Revision as of 15:20, 30 March 2009

Developments

In this section the people, personalities and debates on the @fedora-devel mailing list are summarized.

Contributing Writer: Oisin Feeley

What Happened Last Summer

Paul W. Frields broke radio silence to provide[1] a detailed explanation of last August's (2008-08-12) security problem. Briefly, a Fedora Project systems administrator used an SSH key that had no pass-phrase. This key was copied from the administrator's machine and used to gain access to Fedora infrastructure. Subsequently, trojaned versions of OpenSSH and rpm were built and deployed on Fedora infrastructure. The investigation concludes that these packages were detected and removed before any rpms were built with them or distributed to Fedora users. The full, detailed communication includes a timeline.
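The weak point in the incident above was a private key stored without a pass-phrase. The following audit script is an added example, not part of the FWN article or of Fedora Infrastructure's own tooling: it flags private SSH key files that carry no pass-phrase by inspecting the PEM "Proc-Type" header or the cipher field of the OpenSSH key format, and it assumes coreutils base64 together with GNU tr, grep and sed. The sample files it writes are constructed for demonstration and are not real keys.

```shell
#!/bin/sh
# Added example, not from the FWN article or Fedora Infrastructure: audit private SSH
# key files for a missing pass-phrase, the weakness behind the 2008 intrusion.
# PEM-format keys mark encryption with a "Proc-Type: 4,ENCRYPTED" header; OpenSSH-format
# keys store the cipher name right after the "openssh-key-v1" magic ("none" = unencrypted).
# Assumes coreutils base64 and GNU tr/grep/sed; the samples below are constructed, not real keys.
# Print the cipher name recorded in an OpenSSH-format key file.
openssh_key_cipher() {
    grep -v '^-----' "$1" | base64 -d 2>/dev/null | head -c 64 \
        | tr -c '[:print:]' '\n' | grep . | sed -n '2p'
}

# Exit status: 0 = key has no pass-phrase, 1 = key is encrypted, 2 = not a private key.
key_is_unprotected() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        # an undecodable body yields an empty cipher name and is treated as protected
        [ "$(openssh_key_cipher "$1")" = "none" ]
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        return 1    # PKCS#8 encrypted form carries no Proc-Type header
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        ! grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
    else
        return 2
    fi
}

# Walk a directory tree and report every unprotected key, as a host audit would.
report_unprotected_keys() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        key_is_unprotected "$f" && echo "UNPROTECTED: $f"
    done
    return 0
}

# Constructed sample files: only the headers and the OpenSSH cipher field are meaningful.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEowIBAAKCAQEA' '-----END RSA PRIVATE KEY-----' > "$1/pem_plain"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,00' '' \
        'MIIEowIBAAKCAQEA' '-----END RSA PRIVATE KEY-----' > "$1/pem_enc"
    # OpenSSH format: magic + NUL, uint32 length, cipher name, uint32 length, kdf name, ...
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/ossh_plain"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/ossh_enc"
}

# Stand-alone use: audit the directory given on the command line (e.g. /root/.ssh).
if [ -n "$1" ]; then report_unprotected_keys "$1"; fi
```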

Emacs Cabal Disables Xorg Ctrl-Alt-Backspace

Much work has been done on the Fedora 11 release notes[2] to advise users of significant changes. A thread started[3] by Gerry Reno to question the disabling of Ctrl-Alt-Backspace as a key combination to kill the X server shows that these beta release notes are an important means of notifying prospective users of new features of the operating system. Gerry was among many contributors to the thread who preferred to keep the traditional functionality enabled. This change was an upstream Xorg decision apparently taken to prevent users from accidentally killing their X servers. Although there had previously been extensive discussion (reported in FWN#162[4]) and a nice, hot flamewar on the upstream lists[5], the change seemed to take many by surprise. This prompted[6] accusations that "[...] big changes like this need to be advertised extensively instead of just quietly slipped in."

Roland McGrath suggested[7] ways in which xorg.conf could be changed using a kickstart post-scriptlet but preferred that such choices would be pushed into the users' "keyboard shortcut" preferences. Gerry raised[8] the issue of the use of the Ctrl-Alt-Backspace combination being essential to virtual machine management.

Another dissatisfied user was Arthur Pemberton. He requested[9] discussion of why such large changes as disabling Ctrl-Alt-Backspace, removing Xorg.conf in favor of auto-detection, and others had been made without what he considered to be enough discussion. Response to this line of questioning suggested[10] variously that the change had been made "secretly" upstream in order to appease an emacs-using cabal, and that Fedora had adopted the changes solely because Ubuntu had done so. This latter accusation was disputed[11] by Matthew Garrett. The emacs angle seems to come from the fact that the emacs key-combinations "Ctrl-Alt-End" and "Ctrl-Alt-\" are, with certain keyboard layouts, a danger to fumble-fingered users. Arthur pointed[12] to an added complication in a use case in which booting with the monitor powered off requires restarting the X server.

Felix Miata mentioned[13] that OpenSuSE's solution was to require that the Ctrl-Alt-Backspace sequence be struck twice before it took effect. This was also suggested[14] by Gerry during a thread in which Matthew Garrett and Matthias Clasen explained that the Terminate_Server symbol could be bound to any desired key-binding through XKB maps.

Ahmed Kamal suggested[15]: "To anyone wanting to kill X when it hangs, why not login through a VC and `pkill X' .. Just like any process, why do we have to have magic keys!" Similarly Adam Jackson challenged[16] the assertion that it would be possible to use the key combination to deal with faulty drivers.

ZFS-based Upgrades

Neal Becker posted[17] a link to an interesting way to use the capabilities of the ZFS filesystem to take snapshots of the system and provide a safe, stable way to upgrade. Seth Vidal seemed[18] sanguine that this would be relatively easy with a YUM-based system.

Repoview Temporarily Bust in Fedora 10

After a report from Uwe Kiewel that he could not create a repoview for Fedora 10 Everything, Seth Vidal posted[19] that a fix was available in rawhide but had not yet reached Fedora 10. Konstantin Ryabitsev (Icon) built the updated packages, and Josh Boyer posted[20] that they would be available very shortly.

LGPL Qt-4.5 in Fedora 10 and Fedora 9

Kevin Kofler announced[21] updates of Qt-4.5 for Fedora 10 and Fedora 9. He detailed the advantages of this backwards-compatible update and suggested that maintainers of Qt-4-based packages do some quick checks to ensure that there would be no snags.

  1. http://www.redhat.com/archives/fedora-announce-list/2009-March/msg00010.html
  2. http://fedoraproject.org/wiki/Fedora_11_Beta_release_notes
  3. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01682.html
  4. http://fedoraproject.org/wiki/FWN/Issue162#Fedora_11_Alpha_Released
  5. http://lists.freedesktop.org/archives/xorg/2008-September/038786.html
  6. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01705.html
  7. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01691.html
  8. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01697.html
  9. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01770.html
  10. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01791.html
  11. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01888.html
  12. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01732.html
  13. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01820.html
  14. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01804.html
  15. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01708.html
  16. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01989.html
  17. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01597.html
  18. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01599.html
  19. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01585.html
  20. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01648.html
  21. http://www.redhat.com/archives/fedora-devel-list/2009-March/msg01696.html