= Fedora Weekly News Issue 116 =

Welcome to Fedora Weekly News Issue 116 for the week of January 14th.

http://fedoraproject.org/wiki/FWN/Issue116

In Announcement, we have "Cast your vote for the Fedora 9 Codename!"

In Planet Fedora, we have "Looking for a few good hackers!", "Fire in the Attic, Proof of the Prize", and "PackageKit Interview"

To join or give us your feedback, please visit http://fedoraproject.org/wiki/NewsProject/Join.

 1. Announcements
  1. Cast your vote for the Fedora 9 Codename!
 2. Planet Fedora
  1. Looking for a few good hackers!
  2. Fire in the Attic, Proof of the Prize
  3. PackageKit Interview
 3. Marketing
  1. Red Hat at the crossroads
  2. Video: Alan Cox on community and the enterprise
  3. Fedora 9 and KDE 4.0.0 in distrowatch article
 4. Developments
  1. OpenVPN And NetworkManager
  2. What To Do About Bugs?
  3. Displaying Application Icons In PackageKit
  4. AVC:Denied {trolling} For PID=666 Comm={SELinuxRemove}
  5. System-config-firewall Changes For Fedora 9
  6. Fedora 9 CD ISOs
 5. Documentation
  1. Status of FOP Support in xmlto
  2. Progress on the DUG and AG
 6. Infrastructure
  1. Something up with the bzr browsing in trac
  2. Continuing issues with xen1
 7. Security Week
  1. X Update
  2. More Vulnerability Reporting
  3. Embedded library madness
 8. Security Advisories
  1. Fedora 8 Security Advisories
  2. Fedora 7 Security Advisories
 9. Events and Meetings
  1. Fedora Board Meeting Minutes 2008-01-13
  2. Fedora Ambassadors Meeting 2008-01-17
  3. Fedora Documentation Steering Committee 2008-MM-DD
  4. Fedora Engineering Steering Committee Meeting 2008-MM-DD
  5. Fedora Infrastructure Meeting (Log) 2008-01-17
  6. Fedora Release Engineering Meeting 2008-01-14
  7. Fedora SIG EPEL Meeting Week 03/2008
  8. Fedora SIG KDE Meeting Week 03/2008
  9. Fedora SIG Store Meeting (Log) 2008-01-16

[[Anchor(Announcements)]]
== Announcements ==

In this section, we cover announcements from Fedora Project.

In this issue, we've included all new announcements since last issue.
https://www.redhat.com/mailman/listinfo/fedora-announce-list

Contributing Writer: ThomasChung

=== Cast your vote for the Fedora 9 Codename! ===

JoshBoyer announces in fedora-announce-list[1],

"We have several options for the Fedora 9 codename, and you get to help decide which we use!"

"Voting will end and be tallied at 2008-01-24 23:59:59 UTC"

[1] https://www.redhat.com/archives/fedora-announce-list/2008-January/msg00005.html

[[Anchor(PlanetFedora)]]
== Planet Fedora ==

In this section, we cover a highlight of Planet Fedora - an aggregation of blogs from world wide Fedora contributors.

http://fedoraproject.org/wiki/Planet

Contributing Writers: ThomasChung

=== Looking for a few good hackers! ===

JesseKeating points out in his blog[1],

"Are you looking for that awesome summer job? Tired of spending your summer listening to your grandma's stories over and over again? Looking for a challenge, a resume builder, a real world experience, a chance to try out those flame proof undies? Well do we have something that might interest you!"

[1] http://jkeating.livejournal.com/52337.html

=== Fire in the Attic, Proof of the Prize ===

JackAboutboul points out in his blog[1],

"That's right! AOL might no longer be the laughing stock of everyone who has owned a computer since the 80's. Seriously though, AOL has the potential to be the world's largest identity providers. They have over 63 Million user accounts and have been working on implementing OpenID"

"Now in case that wasn't exciting enough for you, the bombshell came this morning. AIM is going Jabber! I was absolutely delighted when I read this. AOL is making positive steps to finally move on and up from their decade long commitment to being as proprietary as possible and pissing off numerous people to actually opening up, embracing the age of open standards and trying to regain some mind share and build community."
[1] http://feeds.feedburner.com/~r/MadRhetoric/~3/218930583/fire-in-attic-proof-of-prize.html

=== PackageKit Interview ===

JonRoberts points out in his blog[1],

"Woah, it's the 18th of January 2008 - Fedora 9 Alpha is not even out yet but the first developer interview of the new year is! Thanks to Robin Norwood and Richard Hughes for giving me some of their time to talk about PackageKit, the super-cool cross-distribution package management solution that is already making things suck-less."

[1] http://blog.questionsplease.org/2008/01/18/packagekit-interview/

[[Anchor(Marketing)]]
== Marketing ==

In this section, we cover Fedora Marketing Project.

http://fedoraproject.org/wiki/Marketing

Contributing Writer: ThomasChung

=== Red Hat at the crossroads ===

RahulSundaram reports in fedora-marketing-list[1],

"Red Hat has managed to walk the line between corporate ambition and community ethics, resisting the temptation to compromise in deals with Microsoft and others, and has endeavored to remain honest and true to its community roots, which it has maintained through its dependence on the Fedora community."

[1] https://www.redhat.com/archives/fedora-marketing-list/2008-January/msg00132.html

=== Video: Alan Cox on community and the enterprise ===

RahulSundaram reports in fedora-marketing-list[1],

"Interesting and concise descriptions of a lot of things. Alan Cox on his involvement in the Linux kernel, working for Red Hat, the value of enterprises, subscription model, staying true to Free software, birth of Fedora and even more."
[1] https://www.redhat.com/archives/fedora-marketing-list/2008-January/msg00118.html

=== Fedora 9 and KDE 4.0.0 in distrowatch article ===

SebastianVahl reports in fedora-marketing-list[1],

"The Fedora distribution has traditionally been focusing on GNOME as its preferred desktop environments, but with the increasing community participation in the project, perhaps we shouldn't be surprised that KDE 4.0.0 is now included in "rawhide" (Fedora's development branch). Not only that, it also appears to be the default KDE (KDE 3.5.8 is present as well, but these packages have been renamed to kdebase3, kdelibs3, etc.). Moreover, the Fedora community has released an installable Fedora live CD containing a base system from the latest rawhide + KDE 4.0.0 - a good way to evaluate the progress Fedora has made since the release of version 8. The live CD is available for download from here: rawhide-KDE4-i686-20080109.4.iso (694MB, SHA1)."

[1] https://www.redhat.com/archives/fedora-marketing-list/2008-January/msg00117.html

[[Anchor(Developments)]]
== Developments ==

In this section, we cover the problems/solutions, people/personalities, and ups/downs of the endless discussions on Fedora Developments.

http://www.redhat.com/mailman/listinfo/fedora-devel-list

Contributing Writer: OisinFeeley

=== OpenVPN And NetworkManager ===

A need to control individual VPN connections led JosVos to post[1] that Fedora's OpenVPN package currently stops and starts all VPN interfaces simultaneously using a single init script. Jos pointed out that the classic Red Hat way was to support interfaces with ifup/ifdown scripts, that there had been some groundwork done in 2004 towards this end, and he wondered if there was general interest in including such methods in Fedora.
Although AndrewParker expressed interest in extending NetworkManager's functionality to include both this and the (un)mounting of network shares, Jos was clear[2] that his interests excluded NetworkManager and were modestly focused on individual VPN connection control.

[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01165.html

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01174.html

RalfErtzinger posted[3] a link to an rpm package of scripts which he had written[4] to do some of these things on Rawhide and CentOS5.

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01194.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01225.html

Strong agreement that the ability to individually control VPN interfaces should be part of the OpenVPN package was expressed[5] by DavidWoodhouse. David added that this functionality should have been a condition of the initial review of the package. StevenPritchard explained[6] that at the time of the review it had appeared that NetworkManager was "going to take over the world" and thus ifup/ifdown had been neglected.

It was observed[7] by DavidHollis that NetworkManager-openvpn seemed to be stagnating and lacked support for "tls-auth/tls-remote" among other options. DanWilliams responded[8] that the proliferation of OpenVPN options meant that adding GUI dialogs for all of them was impractical. He suggested that allowing custom option entries, which could later be overridden if the same option were added to the GUI, might solve the problem, but worried that opening up too much would present a security risk: "About the last thing we want to be doing is executing a root process with random arguments entered by some trojan that stuffed values into GConf." DavidHollis expanded[9] on the problems faced by OpenVPN administrators due to the inability of NetworkManager-openvpn to import a boilerplate configuration file.
[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01279.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01342.html

[7] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01346.html

[8] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01354.html

JosVos wrapped[9] things up with the promise to make a proposal based on the information he had been given, but it should be noted that this seems likely to be exclusive of NetworkManager functionality.

[9] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01349.html

=== What To Do About Bugs? ===

An interesting thread was opened[1] by JesseKeating when he posted a link to a blog entry detailing frustrations with Ubuntu's bug handling policy.

[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01870.html

Many good points were made, both by maintainers describing the problems they face, an excellent example of which was KevinKofler's description[2] of the KDE workload, and by those who have been frustrated by the manner in which their bugs have been handled.

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01914.html

Of particular note was the discussion[3] of bugs closed as "UPSTREAM", which saw some maintainers such as SethVidal state[4] that they would only do this if they had a fix already checked into the upstream codebase. MatejCepl made[5] a great post which linked to the actual description of what the "upstream" tag is supposed to mean and promote, yet cautioned that bug reporters should be treated "as our most valuable asset".
[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01900.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01901.html

[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01926.html

The whole thread gives a frank and useful insight into some of the processes which swing into motion once Fedora users summon up the willpower to grapple with Bugzilla.

=== Displaying Application Icons In PackageKit ===

The buzz of excitement around PackageKit (e.g. JonathanRoberts' interview[1] of RichardHughes and RobinNorwood) stimulated a proposal[2] from JakubRusinek (livio) to replace the generic package icon with the specific icons for each application.

[1] http://lwn.net/Articles/265748/

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01840.html

BillNottingham pointed out[3] that this would bloat the repositories and increase the download times for users. Jakub suggested[5] that the hicolor-icon-theme could supply the missing icons and thus avoid users having to download all icons for all packages, but Bill thought[6] that "updating the hicolor-icon-theme package every time we add a new app to Fedora, or any time such an app changes its icon, is somewhere beyond impractical."

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01843.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01847.html

[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01847.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01849.html

A nice summary of the situation was made[7] by JefSpaleta, which suggested that if icon names could be included in the repodata then when they were present on the system they could be displayed, otherwise they would use a generic icon. Jef wondered if it was worth all the trouble though.
[7] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01854.html

After Jakub explained that he thought his proposal would add usability improvement, making PackageKit similar to Ubuntu's "gnome-app-install", RobinNorwood agreed[8] with Jakub that there would be some value in providing application specific icons, but pointed out that the current use of the icons was to indicate whether the package is installed on the system. He added that to implement Jakub's proposal was non-trivial and required adding an icon field to the package metadata. RichardHughes agreed and invited[9] Jakub to discuss things further on the PackageKit mailing list. MartinSourada added[10] encouragement that the scheme outlined by Jef could be implemented. Jakub seemed somewhat discouraged and cautioned[11] that he was not a programmer, but KevinKofler responded[12] that the feedback should not be taken personally.

[8] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01862.html

[9] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01867.html

[10] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01879.html

[11] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01887.html

[12] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01865.html

=== AVC:Denied {trolling} For PID=666 Comm={SELinuxRemove} ===

A call for the removal of SELinux from the Desktop LiveCD spin was made[1] by ValentTurkovic. Valent argued that SELinux was useful for servers but that it was a net disadvantage to "ordinary desktop users". Initial answers took the question at face value, but later contributions from Valent appeared to be of a slightly goading nature, suggesting variously that Ubuntu LTS[1a] or SLED[1b] would be better than Fedora, so perhaps the thread should be read with skepticism.
[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01573.html

[1a] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01710.html

[1b] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01722.html

DanielBerrange listed[2] the confined system daemons on his laptop as examples of how SELinux helped "desktops". StevenSmalley added[3] the interesting information that "XACE/XSELinux has been merged to the trunk of xorg", which will allow yet more desktop applications to be confined. Valent commented that Daniel (and others) could always choose to use SELinux, but asked for specific examples of the benefits conferred. Daniel cited[4] the ''hplip'' arbitrary root execution in response.

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01583.html

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01580.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01583.html

Valent was still not buying the benefits of SELinux for "average home users" and now counterposed "corporate desktop" users and "fedora [as] a testing ground for redhat corporate desktop"[5]. Responses from GilboaDavra, AndrewFarris and others emphasized that it was necessary to develop protections against viruses now, but Valent doubted[6] the existence of viruses targeted towards GNU/Linux and suggested that SELinux should be developed and tested for five years before being rolled out. Gilboa responded[7] pretty comprehensively to this, listing the network-facing services exposed on many desktops and privilege escalation possibilities as broad categories in which security must improve.
[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01585.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01708.html

[7] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01731.html

The discussion went fairly rapidly downhill with Valent citing[8] some ''grsecurity'' propaganda that SELinux is actually a potential "backdoor waiting to happen". This was debunked[9] by BenjaminKreuter and KarstenWade[10] who wondered ''In the "fantasy football" of NSA v. grsecurity team, I wonder who wins?'' A further claim from Valent that[10a] the interaction of Fluendo codecs and SELinux had been untested was hotly contested[10b] by BastienNocera who cited the evidence of the timestamp of the upstream bug filed with Fluendo and asked Valent to "Please stop lying."

[8] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01724.html

[9] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01727.html

[10] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01784.html

[10a] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01593.html

[10b] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01620.html

RichiPlana noted[11] both the problems Valent had highlighted with Fluendo gstreamer codecs (see FWN#107 "Fluendo Codecs Violate SELinux Policies" [12]) and also the necessity for SELinux being used now. He praised DanWalsh and others for sorting out bugs as they appear.

[11] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01633.html

[12] http://fedoraproject.org/wiki/FWN/Issue107#head-29d30b0ee5257a4fb5fe0f9d1ae760d75b7d7aec

There were some interesting asides in the thread, such as JefSpaleta and KeithSharp's speculation[13] that internet cafes and other environments with transitory/untrustable users would make use of virtualization to clone fresh VM instances to each new user.
This was in response to the suggestion that UbuntuLTS would be superior in such a setting.

[13] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01811.html

Yet more nuggets of information lurked beneath the surface. DanWalsh suggested[14] that Valent could use {{{su -c 'setsebool -P allow_execmod=1'}}} to disable "checking for badly coded shared libraries". This led to an interesting exchange with OlivierGalibert who was searching for documentation of the policy types, something which DavidMalcolm also wondered. Dan posted[15] some snippets from ''/usr/share/selinux/policy.xml'' which he admitted were not yet in a manpage. Olivier was also disturbed that programs with dynamic code generators (as listed[16] by Dan) were all being denied by default and needed[17] to be explicitly added to the list supplied by Dan.

[14] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01736.html

[15] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01824.html

[16] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01868.html

[17] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01872.html

Later exchanges seemed to cover the same ground in different ways with various Fedora and Red Hat coders asking[18] for more specific objections or suggestions and explaining[19] the nature of the threat[20] which SELinux helps to mitigate and asking[21] that bug reports be filed so that DanWalsh can fix them.
[18] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01588.html

[19] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01752.html

[20] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01754.html

[21] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01600.html

Final words in the thread were left to DouglasMcClendon who managed to bring in Bush, Waterboarding, Evolution and other stuff in apparently some sort of argument about why SELinux should not be enabled on all spins. This link[22] marks the point at which those who value their time should stop reading.

[22] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01636.html

=== System-config-firewall Changes For Fedora 9 ===

An announcement[1] by ThomasWoerner of changes in ''system-config-firewall'' advised that the ''--port=<port>:<proto>'' option in ''lokkit'' will no longer automatically start a service behind the opened port. Instead it will be necessary to use the new ''--service=<name>'' option. For new firewall configurations the defaults will be that on a server ''ssh'' is enabled and on a desktop ''ipsec'', ''mdns'' and ''ipp'' are enabled.

[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01563.html

BastienNocera doubted[2] that IPSec and IPP had much place in a desktop environment. AdamTkac agreed and added that ''mdns'' seemed questionable. TimNiemueller made the case[3] for both IPP (a desktop machine sharing a printer) and mDNS (DNS-SD is used by Avahi for service discovery such as fileshares, VNC and printers). JonStanley argued[4] that IPSec was necessary by default for VPN clients unless system-config-firewall made altering the firewall simple. CallumLerwick added[5] in response to AdamTkac that IPSec was a distinct protocol on top of IP and thus a stateful firewall would not suffice.
[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01621.html

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01732.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01741.html

[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01745.html

=== Fedora 9 CD ISOs ===

MikeMcGrath forwarded[1] a query from a user that needed Fedora on CD ISOs as his server lacked a DVD drive. SubhodipBiswas agreed[2] that this was an issue leading to many Fedora users sticking to older releases.

[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01434.html

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01435.html

JesseKeating was able to answer[3] positively that the alpha compose would generate "split media", which seemed to mean CD ISOs, and also DVD ISOs. ChrisLumens was glad[4] to see that his hard work was still useful.

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01436.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01439.html

RalfCorsepius wondered[5] whether there would be a split "Everything" as the Fedora ISOs did not cover the upgrade case for machines which had packages not present on the ISOs. Although Jesse responded negatively to this, Ralf was delighted with JohnReiser's information[6] that the FedoraUnity project had indeed produced such a spin (and within four days of the official release too!). Ralf asked[7] whether FedoraUnity provided the equivalent of a Fedora ''boot.iso'' configured to do a network update from a server with "Everything + updates" and both JohnCiesla[8] and JesseKeating suggested[9] using the ''rescue.iso'' for this purpose.
[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01523.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01537.html

[7] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01538.html

[8] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01543.html

[9] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01545.html

USB sticks were[10] on BennyAmorsen's mind as a useful medium, and when RahulSundaram suggested {{{yum install livecd-tools; livecd-iso-to-disk <isofile> <devicename>}}} Benny clarified that he did not want a LiveCD but "the real release". Rahul responded[11] that LiveCDs were "real" and that regular installable images were difficult to convert to bootable USB images. In response to JohnReiser's request Rahul clarified[12] that the <devicename> was meant to be a DOS-style partition.

[10] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01462.html

[11] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01479.html

[12] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01472.html

Some experiments to attempt to write the installation image to a USB disk were performed[13] by TillMaas, apparently with some success[14].

[13] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01499.html

[14] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01504.html

[[Anchor(Documentation)]]
== Documentation ==

In this section, we cover the Fedora Documentation Project.

http://fedoraproject.org/wiki/DocsProject

Contributing Writer: JohnBabich

=== Status of FOP Support in xmlto ===

KarstenWade noted that the rawhide version of xmlto now supports FOP[1]. This is a long-awaited and important step towards a completely unencumbered documentation tool chain.
[1] http://www.redhat.com/archives/fedora-docs-list/2008-January/msg00142.html

=== Progress on the DUG and AG ===

A meeting was held on Saturday, 19 January at 1400 UTC to discuss progress on the Fedora Desktop User Guide (DUG) and the Administration Guide (AG). The goal is to finish both guides for inclusion in the final release of Fedora 9. The following is a summary of the meeting's main points:

- The GNOME section of the DUG is almost complete, except for some minor editing.
- The KDE section of the DUG is fairly complete, but still needs review to take into account any changes introduced by KDE4.
- The section covering Xfce should be completed for this version of the DUG, since an official Xfce Live CD is planned for Fedora 9.
- The location of the AG for conversion to Doc``Book XML is http://fedoraproject.org/wiki/Docs/Drafts/AGBeta. However, listed pages are still edited in their original location at http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide.
- A core group of 3-4 people have committed to early March completion of the AG.

As always, "more hands on deck are more than welcome"[2], according to VladimirKosovac.

[2] http://www.redhat.com/archives/fedora-docs-list/2008-January/msg00152.html

[[Anchor(Infrastructure)]]
== Infrastructure ==

In this section, we cover the Fedora Infrastructure Project.

http://fedoraproject.org/wiki/Infrastructure

Contributing Writer: HuzaifaSidhpurwala

=== Something up with the bzr browsing in trac ===

SethVidal reports[1] that there was a problem with https://fedorahosted.org/preupgrade/browser, which kept giving a "no code to browse" error message. It later turned out to be a configuration problem, which was fixed.

[1] https://www.redhat.com/archives/fedora-infrastructure-list/2008-January/msg00078.html

=== Continuing issues with xen1 ===

MikeMcGrath reports[2] that, as with last week's issue with xen1, there has been a similar issue with xen2.
xen2 was recently upgraded to RHEL5, but is now running FC6 as far as the kernel and the xen libs are concerned. The xen machines are not running F8 mainly because Fedora 8 is ill suited to this particular task which, in reality, is just an appliance/abstraction between our hosts and the hardware.

[2] https://www.redhat.com/archives/fedora-infrastructure-list/2008-January/msg00088.html

[[Anchor(SecurityWeek)]]
== Security Week ==

In this section, we highlight the security stories from the week in Fedora.

Contributing Writer: JoshBressers

=== X Update ===

New versions of X.org were released this week.

http://lists.freedesktop.org/archives/xorg/2008-January/031918.html

The tricky thing with X.org is that it has to run as root, so it gives a local attacker the potential to compromise the machine.

=== More Vulnerability Reporting ===

A report was made public last week that once again compares the number of flaws fixed in various things. I think Mark Cox and Window Snyder summed things up pretty well regarding those reports:

http://blog.mozilla.com/security/2008/01/17/read-past-the-headlines-firefox-is-fixed-faster/

http://www.awe.com/mark/blog/200801161200.html

At this point any intelligent reader should notice that these reports need to be taken with a grain of salt, and the real story isn't what's reported, but what one can learn from the data.

=== Embedded library madness ===

Right now there has been a bit of news from a company named Palamida. They like to point out all the things that contain embedded copies of various open source projects.

http://www.linuxinsider.com/rsstory/61202.html

Before 2002 this was a fairly common occurrence within a number of open source projects, until there were a number of zlib flaws. This made most projects rethink keeping their own local copies of the source and use the system copy instead.

This ties in nicely with the above mentioned vulnerability report. More vulnerabilities doesn't always mean less secure.
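An added example (not part of the original newsletter, and not a Fedora or Palamida tool): one way to find embedded zlib copies is to search shipped files for the copyright banner that zlib's deflate and inflate code compile in, then compare the version found with the system copy. The file names, sample bytes and the 1.2.3 baseline used in the demo are constructed for illustration.

```python
import os
import re
import tempfile
import zlib

# zlib's deflate and inflate sources each compile in a copyright banner such as
# " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly ". A copy of zlib built
# into another program usually carries the banner, and its version, along.
BANNER = re.compile(rb" (deflate|inflate) (\d+(?:\.\d+)+)\S* Copyright 1995-")


def parse_version(text):
    """Turn '1.2.11' (or a suffixed version string) into a comparable int tuple."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(part) for part in match.group(0).split(".")) if match else ()


def find_embedded_zlib(data):
    """Return the sorted (component, version) pairs whose banner occurs in data."""
    return sorted({(m.group(1).decode(), m.group(2).decode())
                   for m in BANNER.finditer(data)})


def scan_tree(root, baseline=zlib.ZLIB_RUNTIME_VERSION):
    """Walk root and report every file carrying a zlib banner.

    baseline defaults to the zlib this Python runs against, standing in for
    "the system copy". The system libz itself also matches, so point root at
    application directories rather than at the library directory.
    """
    wanted = parse_version(baseline)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as handle:
                    data = handle.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for component, version in find_embedded_zlib(data):
                findings.append({
                    "path": path,
                    "component": component,
                    "version": version,
                    "outdated": parse_version(version) < wanted,
                })
    return findings


def demo():
    """Scan three constructed files that stand in for shipped binaries."""
    samples = {
        "app-old.bin": b"\x7fELF" + b"\x00" * 16
                       + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
                       + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00",
        "app-new.bin": b"\x00\x01 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00",
        "readme.txt": b"no compression code in here",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(blob)
        return [(os.path.basename(f["path"]), f["component"], f["version"], f["outdated"])
                for f in scan_tree(root, baseline="1.2.3")]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A banner match only shows that zlib code is present; a copy whose banner was stripped or patched by the vendor will not be reported, so treat an empty result as "none found" rather than "none embedded".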
[[Anchor(SecurityAdvisories)]]
== Security Advisories ==

In this section, we cover Security Advisories from fedora-package-announce.

https://www.redhat.com/mailman/listinfo/fedora-package-announce

Contributing Writer: ThomasChung

=== Fedora 8 Security Advisories ===

 * moodle-1.8.4-1.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00509.html
 * python-paramiko-1.7.1-3.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html
 * xine-lib-1.1.9.1-1.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00592.html
 * syslog-ng-2.0.7-1.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00606.html
 * e2fsprogs-1.40.2-12.fc8 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00618.html

=== Fedora 7 Security Advisories ===

 * moodle-1.8.4-1.fc7 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00519.html
 * python-paramiko-1.7.1-3.fc7 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html
 * syslog-ng-2.0.7-1.fc7 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00610.html
 * e2fsprogs-1.40.2-3.fc7 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00629.html
 * cairo-1.4.14-1.fc7 - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00630.html

[[Anchor(EventsMeetings)]]
== Events and Meetings ==

In this section, we cover event reports and meeting summaries from various Projects and SIGs.
Contributing Writer: ThomasChung

=== Fedora Board Meeting Minutes 2008-01-13 ===

 * https://www.redhat.com/archives/fedora-advisory-board/2008-January/msg00175.html

=== Fedora Ambassadors Meeting 2008-01-17 ===

 * https://www.redhat.com/archives/fedora-ambassadors-list/2008-January/msg00154.html
 * https://www.redhat.com/archives/fedora-ambassadors-list/2008-January/msg00145.html

=== Fedora Documentation Steering Committee 2008-MM-DD ===

 * No Report

=== Fedora Engineering Steering Committee Meeting 2008-MM-DD ===

 * No Report

=== Fedora Infrastructure Meeting (Log) 2008-01-17 ===

 * https://www.redhat.com/archives/fedora-infrastructure-list/2008-January/msg00076.html

=== Fedora Release Engineering Meeting 2008-01-14 ===

 * https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01599.html

=== Fedora SIG EPEL Meeting Week 03/2008 ===

 * https://www.redhat.com/archives/epel-devel-list/2008-January/msg00114.html

=== Fedora SIG KDE Meeting Week 03/2008 ===

 * https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01493.html

=== Fedora SIG Store Meeting (Log) 2008-01-16 ===

 * https://www.redhat.com/archives/fedora-marketing-list/2008-January/msg00139.html

--
Thomas Chung
http://fedoraproject.org/wiki/ThomasChung