Re: Possible deprecation/removal of Initial Setup from Fedora

2023-11-21 Thread Marek Marczykowski-Górecki
g (including xenstored, libvirt daemon and few others) and it's very annoying and fragile to do that from inside chroot. So, we do have a use case for Initial Setup. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

Re: DNF5: Checking signatures of packages installed out of a repository?

2023-11-21 Thread Marek Marczykowski-Górecki
ich is a good practice and very easy to do. After all, these > > signatures don't just protect by authenticating the source of the > > package, but they also verify the package integrity to protect against > > file corruption. > > > > Whatever inconvenience there i

Re: F38 proposal: Reproducible builds: Clamp build mtimes to $SOURCE_DATE_EPOCH (System-Wide Change proposal)

2022-11-26 Thread Marek Marczykowski-Górecki
> > > > We've discussed an RPM-specific format upstream. Debian and Arch both > have their own formats that are tailored to their package systems, and > RPM may have one too, eventually. For context, the discussion is here: https://github.c

Re: Suggestion: Use a unified kernel image by default in the future.

2022-07-20 Thread Marek Marczykowski-Górecki
pre-measured safe kernel cmdline (perhaps even hardcoded into kernel binary), while still being able to instruct initrd where to look for the root fs. Of course, initrd would need to be careful about parsing this piece of information (probably having some allowlist of options allowed in this ca

Re: deltarpm usefulness?

2021-08-11 Thread Marek Marczykowski-Górecki
own CA to avoid trusting the whole DigiCert (or other single CA), but personally I think the downsides outweigh the benefits. And this is just about the connection part, not about integrity of the server itself... BTW, I do hope that signing keys are stored somewhere else. -- Best

deltarpm usefulness?

2021-08-11 Thread Marek Marczykowski-Górecki
n the integrity of the [HTTPS connection to] mirrors.fedoraproject.org server (or any of CAs trusted by the system) - a rather fragile single point of failure. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

Re: Reproducible builds

2021-02-05 Thread Marek Marczykowski-Górecki
different packages for different archs). Alternatively, -debuginfo repo, but that feels weird. > But all this is getting a bit ahead. Someone needs to come up with the > contents and tools to make/read/do cool things with them first. :) There is one in progress alrea

Grub2 patches in Fedora

2021-02-05 Thread Marek Marczykowski-Górecki
e not upstream, or just nobody had time to do it? If the latter, can I help with this somehow? -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

Re: Fedora 34 Change: DNF/RPM Copy on Write enablement for all variants (System-Wide Change)

2021-02-05 Thread Marek Marczykowski-Górecki
where like "oh, we've found a bug in an update system, so you need to execute this very part that is vulnerable to get it fixed". -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

Re: Xen support dead?

2021-02-05 Thread Marek Marczykowski-Górecki
commits/rawhide > > One would hope that filed bugs would get addressed, then. > But, not here. Fair enuf. Actually, the buggy file (/etc/grub.d/20_linux_xen) belongs to the grub2 package, so the bug is assigned to a wrong package. -- Best Regards, Marek Marczykowski-Górecki Invisible Things

Re: Reproducible builds

2021-02-05 Thread Marek Marczykowski-Górecki
On Thu, Feb 04, 2021 at 10:56:43PM -0500, Neal Gompa wrote: > On Thu, Feb 4, 2021 at 9:23 PM Kevin Fenzi wrote: > > > > On Fri, Feb 05, 2021 at 12:17:28AM +0100, Marek Marczykowski-Górecki wrote: > > > > > > Does it make sense? > > > > That does make

Re: Reproducible builds

2021-02-04 Thread Marek Marczykowski-Górecki
y it is more logical to include in a binary RPM - a build output. In fact, Archlinux does exactly that (in their package format). If it would be in an SRPM, then you'd need to rebuild/modify SRPM _after_ building binary RPMs, which feels wrong... Does it make sense? -- Best Regards, Marek Marczykowsk

Re: Repository metadata signing?

2020-11-03 Thread Marek Marczykowski-Górecki
robosignatory and pungi developers (links to the issues on those in the > infra ticket). I'll look into it. I am vaguely familiar with pungi code, but not so much with robosignatory. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which peop

Re: Fedora Security Team

2020-11-03 Thread Marek Marczykowski-Górecki
.redhat.com/buglist.cgi?bug_status=__open__&classification=Fedora&product=Fedora&query_format=advanced&short_desc=CVE&short_desc_type=allwordssubstr -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally rea

Re: Repository metadata signing?

2020-11-03 Thread Marek Marczykowski-Górecki
On Tue, Nov 03, 2020 at 12:24:45AM -0500, Neal Gompa wrote: > On Tue, Nov 3, 2020 at 12:16 AM Marek Marczykowski-Górecki > wrote: > > Is it possible to enable the first one, but leave the second to the > > user, until DNF is adjusted for better UX around the keys? That would >

Re: Repository metadata signing?

2020-11-02 Thread Marek Marczykowski-Górecki
). Is there any dnf command similar to `rpm --import`, to preemptively import the key, or the only option is to accept the prompt? I can't find anything about it in dnf's man page... -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in w

Repository metadata signing?

2020-11-02 Thread Marek Marczykowski-Górecki
could reduce damage in case of metalink-hosting server compromise. I don't know much about Fedora infrastructure, but perhaps there is still something I could help with? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1868639 -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A:

Fedora Security Team

2020-11-02 Thread Marek Marczykowski-Górecki
t state for the base system. [1] https://oss-security.openwall.org/wiki/mailing-lists/distros#linux-distribution-security-contacts-list -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-post

Re: Unretire osslsigncode

2019-06-04 Thread Marek Marczykowski-Górecki
On Tue, Jun 04, 2019 at 08:20:50AM -0400, Neal Gompa wrote: > On Tue, Jun 4, 2019 at 8:16 AM Florian Weimer wrote: > > > > * Marek Marczykowski-Górecki: > > > > > I'd like to request unretire osslsigncode[1]. Originally it was retired > > > because of b

Unretire osslsigncode

2019-06-03 Thread Marek Marczykowski-Górecki
de [2] https://github.com/mtrojnar/osslsigncode [3] https://bugzilla.redhat.com/show_bug.cgi?id=1424037#c9 [4] https://koji.fedoraproject.org/koji/taskinfo?taskID=35260552 -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read

Re: CVE-2018-14665 : Xorg X Server Vulnerabilities

2018-11-01 Thread Marek Marczykowski-Górecki
> named Xwayland running as well. This CVE affects the X server named > Xorg. If I understand this CVE correctly, it doesn't matter what X server is running (if any at all). It does matter what setuid-root Xorg binary is installed (or not). -- Best Regards, Marek Marczykowski-Górecki Invisible T

Re: Installation image layout

2018-10-15 Thread Marek Marczykowski-Górecki
" or "System Wide" Change, or what should specifically be listed in "Scope". If IRC would be more appropriate for such discussion, that's fine for me too. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it

Re: Installation image layout

2018-10-12 Thread Marek Marczykowski-Górecki
On Fri, Oct 12, 2018 at 03:44:38PM -0600, Chris Murphy wrote: > On Fri, Oct 12, 2018 at 4:30 AM, Marek Marczykowski-Górecki > wrote: > > On Thu, Oct 11, 2018 at 09:24:08PM -0600, Chris Murphy wrote: > >> Why does efiboot.img have a 32MiB limit? > > > > Because "

Re: Installation image layout

2018-10-12 Thread Marek Marczykowski-Górecki
On Thu, Oct 11, 2018 at 09:24:08PM -0600, Chris Murphy wrote: > On Thu, Oct 11, 2018 at 6:37 PM, Marek Marczykowski-Górecki > wrote: > > Hi all! > > > > I'm new on this list. I work on Qubes OS, where Fedora is used as a base > > distribution. > > > >

Installation image layout

2018-10-11 Thread Marek Marczykowski-Górecki
1e3e1006013772528078914f491d14c1f [3] https://reproducible-builds.org/specs/source-date-epoch/ -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?