Hi,
In 2013, I worked very briefly on enabling reproducible builds for Fedora,
https://securityblog.redhat.com/2013/09/18/reproducible-builds-for-fedora/
After attending the "Reproducible Builds World Summit" recently, I am
inspired again to help out in getting this done.
https://reproducible-b
On Fri, 9 Jan 2015, Zbigniew Jędrzejewski-Szmek wrote:
> ...
> Microbenchmarks get us only so far; we need to know the impact the
> change makes for the whole system. We won't know that until enough
> packages have been rebuilt.
https://www.alpinelinux.org/about/
"The kernel is patched with grse
On Wed, 7 Jan 2015, Till Maas wrote:
> On Wed, Jan 07, 2015 at 08:30:03AM -0500, Josh Boyer wrote:
>
> > We just went over something very much like this for x86_64 packages
> > with FESCo ticket 1113:
> >
> > https://fedorahosted.org/fesco/ticket/1113
> >
> > Could you perhaps review that and elab
On Thu, 14 Aug 2014, Michael Cronenworth wrote:
> On 08/12/2014 08:26 AM, Dhiru Kholia wrote:
> > Now, I need your feedback and cool ideas to improve this project:-)
>
> You could have saved yourself a few cycles and just used existing tools like
> readelf. Just an FYI before
On Wed, 13 Aug 2014, Jerry James wrote:
> On Tue, Aug 12, 2014 at 7:26 AM, Dhiru Kholia wrote:
> Now, I need your feedback and cool ideas to improve this project :-)
>
> I notice that several packages that I maintain that include assembly
> language files showed up in your resul
On Tue, 12 Aug 2014, Mathieu Bridon wrote:
> On Tue, 2014-08-12 at 15:26 +0200, Dhiru Kholia wrote:
> > Now, I need your feedback and cool ideas to improve this project :-)
>
> So first, this is great!
Thanks :-)
> However, the results.txt is very hard to use in order to chec
Hi,
http://fedoraproject.org/wiki/Packaging:Guidelines#Compiler_flags says
that "Compilers used to build packages must honor the applicable
compiler flags set in the system rpm configuration. Honoring means that
the contents of that variable is used as the basis of the flags actually
used by the c
On 12/04/13 at 07:10pm, Brendan Jones wrote:
> This is just a pain. Can someone explain to me why this is good?
>
> Original Message
> Subject: [Bug 1037125] hydrogen FTBFS if "-Werror=format-security" flag is
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1037125
Hi Brendan,
C
On 12/06/13 at 11:57am, Reindl Harald wrote:
> but what is the plan if this does not work out for an unknown number
> of packages because upstream is not willing or able to "fix it" or
> only in a later release, given that the package is not buildable
> at all
Contingency mechanism: Revert changes
On 11/29/13 at 12:15pm, Richard W.M. Jones wrote:
>
> On Fedora 20 (beta-ish), I did:
>
> for f in /usr/bin/*; do chrpath -l $f ; done | grep RPATH > /tmp/rpaths.txt
>
> I removed from the final list private library RPATHs, which are
> permitted[1]. Here is the final list:
>
> /usr/bin/afm2tfm: RP
On 11/20/13 at 11:16am, David Smith wrote:
> > On 11/20/13 at 09:27pm, Dhiru Kholia wrote:
> > A list of packages which FTBFS is available at,
> >
> > http://people.fedoraproject.org/~halfie/rebuild-logs.txt
>
> Looking at the list, I see several (~17) packages with
On 11/20/13 at 09:27pm, Dhiru Kholia wrote:
> We are working on a proposal to enable "-Werror=format-security"
> compilation flag for all packages in Fedora.
>
> Currently, around 400 packages FTBFS if this flag is enabled.
A list of packages which FTBFS
Hi,
We are working on a proposal to enable "-Werror=format-security"
compilation flag for all packages in Fedora.
Once this flag is enabled, GCC will refuse to compile code that could be
vulnerable to a string format security flaw. For more details, please
see https://fedorahosted.org/fesco/ticke
On 10/17/13 at 03:48pm, Jan Kratochvil wrote:
> Here is another measurement. I do not agree with the initial post's approach
> as (1) It flushes disk cache. That has no meaning for prelink measurement, it
> just adds more fuzziness to the results and it is even unreal representation
> of real wor
On 10/15/13 at 03:21pm, Daniel P. Berrange wrote:
> On Tue, Oct 15, 2013 at 10:14:13AM -0400, Paul Wouters wrote:
> > Please take prelink behind the barn and shoot it. Thanks.
> >
> > ...
> >
> > How can we have this discussion? We have had reports of numbers showing
> > no real gain. We know it af
On 10/15/13 at 05:11pm, Jan Kratochvil wrote:
> On Tue, 15 Oct 2013 16:59:59 +0200, Daniel P. Berrange wrote:
> > I wouldn't read that as saying that prelink is slowing down startup,
> > rather that the benefit of prelink is so small as to be indistinguishable
> > from the background noise.
>
> Tha
On 10/15/13 at 05:30am, Josh Boyer wrote:
> On Tue, Oct 15, 2013 at 5:19 AM, Dhiru Kholia wrote:
> > During the development of "unSPEC" [1] benchmarking suite, I made some
> > interesting observations regarding prelink.
> > ...
> > - For building kernels (usin
Hi,
During the development of "unSPEC" [1] benchmarking suite, I made some
interesting observations regarding prelink.
- Here are some measurements (for LibreOffice [2] loading time in
seconds) done using the "unSPEC" benchmarking suite. These numbers
are repeatable and you are encouraged to
Hi,
I have been working on having Reproducible Builds in Fedora for some
time.
At this point, I think I have something demoable. Ensuring Reproducible
Builds is a big task and I want your feedback, ideas, code and support.
Please see https://github.com/kholia/ReproducibleBuilds for details.
I w
Hi,
In FESCo ticket #1115, it was decided to modify the privilege escalation
policy in order to allow a local, active admin user to update/remove/etc.
signed software without requiring a password.
At this point, such a user can do "pkcon install " to install
packages without being prompted for t
Hi,
I have been using Fedora since Fedora Core 1 release. However, today I
decided to stop "lurking" and instead do something useful.
So, I have packaged "pudb" which is a full-screen console-based Python
debugger. I would appreciate a review so that I (and others) can do "yum
install python-pudb
On 07/22/13 at 08:39am, Kevin Fenzi wrote:
> On Mon, 22 Jul 2013 12:39:06 +0300
> Ville Skyttä wrote:
> > I'd like to grep through all specfiles (and preferably also patches
> > and sources in git) for rawhide, this time related to the
> > unversioned docdirs F20 feature, and sometimes for other r
On 06/18/13 at 01:50pm, Josh Bressers wrote:
> > Is java environment the only security flawed software distributed in
> > Fedora by default? I don't think so. Please, correct me if I'm
> > wrong. Does it mean Fedora should drop about 1/3 of packages
> > because they have security bugs? What about
On Fri, Jun 7, 2013 at 2:06 AM, Troy Dawson wrote:
> Is there an official Fedora way for telling if something is hardened
> correctly?
> I'm working on hardening mongodb, and I think I have it right, but I'd
> really like to check.
>
> I was given a couple of scripts, which had dependencies not in
On 04/16/13 at 05:59pm, Tom Lane wrote:
> Pursuant to the recent discussion about using _hardened_build in more
> packages, I tried turning it on in postgresql. I was unpleasantly
> surprised to find that that causes the package's regression tests to
> fail, at least when running a 32-bit build in
On 04/05/13 at 04:16pm, Jakub Jelinek wrote:
> On Fri, Apr 05, 2013 at 07:31:55PM +0530, Dhiru Kholia wrote:
> > I repeated the benchmarks (mentioned in the above bug report) for
> > Firefox 20.0 running on Fedora 18 64-bit.
>
> Firefox as benchmark doesn't look like a
On Sun, Apr 14, 2013 at 12:26 AM, Dhiru Kholia wrote:
> On Sat, Apr 13, 2013 at 11:16 PM, Steve Grubb wrote:
>> On Saturday, April 13, 2013 12:19:42 PM Rahul Sundaram wrote:
>>> Is there a tracker bug? Proven packagers can help
>>
>> I have a tracker bug for issues
On Sat, Apr 13, 2013 at 11:16 PM, Steve Grubb wrote:
> On Saturday, April 13, 2013 12:19:42 PM Rahul Sundaram wrote:
>> Is there a tracker bug? Proven packagers can help
>
> I have a tracker bug for issues identified on the core set of packages that
> would be part of a common criteria certificat
On 04/04/13 at 09:26am, Steve Grubb wrote:
> On Wednesday, April 03, 2013 09:05:18 PM Josh Bressers wrote:
> > On Wed, Apr 3, 2013 at 2:05 PM, Steve Grubb wrote:
> > How much does it (PIE) slow things down? I'm fairly certain you don't have
> > any
> > good data on this point. Dhiru is working ou
On 04/02/13 at 03:04pm, Richard W.M. Jones wrote:
> On Tue, Apr 02, 2013 at 07:15:29PM +0530, Dhiru Kholia wrote:
> > http://dl.dropbox.com/u/1522424/probable-violations-F19.csv
>
> FWIW, the following command produces much better output:
>
>
>
> like this:
>
>
On Tue, Apr 2, 2013 at 11:34 PM, Stephen Gallagher wrote:
> There are currently no tickets in the FESCo Trac instance that require
> discussion tomorrow. After discussion with several other FESCo members
> in #fedora-devel, we agreed to cancel this week's meeting unless
> something urgent comes up
On Tue, Apr 2, 2013 at 6:36 PM, Richard W.M. Jones wrote:
> On Tue, Apr 02, 2013 at 05:51:42PM +0530, Dhiru Kholia wrote:
>> http://dl.dropbox.com/u/1522424/probable-violations-F19.xls
>
> That shows:
>
>
>
> Can you use a non-proprietary format please.
>
h
On Tue, Apr 2, 2013 at 6:36 PM, Richard W.M. Jones wrote:
> On Tue, Apr 02, 2013 at 05:51:42PM +0530, Dhiru Kholia wrote:
>> http://dl.dropbox.com/u/1522424/probable-violations-F19.xls
>
> That shows:
>
>
>
> Can you use a non-proprietary format please.
>
Can you t
On 04/01/13 at 03:05pm, Dhiru Kholia wrote:
> On 04/01/13 at 10:23am, Michael Scherer wrote:
> > On Monday, 01 April 2013 at 12:29 +0530, Dhiru Kholia wrote:
> > > It would be great to have some sort of automated method to find if
> > > hardening criteria applies to a pa
On 04/01/13 at 10:23am, Michael Scherer wrote:
> On Monday, 01 April 2013 at 12:29 +0530, Dhiru Kholia wrote:
> > What would be a good way to solve this problem in your opinion?
> > (File bugs / Explicitly list such packages / Turn on hardening by default)
>
> I would file
On 03/29/13 at 08:47pm, Björn Persson wrote:
> > 2. An alternate approach is to come up with an expanded list of packages
> > which should be hardened.
>
> Since FESCo maintains a list, I suppose anyone can propose specific
> programs to be added to the list, but it seems pointless to explicitly
>
On Fri, Mar 29, 2013 at 10:43 PM, Richard W.M. Jones wrote:
>
> On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
> > 1. Hardening flags should be turned on (by default) for all packages
> > which are at comparatively more risk of being exploited or which meet
>
Hi,
This proposal was originally at https://fedorahosted.org/fesco/ticket/1104
(mitr asked me to move the discussion to fedora-devel to get more
attention and feedback)
...
http://fedoraproject.org/wiki/Hardened_Packages page mentions
that "FESCo requires some packages to use PIE and relro hard