On Friday 22 January 2010 10:25:47 am David Malcolm wrote:
> i.e. it seems to me like it's worth going through the Feature process
> (either as a Feature or an Enhancement), if only to capture the standard
> concerns there and create a URL describing the change; see:
> https://fedoraproject.org/wik
On Friday 22 January 2010 01:30:11 pm Richard Zidlicky wrote:
> > We would want to change the owner write permission bit for all
> > executables. In F-12 we took care of the major directories, this is
> > phase 2 of the same project where we take a bigger step. Phase 1 was
> > proving that the mis
On Friday 22 January 2010 09:54:35 pm Garrett Holmstrom wrote:
> > I don't expect any problems from this change (it can affect only daemons
> > that drop capabilities, and executables owned by other users than root);
> > in the unusual case where making the executable not writeable did cause
> > so
Hello,
I have been running into something on F-12 that is really annoying and was
wondering if anyone else is seeing this. When I use kmail and want to attach a
file that is not in my Documents folder and go up one level to my homedir, it
hangs. I can't do anything with kmail except kill the em
On Saturday 23 January 2010 08:53:08 am Mamoru Tasaka wrote:
> > Is this a defective file system or are a whole bunch of apps needing to
> > be fixed? Also, do other people notice the same thing?
>
> Perhaps this issue:
> https://fedoraproject.org/wiki/Common_F12_bugs#FUSE_mounts_may_hang
> https
On Monday, August 08, 2011 12:23:43 PM Adam Jackson wrote:
> * 2: how do we go about doing it?
> All of this is only an issue because most build systems don't let you
> say different CFLAGS or LDFLAGS for shared libraries and executables.
> Sigh.
>
> So instead, we'll teach gcc to figure it out.
On Tuesday, August 09, 2011 07:51:07 AM Matthew Garrett wrote:
> On Mon, Aug 08, 2011 at 11:16:12PM -0400, Steve Grubb wrote:
> > This list is woefully incomplete. I would advocate a much larger list.
> > For example, sudo is a very important program that we make security
> >
On Tuesday, August 09, 2011 09:20:53 AM Matthew Garrett wrote:
> > Taking RHEL6 through common criteria and FIPS-140, filing dozens of
> > security bugs after studying some problems and sending patches. I am
> > monitoring the FESCO ticket, but I don't monitor fedora-devel all the
> > time because
On Friday, August 19, 2011 03:41:33 AM Tim Waugh wrote:
> On Thu, 2011-08-18 at 16:52 -0600, Orion Poplawski wrote:
> > It's not so much cups start up being slow as discovering network
> > printers. That can take up to a minute I think.
>
> This is true... however, discovered printers are cached s
On Friday, August 19, 2011 10:50:51 AM Richard Hughes wrote:
> On 19 August 2011 13:35, Steve Grubb wrote:
> > All security guidance says turn off or get rid of avahi. We really don't
> > want to require it just to print.
>
> Then "security" is flying in the
On Friday, August 19, 2011 10:38:59 AM Ola Thoresen wrote:
> On 19. aug. 2011 16:00, "Jóhann B. Guðmundsson" wrote:
> > On 08/19/2011 12:35 PM, Steve Grubb wrote:
> >> On Friday, August 19, 2011 03:41:33 AM Tim Waugh wrote:
> >>> On Thu, 2011-08-
On Friday, August 19, 2011 11:24:39 AM Tim Waugh wrote:
> On Fri, 2011-08-19 at 11:03 -0400, Steve Grubb wrote:
> > People running in a LSPP configuration would be horrified
> > to know avahi is now required for printing top secret documents.
>
> Just to clarify: it is not r
On Friday, August 19, 2011 11:12:25 AM Tomasz Torcz wrote:
> On Fri, Aug 19, 2011 at 11:07:45AM -0400, Steve Grubb wrote:
> > On Friday, August 19, 2011 10:38:59 AM Ola Thoresen wrote:
> > > On 19. aug. 2011 16:00, "Jóhann B. Guðmundsson" wrote:
> > > > O
On Friday, August 19, 2011 10:50:01 PM Kevin Kofler wrote:
> Tim Waugh wrote:
> > Oh, I just noticed this:
> >
> > https://fedoraproject.org/wiki/Packaging:Guidelines:Systemd#Socket_activation
> > "Since Fedora currently doesn't want any services to do on-demand
> > loading, all socket activated
On Saturday, August 20, 2011 02:17:04 PM Lennart Poettering wrote:
> On Sat, 20.08.11 09:41, Steve Grubb (sgr...@redhat.com) wrote:
> > On Friday, August 19, 2011 10:50:01 PM Kevin Kofler wrote:
> > > Tim Waugh wrote:
> > > > Oh, I just noticed this:
> > > &g
On Sunday, August 21, 2011 05:22:17 PM Genes MailLists wrote:
> On 08/21/2011 05:09 PM, Steve Clark wrote:
> >>> http://0pointer.de/blog/projects/systemd.html
> >>>
> >>> Read the part about "Parallelizing Socket Services". It explains why
> >>> socket activation is interesting,
> >>
> >> I find
On Sunday, August 21, 2011 08:01:33 PM Rahul Sundaram wrote:
> On 08/22/2011 05:24 AM, Steve Grubb wrote:
> > Imagine an updated xinetd + upstart. Would that not solve the
> > problems, cause less turmoil, and be more secure?
>
> How? Fedora has talked about moving to sy
Hello,
I didn't want to continue this discussion until I have a working F16 setup. Recently
something got fixed so that install now works...so...
On Tuesday, August 09, 2011 10:39:26 AM Adam Jackson wrote:
> On Tue, 2011-08-09 at 08:47 -0400, Steve Grubb wrote:
> > My main conce
On Monday, August 22, 2011 08:32:57 PM Lennart Poettering wrote:
> On Mon, 22.08.11 17:19, Adam Williamson (awill...@redhat.com) wrote:
> > On Mon, 2011-08-22 at 20:09 -0400, Genes MailLists wrote:
> > > On 08/22/2011 07:07 PM, Adam Williamson wrote:
> > > > On Sun, 2011-08-21 at 17:09 -0400, Steve
Hello,
I do a lot of work on making sure Linux meets various security standards. One of the
better known security profiles is the DISA STIG. (STIG means Security Technical
Information Guide.) Back in February, there was a big update to it. I have reviewed it
and sent feedback to get some item
On Sunday 07 March 2010 11:55:11 am Johan Cwiklinski wrote:
> If I change the path in conf.d/BackupPC.conf ; users who have modified
> the .conf file will get a conf.rpmnew file ; that's fine.
> The ones who did not change the .conf file will have it replaced by RPM,
> breaking the apache authentic
On Friday 26 March 2010 07:25:53 pm Michał Piotrowski wrote:
> Vulnerability described in CVE-2009-2904
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904 was
> addressed in https://rhn.redhat.com/errata/RHSA-2009-1470.html for
> RHEL. Isn't F11 openssh version also vulnerable?
RHEL5 us
On Saturday 27 March 2010 09:17:55 am Steve Grubb wrote:
> On Friday 26 March 2010 07:25:53 pm Michał Piotrowski wrote:
> > Vulnerability described in CVE-2009-2904
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904 was
> > addressed in https://rhn.redhat.com/
On Saturday 27 March 2010 04:17:13 pm Michał Piotrowski wrote:
> > So if you are on 5.2p1-6, you should be OK.
>
> This upgrade should be pushed to updates-testing and updates
>
> yum --enablerepo=updates-testing upgrade openssh
> [..]
> openssh x86_64 5.2p1-5.fc11 update
On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote:
> I need a few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dump
Hello,
I was curious how many library packages we have that also include applications in
them, so I wrote a small shell script:
http://people.redhat.com/sgrubb/security/lib-bin-check
On my F16 installation, it finds around 60 packages that are libraries with
applications. I'd like to ask if
On Sunday, November 20, 2011 10:20:51 AM Josh Boyer wrote:
> On Sun, Nov 20, 2011 at 10:17 AM, Steve Grubb wrote:
> > Hello,
> >
> > I was curious how many library packages we have that also include
> > applications in them, so I wrote a small shell script:
> &
On Sunday, November 20, 2011 10:26:09 AM Steve Grubb wrote:
> On Sunday, November 20, 2011 10:20:51 AM Josh Boyer wrote:
> > On Sun, Nov 20, 2011 at 10:17 AM, Steve Grubb wrote:
> > > Hello,
> > >
> > > I was curious how many library packages we have that also
On Sunday, November 20, 2011 02:14:09 PM drago01 wrote:
> On Sun, Nov 20, 2011 at 8:03 PM, Kevin Kofler wrote:
> > Steve Grubb wrote:
> >> For example, if a 32 bit library is installed, which application is left
> >> - the 64 or 32 bit one?
> >
> > If you i
On Monday, February 06, 2012 09:31:50 AM Bohuslav Kabrda wrote:
> Ruby 1.9.3 has finally made it into Rawhide, there are still few more
> packages that need to be built, but otherwise the transition was
> successful.
>
> Please note again, that soname has been bumped to 1.9.1 and license is
> cha
On Saturday, February 11, 2012 11:32:09 AM Toshio Kuratomi wrote:
> On Sat, Feb 11, 2012 at 10:42:53AM -0500, Steve Grubb wrote:
> > On Monday, February 06, 2012 09:31:50 AM Bohuslav Kabrda wrote:
> > > Ruby 1.9.3 has finally made it into Rawhide, there are still few more
> &
On Saturday, February 11, 2012 12:57:40 PM Toshio Kuratomi wrote:
> On Sat, Feb 11, 2012 at 11:41:48AM -0500, Steve Grubb wrote:
> > On Saturday, February 11, 2012 11:32:09 AM Toshio Kuratomi wrote:
> > > On Sat, Feb 11, 2012 at 10:42:53AM -0500, Steve Grubb wrote:
> > &g
On Friday, February 25, 2011 03:13:31 am Matthias Runge wrote:
> - change systems logs owners from root:root mode 600 to root:adm mode
> 640 (or something similar)
So, what would be the implementation of this? How would logcheck or any log reader
work? Would they be setgid applications or would
On Saturday, July 18, 2015 10:42:43 AM Florian Weimer wrote:
> Let's assume I want to start a service as an ordinary user, but allow to
> bind it to a privileged port. The program implementing the service does
> not manipulate capabilities in any way.
>
> I came up with this system unit for
On Monday, July 20, 2015 04:27:35 PM Florian Weimer wrote:
> >> The algorithm documented in capabilities(7) suggests that retaining
> >> effective capabilities across an execve system call absolutely requires
> >> file capabilities (the inheritable part).
> >
> >
> >
> > No. You can start off as r
On Monday, July 20, 2015 11:09:39 AM Andrew Lutomirski wrote:
> On Jul 20, 2015 11:05 AM, "Florian Weimer" wrote:
> > On 07/20/2015 05:59 PM, Steve Grubb wrote:
> > > Today, any application that wants to manipulate capabilities needs to be
> > > capability awa
On Monday, July 20, 2015 12:45:28 PM Andrew Lutomirski wrote:
> On Mon, Jul 20, 2015 at 12:26 PM, Steve Grubb wrote:
> > On Monday, July 20, 2015 11:09:39 AM Andrew Lutomirski wrote:
> >> On Jul 20, 2015 11:05 AM, "Florian Weimer" wrote:
> >> > O
On Tuesday, July 21, 2015 01:02:25 AM Reindl Harald wrote:
> On 20.07.2015 at 23:34, Steve Grubb wrote:
> > On Monday, July 20, 2015 12:45:28 PM Andrew Lutomirski wrote:
> >> On Mon, Jul 20, 2015 at 12:26 PM, Steve Grubb wrote:
> >>> The real problem with capabili
On Thu, 17 Sep 2015 11:07:37 +0300
Alexander Todorov wrote:
> Can somebody comment on the -fstack-protector-all vs
> -fstack-protector-strong issue ? Do we want to change the default for
> %__global_cflags in /usr/lib/rpm/redhat/macros ?
-all is not needed, -strong is the right balance between s
On Wed, 16 Sep 2015 19:24:02 +0300
Alexander Todorov wrote:
> Including fedora-devel on this topic.
>
> On 12.09.2015 at 08:48, Dominik 'Rathann' Mierzejewski wrote:
> >>>
> >>> Question is how to deal with these because they appear to be in
> >>> the hundreds ?
> >>
> >> How many, exactly? We h
On Thu, 17 Sep 2015 13:53:38 +0300
Alexander Todorov wrote:
> On 17.09.2015 at 13:34, Steve Grubb wrote:
> > On Thu, 17 Sep 2015 11:07:37 +0300
> > Alexander Todorov wrote:
> >
> >> Can somebody comment on the -fstack-protector-all vs
> >> -fstack-protec
On Sunday, November 02, 2014 06:15:05 PM Lennart Poettering wrote:
> On Fri, 31.10.14 10:04, Andrew Lutomirski (l...@mit.edu) wrote:
> > I filed an FPC ticket: https://fedorahosted.org/fpc/ticket/467
> >
> > Thoughts?
>
> I very much agree with this, but I'd really prefer if we'd list what
> is a
On Friday, June 5, 2020 5:42:36 AM EDT Vít Ondruch wrote:
> On 05. 06. 20 at 9:52, Kevin Kofler wrote:
>
> > Ben Cotton wrote:
> >
> >> == Summary ==
> >> Fedora has historically forced packages to build with GCC unless the
> >> upstream project for the package only supported Clang/LLVM. This
On Wednesday, July 1, 2020 4:47:51 PM EDT Sergio Belkin wrote:
> The line in the code is :
>
> if(upLogPerror) ::write(2,logbuf,n); \
>
> Regarding to " format not a string literal and no format arguments
> [-Werror=format-security]" message.
> Afaik instructions of kind printf(format,var1,var2,
Hello,
What is the best way to build an official Fedora kernel SRPM with KASAN=y?
TIA,
-Steve
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://d
On Monday, March 26, 2012 03:56:43 PM Chris Murphy wrote:
> Performance:
>
> dd if=/dev/zero ~56MB/s CPU < 10%
> dd if=/dev/urandom ~12MB/s CPU 99%
> haveged ~54MB/s CPU < 25%
>
>
> The dd relative values are consistent with kernels
On Monday, April 02, 2012 03:58:12 PM Richard W.M. Jones wrote:
> > * #834 F18 Feature: /tmp on tmpfs -
> >
> > http://fedoraproject.org/wiki/Features/tmp-on-tmpfs (mitr, 17:40:06)
> > * AGREED: tmp-on-tmpfs is accepted (+5 -3) (mitr, 18:12:52)
>
> Actually I think this is a good feature, bu
On Monday, February 10, 2014 11:05:38 AM Andrew Lutomirski wrote:
> On a default Fedora installation, every system call incurs a fair
> amount of overhead due to syscall auditing. This happens despite the
> fact that syscalls aren't actually audited, except as part of AVC
> denials.
>
> The overh
On Monday, February 10, 2014 12:10:27 PM Andrew Lutomirski wrote:
> On Mon, Feb 10, 2014 at 12:06 PM, Steve Grubb wrote:
> > On Monday, February 10, 2014 11:05:38 AM Andrew Lutomirski wrote:
> >> On a default Fedora installation, every system call incurs a fair
> >>
On Monday, February 10, 2014 12:41:08 PM Andrew Lutomirski wrote:
> >> There are, indeed, many ways for me to fix this on my machine. I'm
> >> suggesting that Fedora change the default so that no one
> >> experiences this overhead by default.
> >
> > There are 3 levels of audit performance de
On Friday, March 14, 2014 03:00:20 PM Matthew Garrett wrote:
> > I disagree with this assessment. The workstation is exactly where much of
> > these hardening needs to take place. I can't see an installation that
> > wouldn't benefit from this feature.
>
> If there's a default policy that would m
On Friday, March 14, 2014 06:53:42 PM Matthew Garrett wrote:
> On Fri, Mar 14, 2014 at 02:51:10PM -0400, Steve Grubb wrote:
> > On Friday, March 14, 2014 03:00:20 PM Matthew Garrett wrote:
> > > If there's a default policy that would make sense for most workstation
> >
Hello,
Not sure if this is bz worthy or just something to mention on a mail
list. I was doing some experimenting on creating SWID tags out of the
rpm database and noticed some inconsistencies. For example:
# rpm -q --queryformat '%{DISTRIBUTION}\n' bash
Fedora Project
# rpm -q --queryformat '%{DI
On Wed, 7 May 2014 19:02:57 +0400
Igor Gnatenko wrote:
> > Not sure if this is bz worthy or just something to mention on a mail
> > list. I was doing some experimenting on creating SWID tags out of
> > the rpm database and noticed some inconsistencies. For example:
> >
> > # rpm -q --queryformat '
On Wed, 7 May 2014 11:53:30 -0500
Dennis Gilmore wrote:
> > Not sure if this is bz worthy or just something to mention on a mail
> > list. I was doing some experimenting on creating SWID tags out of
> > the rpm database and noticed some inconsistencies. For example:
> >
> > # rpm -q --queryformat
On Monday, November 30, 2015 01:50:54 PM Russell Doty wrote:
> Is DNS by itself sufficient, or should we also address other network
> facing capabilities with security impact such as secure time?
The use case for the dnscache_test is to look for evidence of a system trying
to reach a known Comman
Hello,
Something started sending me emails about $SUBJECT. The email says this is due
to my preferences and gives a URL. Clicking on that URL leads to a page that
says, "Transaction expired, or cookies not available. Try to login again."
Logging in again leads to no useful page. It simply says
On Wednesday, December 16, 2015 11:44:54 AM Kevin Fenzi wrote:
> On Wed, 16 Dec 2015 10:19:50 -0500
>
> Steve Grubb wrote:
> > Hello,
> >
> > Something started sending me emails about $SUBJECT. The email says
> > this is due to my preferences and gives a URL. Cl
On Saturday, November 10, 2012 09:26:26 AM Richard W.M. Jones wrote:
> On Sat, Nov 10, 2012 at 02:33:53AM +0100, Kevin Kofler wrote:
> > Matthew Miller wrote:
> > > Apparently the new version of polkit brings in javascript. The js
> > > package
> > > is 6.5MB. I think anything that uses polkit will
On Monday, November 12, 2012 12:27:52 PM Dan Williams wrote:
> On Sat, 2012-11-10 at 02:33 +0100, Kevin Kofler wrote:
> > Matthew Miller wrote:
> > > Apparently the new version of polkit brings in javascript. The js
> > > package
> > > is 6.5MB. I think anything that uses polkit will depend on it -
On Monday, November 12, 2012 08:15:48 PM Miloslav Trmač wrote:
> On Mon, Nov 12, 2012 at 7:54 PM, Kevin Kofler wrote:
> > Jan Zelený wrote:
> >> Yes, that's the plan. But dnf is still Python. So if we really want to
> >> get Python out of minimal install, there is room for possible
> >> alternat
On Tuesday, November 13, 2012 12:50:11 PM Alek Paunov wrote:
> Hi Steve,
>
> On 12.11.2012 21:00, Steve Grubb wrote:
> > I think it's a bad idea to have too much flexibility for access control
> > systems. They have to be verifiable. If you have to comply with PCI-DSS or
>
On Tuesday, November 13, 2012 09:37:07 AM Steve Grubb wrote:
> For anything with name=value, we normally use the textfilecontent54, with which
> we can define a regex to pick out the items of interest. However, with a
> language, you have multiple ways of expressing the same idea. For example
On Tuesday, November 13, 2012 02:07:53 PM Matthias Clasen wrote:
> - Original Message -
>
> > So, talking about specific actions...
> >
> > I have recently had to search all existing polkit policies. This is
> > no longer possible to automate because various packages ship the
> > JavaScr
On Tuesday, November 13, 2012 04:41:12 PM Bill Nottingham wrote:
> Matthew Miller (mat...@fedoraproject.org) said:
> > On Mon, Nov 12, 2012 at 08:07:39PM -0800, Jesse Keating wrote:
> > > Yeah, that's a thing that probably could be done. But again I'd
> > > like some input from people who have mad
On Wednesday, November 14, 2012 08:07:25 AM tim.laurid...@gmail.com wrote:
> On Wed, Nov 14, 2012 at 6:53 AM, Ian Pilcher wrote:
> > On 11/13/2012 09:50 PM, Matthias Clasen wrote:
> > > Yes, this was a misunderstanding. What is still supported is the .policy
> >
> > files containing the default p
On Tuesday, November 13, 2012 04:55:50 PM Adam Williamson wrote:
> > So far everything works without, and I think we should endeavor to keep
> > that true.
>
> I think this is similar to the firewalld issue in that the basic theory
> here is that, look, NetworkManager is the way, the truth and the
On Thursday, July 11, 2013 10:33:05 AM Vivek Goyal wrote:
> Secondly, there are disagreements upstream w.r.t how locking down
> executable should happen. IMA folks want some functionality behind
> security hooks (as opposed to what I have done). So I am expecting
> that once patches do get merged u
On Friday, July 26, 2013 09:29:41 PM Eric Sandeen wrote:
> On 7/26/13 3:13 PM, Miloslav Trmač wrote:
> > A quick way to check whether your package is likely to be affected, is
> > to look for statfs() or statvfs() calls in C, or the equivalent in
> > your higher-level library / programming language
On Monday, July 29, 2013 01:41:12 PM Chris Murphy wrote:
> On Jul 29, 2013, at 1:05 PM, Steve Grubb wrote:
> > The audit system also cares about space available. We tell people to
> > create a partition specifically for auditing so that we can keep close
> > track on what&
Hi,
The 0.3.11 release of trousers has changed from the CPL license to the 3
clause BSD license.
-Steve
On Saturday, March 30, 2013 08:54:30 AM Dhiru Kholia wrote:
> On Fri, Mar 29, 2013 at 10:43 PM, Richard W.M. Jones wrote:
> > On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
> > > 1. Hardening flags should be turned on (by default) for all packages
> > > which are at comparatively m
On Wednesday, April 03, 2013 01:48:17 PM Miloslav Trmač wrote:
> On Tue, Apr 2, 2013 at 9:57 PM, Steve Grubb wrote:
> > On Saturday, March 30, 2013 08:54:30 AM Dhiru Kholia wrote:
> > > "_hardened_build" rpm spec macro can be used to harden a package.
> > >
On Wednesday, April 03, 2013 09:05:18 PM Josh Bressers wrote:
> On Wed, Apr 3, 2013 at 2:05 PM, Steve Grubb wrote:
> > On Wednesday, April 03, 2013 01:48:17 PM Miloslav Trmač wrote:
> > > On Tue, Apr 2, 2013 at 9:57 PM, Steve Grubb wrote:
> > > > On Saturday, Ma
On Wednesday, April 10, 2013 03:55:46 PM Miloslav Trmač wrote:
> Hello all,
> the discussion has somewhat died down... If you have a specific proposal
> for a change in policy, please add it to
> https://fedorahosted.org/fesco/ticket/1104 ; hard data that demonstrate the
> impact, if any, in a sit
On Friday, April 12, 2013 06:44:33 AM Josh Bressers wrote:
> On Thu, Apr 11, 2013 at 12:54 PM, Reindl Harald wrote:
> > which is exactly the goal ASLR is designed for
>
> It's designed to make certain types of attacks more difficult. It
> doesn't make them impossible, just much harder.
>
> Here
On Saturday, April 13, 2013 12:19:42 PM Rahul Sundaram wrote:
> On Sat, Apr 13, 2013 at 11:33 AM, Steve Grubb wrote:
> > I don't think there is any need to extend the set of packages that
> > _should_
> > get hardening. The current guidelines are sufficient. What is no
On Saturday, April 13, 2013 08:44:44 PM Richard W.M. Jones wrote:
> On Sat, Apr 13, 2013 at 08:36:53PM +0200, Kevin Kofler wrote:
> > Richard W.M. Jones wrote:
> > > (1) -fstack-protector{,-all} doesn't implement full bounds checking
> > > for every C object.
> >
> > But it prevents (with probabil
On Saturday, April 13, 2013 12:28:04 PM Jerry James wrote:
> > I have not run the script that checks a distribution on F19 yet, so maybe
> > there are more?
> >
> > http://people.redhat.com/sgrubb/files/rpm-chksec
>
> That script reports all .o files (yes, those are sometimes packaged)
> as "exec
On Saturday, April 13, 2013 08:36:53 PM Kevin Kofler wrote:
> > (1) -fstack-protector{,-all} doesn't implement full bounds checking
> > for every C object.
>
> But it prevents (with probability (256^n-1)/256^n, where n is the size of
> the canary in bytes, which for n=4 is approximately .
On Monday, April 15, 2013 09:12:57 AM Richard W.M. Jones wrote:
> which I interpret to mean that after using -fstack-protector-all and
> removing prelink, SELinux would become obsolete because no executable
> can be exploited.
I would say there is a place for SE Linux even if we compiled everythin
Hello,
Every now and then I look at the distribution to see that from an auditing
perspective the OS is nicely behaving in the absence of intrusion. Meaning we
are not getting audit events unnecessarily. One of the typical rules required
by the DISA STIG is to watch for file access being denied
On Friday, June 07, 2013 05:14:30 PM Lennart Poettering wrote:
> On Fri, 07.06.13 09:50, Steve Grubb (sgr...@redhat.com) wrote:
> > Let's look at one of these pulse-shm events:
> > # ausearch --start today -k access -f pulse-shm -i --just-one
> >
> > type=PATH m
On Friday, June 07, 2013 05:48:39 PM Lennart Poettering wrote:
> On Fri, 07.06.13 11:44, Steve Grubb (sgr...@redhat.com) wrote:
> > 88 times? Something changed. It didn't use to be this bad. It's doing this
> > over and over on the same file it was denied access on previousl
On Friday, June 07, 2013 06:21:00 PM Lennart Poettering wrote:
> On Fri, 07.06.13 12:09, Steve Grubb (sgr...@redhat.com) wrote:
> > > > > POSIX shared memory doesn't define any useful scheme for automatic
> > > > > removing of shared memory segments from /
On Friday, June 07, 2013 07:29:56 PM Matthew Garrett wrote:
> On Fri, Jun 07, 2013 at 02:02:14PM -0400, Simo Sorce wrote:
> > The point is that we are simply throwing ideas off the wall as an aid in
> > finding a way to solve the issue for all.
>
> So why not add a mechanism to permit applications
On Friday, June 07, 2013 08:42:09 PM Matthew Garrett wrote:
> On Fri, Jun 07, 2013 at 03:35:28PM -0400, Steve Grubb wrote:
> > So far, the discussion has focused on pulseaudio. But what about the
> > O_NOATIME issue?
>
> Without further analysis, it doesn't tell us m
On Friday, June 07, 2013 05:02:41 PM Colin Walters wrote:
> On Fri, 2013-06-07 at 22:14 +0200, Miloslav Trmač wrote:
> > On Fri, Jun 7, 2013 at 10:05 PM, Colin Walters wrote:
> > > On Fri, 2013-06-07 at 20:42 +0100, Matthew Garrett wrote:
> > >> Without further analysis, it doesn't tell us much. D
On Saturday, June 08, 2013 06:33:11 AM Matthew Garrett wrote:
> On Fri, Jun 07, 2013 at 07:03:24PM -0600, Stephen John Smoogen wrote:
> > On 7 June 2013 12:29, Matthew Garrett wrote:
> > > So why not add a mechanism to permit applications to indicate that
> > > certain accesses they make should be
On Saturday, June 08, 2013 06:36:38 AM Matthew Garrett wrote:
> On Fri, Jun 07, 2013 at 05:24:30PM -0400, Steve Grubb wrote:
> > Hmm...sounds like kernel change. But in the meantime, most of the
> > offenders I see seem to have something to do with loading icons
>
> Sounds l
On Saturday, June 08, 2013 09:34:22 AM Steve Grubb wrote:
> Does opening with noatime really make a measurable difference (assuming it
> worked)? I suspect not since what we have now is 2 syscalls. It would
> probably be faster to load icons without trying to set NOATIME.
Answeri
On Saturday, June 08, 2013 09:57:03 AM Doug Ledford wrote:
> Bad test. The first run took the hit for getting the file info into
> page cache, after that, everything was run from cache and you got the
> second result above and the results below. You have to make sure that
> from run to run the ca
On Saturday, June 08, 2013 10:13:45 AM Doug Ledford wrote:
> Yes, but none of these results show the .12s time that your first
> noatime test run showed in your original post. If you are now saying
> that atime is faster than noatime by about .005 to .010s, then these
> results seem to show that.
On Sunday, June 09, 2013 05:56:42 AM Matthew Garrett wrote:
> On Sat, Jun 08, 2013 at 08:28:48PM -0400, Doug Ledford wrote:
> > On 06/08/2013 02:35 PM, Adam Williamson wrote:
> > > Well, you're defining something as 'bad behaviour' fairly arbitrarily -
> > > or at least controversially: not everyon
Hello,
I am going to retire the Prelude Intrusion Detection System in F20. Upstream
has been dead for over 3 years. The only packages that I know that link
against it are pads, audit, and suricata. I own all 3 of those packages, so
this should mostly be a FYI for everyone here.
-Steve
Hi,
Did anyone notice all the i686 packages that get pulled in if you try to
upgrade from F18? My system has no i686 packages on it today. But
when I try to upgrade it starts getting i686 dependencies pulled in. It
starts like this:
---> Package mesa-libEGL.x86_64 0:9.2-0.7.20130528.fc18 will b
On Saturday, June 29, 2013 06:15:49 PM Michael Schwendt wrote:
> On Sat, 29 Jun 2013 10:34:09 -0400, Steve Grubb wrote:
> > Did anyone notice all the i686 packages that get pulled in if you try to
> > upgrade from F18? My system has no i686 packages on it today. But
> > whe
On Wednesday, December 12, 2012 01:00:36 AM Paulo César Pereira de Andrade wrote:
> > A while back I ran my static checker on all of the Python extension
> >
> > modules in Fedora 17:
> > http://fedoraproject.org/wiki/Features/StaticAnalysisOfPythonRefcounts
> >
> > I wrote various scripts to bu
On Friday, February 01, 2013 04:39:17 PM Bill Nottingham wrote:
> Given FIPS paranoia about RNG sources, does this have knock-on effects in
> the FIPS compliance of guests depending on how it's fed in the host?
There is no FIPS problem here. It's more of a common criteria issue. But here
is a litt
Hello,
Yesterday I built a security update for the suricata package, 3.2.1-1:
https://koji.fedoraproject.org/koji/packageinfo?packageID=10021
Any time I try to create the bodhi new release, it finds an older build, 3.2-1.
Typing the version in causes it to say it can't find any package that mat