dragoran" thought this was a good approach, but RahulSundaram argued that "legal" would handle it politely and were the appropriate people to do so.
XFS In Anaconda
A developer at Fermilab (DanYocum) requested the enabling of the XFS filesystem in anaconda (the installer). Dan attested to the succesful inclusion of XFS upstream in the kernel, the realworld experience of successful installs and circa 1 Petabyte of running disks at Fermilab.
JesseKeating asked how SELinux support was these days and why he couldn't boot from XFS. EricSandeen confessed that errors in FC6 with regard to SELinux could be blamed on him, but that they seemed to be fixed now after a trivial error had been corrected. Eric noted that booting from XFS in SuSE worked fine and suggested that a since resolved GRUB error may have been responsible for corruption in both ext3 and xfs. Finally Eric admitted that it wasn't possible to install GRUB to an XFS partition but the MBR worked fine.
In response to Eric's questioning Jesse provided the information that anaconda consistently choked on XFS for him and Eric wondered whether GRUB was to blame still and how hard it would be to create a test anaconda. Jesse thought it wouldn't be too difficult and pointed to exactly how this could be done.
This section, we cover the news surrounding the Fedora Translation (L10n) Project.
Contributing Writer: JasonMatthewTaylor
F7 Release Notes Update
PaulFrields mentioned here that an update of the release notes package is on the horizon. There are a few locales that need fixes, as of 28-Jul-07 they were el es fi pa pt_BR sr uk zh_CN.
In this section, we cover the Fedora Infrastructure Project.
Contributing Writer: JasonMatthewTaylor
MikeMcGrath has put some documentation up on how to sponsor, how to get a sponsor and what the different groups are and what they do. Additions and clarifications are always welcome.
In this section, we cover Fedora Artwork Project.
Contributing Writer: JonathanRoberts
Echo Icons Moved
LuyaTshimbalanga wrote to the list suggesting that it might be a good idea to move the Echo icons to a host other than the wiki . This will result in faster upload speeds, making it easier for contributors to make improvements to existing icons and to create new ones. As well as improving speeds, this should allow the use of a revision control system, rather than relying on the current echo-pull script.
A ticket was opened with the Fedora infrastructure team, and work is underway to move the Echo icon theme to hosted.fedoraproject.org , and will use the Git revision control system. Currently the Echo icons are hosted at luya.fedorapeople.org/images/echo .
Nodoka Engine 0.5 Released
The Nodoka theme engine has released its 0.5 version, including a significant number of updates .
Fedora 8 Theme Decisions
MairinDuffy has sent a message informing the Art team that they have been given the authority to determine the final artwork and themes for Fedora 8. While this is great news, there are now decisions for the team to make, including which theme engine and icon theme to use as default in Fedora 8 .
In this section, we highlight the security stories from the week in Fedora.
Contributing Writer: JoshBressers
Dangerous Firefox Flaw
This week there has been a fair amount of talk regarding a new Firefox flaw that can allow a web site to execute arbitrary commands as the user running Firefox. Window Snyder has more information about this here .
It turns out that the issue here is how Firefox launches helper applications. Specifically, how Firefox launches helper applications in Windows. In the Linux version of Firefox, when a helper is launched Firefox will do a forkexec of the binary. This basically means that the way the arguments are passed to the helper are well understood. In the windows world, this is not well understood and has led to confusion and a rather dangerous security flaw. What's happening is basically that the URL is handed to a special Windows function that builds the argument list, then launches the URL handler. This is a perfect example of why relying on closed source solutions are a problem. Nobody actually understood this problem for several days, and even now how can it be proven the Firefox fix will be correct? Without the ability to view the source, or adhere to standards, application writers are at a serious disadvantage. It is very likely that there are countless other applications that suffer from this same bug, but since they lack the attention Firefox has, the bug will never be fixed. IE even suffers from this flaw, which Microsoft claims isn't really a security bug.
It's easy to say that open source has significant security advantages, but situations like this make it hard to believe any argument in favor of a closed system.
In this section, we recap the packages that have been highlighted as a Fedora Daily Package. We're looking for suggestions for packages to feature -- please suggest your favorites using the Suggest a Package box on the right-hand side of the Fedora Daily Package home page .
Contributing Writer: ChrisTyler
Incron - Execute commands based on filesystem activity
Productive Mondays highlight a timesaving tool. This Monday we covered Incron :
"Incron is a new tool modeled after cron which executes commands when a filesystem event occurs. Without polling, Incron can watch a specific file or an entire directory for new files, file writes, closures, deletions, or other activity."
eSpeak - Voice synthesizer
Artsy Tuesdays highlight a graphics, video, or sound application. This Tuesday eSpeak was featured:
"eSpeak is a speech synthesis package which provides an alternative to the better-know Festival synthesizer."
Wednesday Why: Syslog
The Wednesday Why article took a look at Fedora's syslog configuration:
"The /var/log directory contains a number of different log files. Many of these logs are generated by syslogd, which accepts log messages from programs and routes them to log files, the screen, and remote log monitors."
Seamonkey - Mozilla suite
GUI Thursdays highlight software that provides, enhances, or effectively uses a GUI interface. This Thursday , Seamonkey was discussed:
BSD-Games: Text games
Friday Fun highlights fun, interesting, and amusing programs. This Friday , we took a look at BSD-Games :
"In the 70's and 80's, many Unix systems came with several dozen text-based games and amusements... if you're feeling nostalgic or if you've never encountered these classic games, it's worth checking out the bsd-games package."
Advisories and Updates
In this section, we cover Security Advisories and Package Updates from fedora-package-announce.
Contributing Writer: ThomasChung
Fedora 7 Security Advisories
- [SECURITY] bind-9.4.1-7.P1.fc7 - http://fedoraproject.org/wiki/FSA/F7/FEDORA-2007-1247
- [SECURITY] drupal-5.2-1.fc7 - http://fedoraproject.org/wiki/FSA/F7/FEDORA-2007-1295
- [SECURITY] lighttpd-1.4.16-1.fc7 - http://fedoraproject.org/wiki/FSA/F7/FEDORA-2007-1299
Fedora Core 6 Security Advisories
- [SECURITY] bind-9.3.4-7.P1.fc6 - http://fedoraproject.org/wiki/FSA/FC6/FEDORA-2007-647
Events and Meetings
In this section, we cover event reports and meeting summaries from various projects.
Contributing Writer: ThomasChung
Fedora Board Meeting Minutes 2007-MM-DD
Fedora Ambassadors Meeting 2007-07-26
Fedora Documentation Steering Committee 2007-MM-DD
- No Report
Fedora Engineering Steering Committee Meeting 2007-07-26
Fedora Extra Packages for Enterprise Linux Meeting (Log) 2007-07-26
Fedora Infrastructure Meeting (Log) 2007-07-26
Fedora Packaging Committee Meeting 2007-MM-DD
- No Report