olution? If
not, then I don’t see why musl (which Fedora already ships!) would be a
problem. If it does, could the lookups be moved to a separate process?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
On 4/22/23 10:13, David Michael wrote:
> On Fri, Apr 21, 2023 at 10:02 PM Demi Marie Obenour
> wrote:
>> On 4/21/23 11:13, David Michael wrote:
>>> Hi,
>>>
>>> Following up on this, Firecracker has been accepted and submitted to
>>> Fedo
glibc instead.
Can they support glibc without either taking on a huge maintenance burden
or weakening the sandbox?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-
kind of thing, but we can't all
> follow the devil list :). If this turns out to be an issue in LLVM
> itself, the bug can always be reassigned to the llvm package if
> necessary.
>
> Fabio
Why does the Rust package not use Rust’s own fork of LLVM?
--
Sincerely,
Demi Mari
ny newer either.
>>
>> Is this still true? I don't think we want to make the Fedora release
>> process contingent on something that requires F33.
>>
>> ```
> $ sudo -i ssh osbs-aarch64-node01.iad2.fedoraproject.org cat
> /etc/system-release
> Fedor
rue? I don't think we want to make the Fedora release
>>>> process contingent on something that requires F33.
>>>
>>> yes, it's still true. Note that's the aarch64 osbs cluster.
>>> The x86_64 one is rhel7.
>>
>> Might it be possi
On 5/8/23 19:09, Neal Gompa wrote:
> On Mon, May 8, 2023 at 7:05 PM Demi Marie Obenour
> wrote:
>>
>> On 5/8/23 18:49, Kevin Fenzi wrote:
>>> On Mon, May 08, 2023 at 09:29:02PM +0100, Sebastian Crane wrote:
>>>> Dear Kevin,
>>>>
>>>
On 5/9/23 07:53, Stephen Smoogen wrote:
> On Mon, 8 May 2023 at 19:35, Demi Marie Obenour
> wrote:
>
>> On 5/8/23 19:09, Neal Gompa wrote:
>>> On Mon, May 8, 2023 at 7:05 PM Demi Marie Obenour
>> wrote:
>>>>
>>>> On 5/8/23 18:49, Kevin Fenzi
le anyway.
>
> Zbyszek
I don’t think putting more and more in the initramfs is a good
idea. I would much rather have a dm-verity protected partition
for early boot stuff, which then uses pivot_root() to switch to
the main system.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
-crypt.
The kernel config used by the Qubes kernel package I use (6.1.28) is
based on Fedora 37’s config, and Marek Marczykowski-Górecki (CCd)
indicated that the same arguments apply to Fedora. Therefore, I am
asking if Fedora should use full kernel preemption by default.
--
Sincerely,
Demi Marie
r. But my $dayjob uses Salt
> for some things, and if it doesn't start working again soon, I'm
> afraid they'll revoke my permission to use Fedora at work. So, any
> help to get this fixed would be greatly appreciated.
Qubes OS also uses Salt. CCing Marek Marczykowski-Górecki
On 5/24/23 08:44, Zdenek Kabelac wrote:
> Dne 20. 05. 23 v 22:43 Demi Marie Obenour napsal(a):
>> I noticed that by default, Qubes OS has voluntary kernel preemption
>> as opposed to full preemption. I found that enabling full preemption
>> (preempt=full on kernel command l
Then we can get rid of any Oracle tests.
>
> Did you ever develop in Java? It doesn't sound like you are even minimally
> familiar with Java. A little expertise would really be beneficial for devel
> mailing list.
Can you explain please?
--
Sincerely,
Demi Marie Obenour (s
cation behaves much more
like one that is written in a native language like C++,
Rust, or Swift. Additionally, AOT-compiled applications
are likely significantly harder to reverse engineer. That
is a bad thing from my perspective, but in the corporate
world it might be desirable.
--
Sincer
Office Flatpak, but be aware that this is
> a sizable block of packages and dependencies and a significant amount of work
> to keep up with.
>
> Matthias
Why is a Flatpak a better choice for LibreOffice?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
On 6/1/23 15:59, Christian Schaller wrote:
> On Thu, Jun 1, 2023 at 2:36 PM Demi Marie Obenour
> wrote:
>> Why is a Flatpak a better choice for LibreOffice?
>
> There are a lot of ways to answer this, but from any upstream the advantage
> of Flatpak is that it means package
efox, and OBS
already have to deal with updating bundled dependencies.
> Whatever is not in a rule-conforming rpm, is not correctly packaged,
> in my opinion.
Are you willing to do the packaging work? Asking upstream to create
packages for every distribution is not reasonable.
--
Sinc
> The Flatpak sandbox does not attempt to guard against kernel bugs -- it
> can't, because it has to allow access to all syscalls that applications
> might reasonably want to use -- so if you don't trust the kernel to be
> secure (including user namespaces), Flatp
On 6/5/23 15:01, Adam Williamson wrote:
> On Mon, 2023-06-05 at 19:51 +0200, Roberto Ragusa wrote:
>> On 6/5/23 19:13, Demi Marie Obenour wrote:
>>
>>> Are you willing to do the packaging work? Asking upstream to create
>>> packages for every distribution is no
s
the solution is a special driver that communicates with the trusted
execution environment (TEE). This meets the “tamperproof” requirement
(quotes because unless it is in a proper secure element it isn’t really
tamperproof), but it means that the OS must use nonstandard methods to
access th
, in the case of Chromium that does
mean using a clang binary built from the same sources as the one Google
provides. Every hour needed to ship a patch is one hour the attackers
have to write and deploy an exploit.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
ck ==
>
>
> == Benefit to Fedora ==
>
> Java maintainers will finally have some free time... No kidding -
> maintenance and *certification* of so much supported JDKs on so much
> Fedora versions is brutal. By building once, and repack, we will
> regain cycles to contin
On 12/3/22 22:41, Bojan Smojver via devel wrote:
> 107.0.1 build for
> F37/x86_64: https://copr.fedorainfracloud.org/coprs/bojan/FF/
>
> If you want/need or are obsessive about version numbers, like yours
> truly. ;-)
When will FF107 actually ship in Fedora?
--
Sincerely,
Dem
server-side
>> automation for populating side-tags with updated builds against a
>> package.
>
> But it is not practical given the performance concerns around side tags.
Can those be fixed?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
w
> about --call-graph=dwarf but it doesn't seem to work most of the time.)
That is due to known limitations in perf, IIUC. Hence why at least I was
pushing so heavily to improve perf to not require frame pointers.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
spiled in some way. Using a desktop toolkit would be far FAR
better.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
ou still can't link against openh264 because Fedora can't ship it an
> even have in Koji's buildroot, you can only use dlopen().
Could Fedora ship a shim library that exposed the same API and used
dlopen() internally?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
On 12/18/22 00:19, Neal Gompa wrote:
> On Sun, Dec 18, 2022 at 12:18 AM Demi Marie Obenour
> wrote:
>>
>> On 12/17/22 05:31, Vitaly Zaitsev via devel wrote:
>>> On 17/12/2022 06:29, Bob Hepple wrote:
>>>> Now that we have ffmpeg-free we have an oppo
On 12/18/22 00:24, Neal Gompa wrote:
> On Sun, Dec 18, 2022 at 12:21 AM Demi Marie Obenour
> wrote:
>>
>> On 12/18/22 00:19, Neal Gompa wrote:
>>> On Sun, Dec 18, 2022 at 12:18 AM Demi Marie Obenour
>>> wrote:
>>>>
>>>> On 12/17/22 05:3
== Contingency Plan ==
> * Contingency mechanism:
> ** Probably none (unified kernel images are opt-in for Phase 1).
> ** In case we tried switching the cloud images to unified kernels:
> revert the kickstart config changes.
> * Contingency deadline:
> * Blocks release? No
>
>
On 12/20/22 16:34, Simo Sorce wrote:
> On Tue, 2022-12-20 at 14:56 -0500, Demi Marie Obenour wrote:
>> How do you plan to handle system recovery? For VMs this is much
>> less of a concern, but on bare metal there needs to be a way for
>> a local, authenticated administrator t
my ideas here:
>
> https://0pointer.net/blog/linux-boot-partitions.html
>
> Lennart
Does vfat support atomic rename? Is it possible to atomically upgrade
a bootloader/UKI/etc?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
On 12/21/22 12:17, Lennart Poettering wrote:
> On Mi, 21.12.22 12:12, Demi Marie Obenour (demioben...@gmail.com) wrote:
>
>>> At least for the systemd stuff, we carefully made sure that our access
>>> patterns to the ESP both from sd-boot/sd-stub and from userspace are
>
>
>> == Dependencies ==
>> No other RPMs depend on this change.
>>
>>
>> == Contingency Plan ==
>>
>> This change depends on whether upstream merges this new default
>> behavior. If upstream does not merge the feature in time, this Change
>>
valuable to know if this, or something else, is needed. I will also
> bring this to the attention of the Open Mainframe Project Linux
> Distributions Working Group, since all of the distros use this
> byte-swapped code.
Fuzzing the X server’s byte-swapping and input validation routines
wo
broken since the very beginning, and it was
> broken by design in the PC world.
>
> Consumer PC equipment is even worse off because of how Microsoft's
> Windows requirements influence how UEFI implementations work.
IMO a much more realistic approach for bare hardware is measured b
hout support from buggy UEFI firmware. Furthermore, measured boot
allows tying e.g. LUKS keys to a combination of the actual OS booted and
a passphrase needed to unlock the TPM. This allows the TPM’s protection
against brute-force attacks to be used.
--
Sincerely,
Demi Marie O
rocess is holding things
> up, doing the best it can to flush. Databases and VM's do come to mind, in
> particular because I routinely run VMs on my laptop with cache mode unsafe.
> If the VM is forcibly quit, it's fine. But if the host is forcibly rebooted
> befo
ent-side. There is nothing in place right now to do this and
>>>> while it's probably possible to automate this somewhat with xcb, you're
>>>> still looking at a huge project. And once it all works, you need to
>>>> ensure it works against malicious inpu
manual contains the documentation for the release and
>> doesn't need any more additional work.
>>
>> The glibc manual contains the documentation for the release and
>> doesn't need any more additional work.
>>
>> The gdb manual contains th
nary distribution of shared libraries highly impractical. That is
> why I think this was a short-sighted design decision.
Cargo features are supposed to be additive, so one can sometimes ship
a single package with the union of all features used by its reverse
dependencies. This must be handle
nd now.
The optimizations enabled by profiling can be much larger than 3-10%.
To be clear, I would prefer a means of profiling that does not cause a
performance penalty for everyone else, but that will take much longer
to create.
--
Sincerely,
Demi M
optimizations enabled by profiling can be much larger than 3-10%."
As the one who made this statement: Profiling can result in very large
gains. I cannot predict what the actual gains will be.
> There needs to be substance behind such predictions if they are going
> to be used as
s and techniques that do not
> require frame pointer recompilation, but whatever.)
Which ones? I would love for them to exist, and I believe there is
work being done in that direction, but I am not aware of any yet.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
he entire world.
>
> Kevin Kofler
Absolutely correct.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
> unwinder into the kernel is one of the reasons for that and should be
> addressed by a downstream kernel patch, not by pessimizing the entire
> distribution).
Would you be willing to write such a patch and send a PR to include it in
Fedora’s kernel packages?
--
Sincerely,
Demi
data (out of context, for that frame
> alone). Or it could be spelt out that LBR has to be used to recover the
> calling frame. This isn't really something that Fedora can implement in
> a downstream change, though.
What about the new SFrame unwind info?
--
Sincerely,
Demi
moderate when it came to
> unwinding.
Could the vDSO do the unwinding?
> [1] https://sourceware.org/legacy-ml/libc-alpha/2018-03/msg00214.html
--
Sincerely,
Demi Marie Obenour (she/her/hers)
libraries, and therefore provides
complete compatibility with the in-kernel unwinder. It also allows
supporting programs in languages such as Go that do not use any libc.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
holes/missing functionality?
>
> Cheers,
>
> Mark
>
>> [1]
>> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/646XXHGEGOKO465LQKWCPPPAZBSW5NWO/
>>
>
es sense but our tools don't really
> help.
>
> Let's take the case of OpenImageIO[1][2], which is why I'm asking this
> question, I only update Rawhide when SONAME is bumped, so if a CVE is only
> fixed in the latest release, then onl
p
up-to-date, but they *work*, and that is important. They also
*massively* reduce the test burden.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
On 1/28/23 18:43, Demi Marie Obenour wrote:
> On 1/28/23 18:06, Nico Kadel-Garcia wrote:
>> On Thu, Jan 26, 2023 at 8:31 PM Reon Beon via devel
>> wrote:
>>>
>>> Are there still some outstanding bugs preventing this from happening?
>>
>> Is there any o
On 1/30/23 02:17, Florian Weimer wrote:
> * Demi Marie Obenour:
>
>> What about the new SFrame unwind info?
>
> It has the same limitation as DWARF: there's no mainline kernel
> implementation for profiling or bpftrace.
>
> Thanks,
> Florian
Have you consid
mmon denominator: 1 :)
--
Sincerely,
Demi Marie Obenour (she/her/hers)
g else?
>
> Basically yes.
Not sure if Debian supports armhfp, but in the long term the answer is
going to be to find a distro that cross-compiles everything.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
illa.rpmfusion.org/show_bug.cgi?id=6469
>
> Could a reviewer who is familiar with akmod package take a look into it?
>
> Thank you
This is great! That said, are you working on getting this driver
upstreamed, with corresponding working, open userspace?
--
Sincerely,
De
On 2/12/23 22:06, Kate Hsuan wrote:
> Hi,
>
> On Sat, Feb 11, 2023 at 4:54 AM Demi Marie Obenour
> wrote:
>>
>> On 2/10/23 04:24, Kate Hsuan wrote:
>>> Hi,
>>>
>>> Recently, we are working on getting IPU6 MIPI camera to work for the
>>>
hromium-based.
And is kept up to date, unlike QtWebEngine. QtWebEngine is invariably
behind on security patches. I blame Google for not making embedded
Chromium a first-class citizen.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
>
> F39/F40 and beyond?
> F38 and beyond?
> X-date and all releases?
F38+? Also maybe disable deltarpms in dnf.conf, to reduce attack surface.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
> wouldn't leave the other options out of the question.
Can we also disable deltarpms in the F38 repo files? It’s a 1-line change,
trivially revertable, and it measurably reduces the attack surface of DNF.
If no deltarpms are being generated, there is no point in DNF loo
cus on those — and give DeltaRPMs a
>> sad, fond farewell.
>
> Could we do this as a two-step approach? First change the default to
> not use deltas but still allow people to opt-in to it. Then (assuming
> we can track this, which maybe we can't) see how much they'r
it sounds like "remove the step in the release SOP to turn them _on_ for
> the branch at release time" would be the easiest way to go. And the default
> config could be changed in DNF at any time for F38+.
I would like to see the DNF config
continuously, then one should use a more stable
> distribution than Fedora.
>
> Björn Persson
I actually use --security for the *opposite* purpose: to get security
updates from updates-testing. Only problem I can remember having is broken
syntax highlighting
f upgrade" can safely skip it.
>
> Or Fedora could reverse it: Fedora would run a network service which clients
> would send a list of installed packages and the service would return a list of
> affected packages. At the end, ostree od debuginfod
sses: a launcher that does all name lookups, and a sandboxed process that
does everything else.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
with you, but
I want to know *why* you believe this, especially since flatpaks consume
additional memory and disk space compared to RPMs.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
media. The adoption for the
> other media later is planned too, but the exact date will be based on
> feedback and our capacity allowance.
What is the reason for using a web-based UI instead of continuing to use
GTK?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
mote installation is not a solution to the memory bloat. It only
pushes the problem to whatever machine the browser runs on, and it
has significant and negative security implications. A solution
here would be ensuring that the web UI uses no more RAM than the
GTK UI that preceded it.
execution exploits have
been found very, _very_ quickly. There may well be times when
attackers can write and use an exploit faster than Red Hat QA can
process an update. For these vulnerabilities waiting on Red Hat QA
is not an option.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
On 7/2/23 19:28, Michael Catanzaro wrote:
> On Sun, Jul 2 2023 at 04:59:39 PM -0400, Demi Marie Obenour
> wrote:
>>>
>> Fedora Flatpaks are also a security disaster: they are shipped in OCI
>> format instead of OSTree format, but they aren’t signed by anyone.
>>
On 7/3/23 03:18, Simon de Vlieger wrote:
> On 7/2/23 23:56, Demi Marie Obenour wrote:
>
>> Remote installation is not a solution to the memory bloat. It only
>> pushes the problem to whatever machine the browser runs on, and it
>> has significant and negative security i
.
I suspect other packages in the Node ecosystem have the same problem.
Would it be possible to ensure that Node packages contain only actual source
code, as in “the preferred form for making modifications” (quote from GNU GPL,
I forget which version)?
--
Sincerely,
Demi Marie Obenour (she/her
On 7/3/23 11:59, Tom Hughes wrote:
> On 03/07/2023 16:41, Demi Marie Obenour wrote:
>
>> Would it be possible to ensure that Node packages contain only actual source
>> code, as in “the preferred form for making modifications” (quote from GNU
>> GPL,
>> I forget w
s that WebKitGTK+ tries quite hard to make this easy.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
u want to do that? Or would you like me or someone else
>>> to do so?
>>
>> I would love someone else to do so, but if no one else wants to, I can. :)
>
> Well ... has anybody filed a change proposal yet, or should I do that?
>
> Fabio
Do it! Also include deltar
“Enable telemetry (y/n)?” be a mandatory question in the installer,
which the user must answer.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
On 7/6/23 21:17, Michael Catanzaro wrote:
> On Thu, Jul 6 2023 at 07:42:47 PM -0400, Demi Marie Obenour
> wrote:
>> Then make the metrics be neither opt-in nor opt-out. Have
>> “Enable telemetry (y/n)?” be a mandatory question in the
>> installer,
>> which
On 7/7/23 21:14, Naheem Zaffar wrote:
> On Sat, 8 Jul 2023, 01:08 Randy Barlow via devel, <
> devel@lists.fedoraproject.org> wrote:
>
>> On 7/7/23 19:59, Demi Marie Obenour wrote:
>>> That is not consent. The GDPR explicitly states that consent must
>>> be
that the entire metrics set would need to be able to be represented
as a 20-bit integer. In practice, I suspect one would need to fit
the entire set in a 16-bit integer or less, and possibly
_significantly_ less.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
> products
> from getting the bad reputation, despite some of them reportedly using
> Differential Privacy (!).
I 100% agree with this. Even if it can be done in a way that preserves
user privacy, the risk to Fedora’s reputation is simply not worth it.
--
Sincerely,
Demi Marie Obenour (she/
ics to
>> FESCO:
>> https://discussion.fedoraproject.org/t/unofficial-poll-about-opt-out-metrics-proposal/85494
>
> How is that going to help anything, when some of us are using browsers
> from Fedora repos, that just gets this answer:
Which browser?
--
Sincerely,
Demi Mar
On 7/9/23 19:08, Allan via devel wrote:
> On Sun, 9 Jul 2023 18:54:18 -0400
> Demi Marie Obenour wrote:
>
>> On 7/9/23 18:53, Allan via devel wrote:
>>> On Sun, 09 Jul 2023 06:59:11 +
>>> Mattia Verga via devel wrote:
>>>
>>>> Il 08/07/2
On 7/10/23 02:30, Vitaly Zaitsev via devel wrote:
> On 10/07/2023 02:49, Demi Marie Obenour wrote:
>> QtWebEngine (used by Falkon) was a
>> month or more behind upstream Chromium last I checked.
>
> Qt5QtWebEngine is an extremely vulnerable thing. It still uses Chromium
>
On 7/11/23 15:45, Jeremy Linton wrote:
> On 7/10/23 13:16, Demi Marie Obenour wrote:
>> On 7/10/23 02:30, Vitaly Zaitsev via devel wrote:
>>> On 10/07/2023 02:49, Demi Marie Obenour wrote:
>>>> QtWebEngine (used by Falkon) was a
>>>> month or mo
ect. Such a proof would probably be worthy of publication
in a peer-reviewed research paper.
Since this Change proposal comes from Red Hat, I have an alternative
to propose: Red Hat can ask its paying corporate customers for
this information, perhaps in exchange for a discount on their
ading rebuilds
is a good idea. That requirement comes from Haskell, OCaml, and Rust, not me,
and so any complaints should be directed there. This subthread is strictly
about changes to Fedora’s build system that make it easier to implement
cascadin
On 7/13/23 11:32, Fabio Valentini wrote:
> On Thu, Jul 13, 2023 at 5:25 PM Demi Marie Obenour
> wrote:
>>
>> On 7/5/23 02:22, Jens-Ulrik Petersen wrote:
>>> I have submitted a Flock proposal to have a common discussion session for
>>> (modern) Language SIGs.
On 7/13/23 11:52, Demi Marie Obenour wrote:
> On 7/13/23 11:32, Fabio Valentini wrote:
>> On Thu, Jul 13, 2023 at 5:25 PM Demi Marie Obenour
>> wrote:
>>>
>>> On 7/5/23 02:22, Jens-Ulrik Petersen wrote:
>>>> I have submitted a Flock proposal to have
dy LFS compatible.
I recommend that the entire distro be compiled with LFS.
The non-LFS ABI is obsolete for exactly this reason.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
file creation, libcap, is not fully built
> in LFS mode. Once we fix that, we know that we'll run into issues with
> chkconfig and update-alternatives. It's a never-ending source of bugs.
> It's not a good use of maintainer time.
>
> We can't change the overall dist
On 7/20/23 11:06, Florian Weimer wrote:
> * Demi Marie Obenour:
>
>> On 7/17/23 09:51, Florian Weimer wrote:
>>> * Daniel P. Berrangé:
>>>
>>>>> But that still raises the question - why does it look like this
>>>>> started to happen pr
does and is the only
solution that is decently secure.
There are all sorts of other problems that need to be addressed as well,
such as ensuring that only fuzzed and hardened USB drivers are used.
But the mounting restrictions are the first step.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
ightmare.
>
> In the "usability vs security" tradeoff, usability/convenience *always*
> wins unless you're at a place that has armed guards at the door with
> instructions to shoot first.
>
> - Solomon
Then the mount needs to be done in a sandbox, such as a KVM
support any effort to restrict (by default)
> auto-mounting to a smaller set of filesystems that could reasonably be
> expected to be found on removable media (isofs, fat, exfat ...) and shut
> off all the rest to limit the attack surface here.
Dis
On 7/24/23 08:47, Richard W.M. Jones wrote:
> On Sun, Jul 23, 2023 at 11:18:45PM -0400, Demi Marie Obenour wrote:
>> On 7/23/23 12:10, Solomon Peachy via devel wrote:
>>> On Sun, Jul 23, 2023 at 11:25:12AM -0400, Neal Gompa wrote:
>>>>> If the system administrator
fuzzer could never have reached (think: fuzzing metadata and
> then fixing up the checksum so it passes initial validation on read.)
>
> And frankly that is some of my motivation to find an improvement here. A
> small cadre of filesystem developers are near the breaking point tryi
a similar purpose. Similarly, Rust and Android can trim
> "unused" zero entries from the end of &hash_array[nbucket],
> even though buckets[] and hash_array[] should be parallel.
Please report a bug at https://github.com/rust-lang/rust/issues.
--
Sincerely,
Demi Mar