Fedora Weekly News Issue 116

Thomas Chung tchung at fedoraproject.org
Mon Jan 21 08:58:29 UTC 2008

= Fedora Weekly News Issue 116 =

Welcome to Fedora Weekly News Issue 116 for the week of January 14th

In Announcement, we have "Cast your vote for the Fedora 9 Codename!"

In Planet Fedora, we have "Looking for a few good hackers!", "Fire in
the Attic, Proof of the Prize", and "PackageKit Interview"

To join or give us your feedback, please visit

   1. Announcements
         1. Cast your vote for the Fedora 9 Codename!
   2. Planet Fedora
         1. Looking for a few good hackers!
         2. Fire in the Attic, Proof of the Prize
         3. PackageKit Interview
   3. Marketing
         1. Red Hat at the crossroads
         2. Video: Alan Cox on community and the enterprise
         3. Fedora 9 and KDE 4.0.0 in distrowatch article
   4. Developments
         1. OpenVPN And NetworkManager
         2. What To Do About Bugs?
         3. Displaying Application Icons In PackageKit
         4. AVC:Denied {trolling} For PID=666 Comm={SELinuxRemove}
         5. System-config-firewall Changes For Fedora 9
         6. Fedora 9 CD ISOs
   5. Documentation
         1. Status of FOP Support in xmlto
         2. Progress on the DUG and AG
   6. Infrastructure
         1. Something up with the bzr browsing in trac
         2. Continuing issues with xen1
   7. Security Week
         1. X Update
         2. More Vulnerability Reporting
         3. Embedded library madness
   8. Security Advisories
         1. Fedora 8 Security Advisories
         2. Fedora 7 Security Advisories
   9. Events and Meetings
         1. Fedora Board Meeting Minutes 2008-01-13
         2. Fedora Ambassadors Meeting 2008-01-17
         3. Fedora Documentation Steering Committee 2008-MM-DD
         4. Fedora Engineering Steering Committee Meeting 2008-MM-DD
         5. Fedora Infrastructure Meeting (Log) 2008-01-17
         6. Fedora Release Engineering Meeting 2008-01-14
         7. Fedora SIG EPEL Meeting Week 03/2008
         8. Fedora SIG KDE Meeting Week 03/2008
         9. Fedora SIG Store Meeting (Log) 2008-01-16

== Announcements ==

In this section, we cover announcements from Fedora Project.

In this issue, we've included all new announcements since last issue.


Contributing Writer: ThomasChung

=== Cast your vote for the Fedora 9 Codename! ===

JoshBoyer announces in fedora-announce-list[1],

"We have several options for the Fedora 9 codename, and you get to help
decide which we use!"

"Voting will end and be tallied at 2008-01-24 23:59:59 UTC"

[1] https://www.redhat.com/archives/fedora-announce-list/2008-January/msg00005.html

== Planet Fedora ==

In this section, we cover a highlight of Planet Fedora - an
aggregation of blogs from world wide Fedora contributors.


Contributing Writers: ThomasChung

=== Looking for a few good hackers! ===

JesseKeating points out in his blog[1],

"Are you looking for that awesome summer job? Tired of spending your
summer listening to your grandma's stories over and over again?
Looking for a challenge, a resume builder, a real world experience, a
chance to try out those flame proof undies? Well do we have something
that might interest you!"

[1] http://jkeating.livejournal.com/52337.html

=== Fire in the Attic, Proof of the Prize ===

JackAboutboul points out in his blog[1],

"That's right! AOL might no longer be the laughing stock of everyone
who has owned a computer since the 80's. Seriously though, AOL has the
potential to be the world's largest identity providers. They have over
63 Million user accounts and have been working on implementing OpenID"

"Now in case that wasn't exciting enough for you, the bombshell came
this morning. AIM is going Jabber! I was absolutely delighted when I
read this. AOL is making positive steps to finally move on and up from
their decade long commitment to being as proprietary as possible and
pissing off numerous people to actually opening up, embracing the age
of open standards and trying to regain some mind share and build

[1] http://feeds.feedburner.com/~r/MadRhetoric/~3/218930583/fire-in-attic-proof-of-prize.html

=== PackageKit Interview ===

JonRoberts points out in his blog[1],

"Woah, it's the 18th of January 2008 - Fedora 9 Alpha is not even out
yet but the first developer interview of the new year is! Thanks to
Robin Norwood and Richard Hughes for giving me some of their time to
talk about PackageKit, the super-cool cross-distribution package
management solution that is already making things suck-less."

[1] http://blog.questionsplease.org/2008/01/18/packagekit-interview/

== Marketing ==

In this section, we cover Fedora Marketing Project.


Contributing Writer: ThomasChung

=== Red Hat at the crossroads ===

RahulSundaram reports in fedora-marketing-list[1],

"Red Hat has managed to walk the line between corporate ambition and
community ethics, resisting the temptation to compromise in deals with
Microsoft and others, and has endeavored to remain honest and true to
its community roots, which it has maintained through its dependence on
the Fedora community."

[1] https://www.redhat.com/archives/fedora-marketing-list/2008-January/msg00132.html

=== Video: Alan Cox on community and the enterprise ===

RahulSundaram reports in fedora-marketing-list[1],

"Interesting and concise descriptions of a lot of things. Alan Cox on his
involvement in the Linux kernel, working for Red Hat, the value of
enterprises, subscription model, staying true to Free software, birth of
Fedora and even more."

[1] https://www.redhat.com/archives/fedora-marketing-list/2008-January/msg00118.html

=== Fedora 9 and KDE 4.0.0 in distrowatch article ===

SebastianVahl reports in fedora-marketing-list[1],

"The Fedora distribution has traditionally been focusing on GNOME as its
preferred desktop environments, but with the increasing community
participation in the project, perhaps we shouldn't be surprised that KDE
4.0.0 is now included in "rawhide" (Fedora's development branch). Not only
that, it also appears to be the default KDE (KDE 3.5.8 is present as well,
but these packages have been renamed to kdebase3, kdelibs3, etc.). Moreover,
the Fedora community has released an installable Fedora live CD containing a
base system from the latest rawhide + KDE 4.0.0 - a good way to evaluate the
progress Fedora has made since the release of version 8. The live CD is
available for download from here: rawhide-KDE4-i686-20080109.4.iso (694MB,

[1] https://www.redhat.com/archives/fedora-marketing-list/2008-January/msg00117.html


== Developments ==

In this section, we cover the problems/solutions, people/personalities, and
ups/downs of the endless discussions on Fedora Developments.


Contributing Writer: OisinFeeley

=== OpenVPN And NetworkManager ===

A need to control individual VPN connections led JosVos to post[1]
that Fedora's OpenVPN package currently stops and starts all VPN
interfaces simultaneously using a single init script.  Jos pointed out
that the classic Red Hat way was to support interfaces with
ifup/ifdown scripts, that there had been some groundwork done in 2004
towards this end, and he wondered if there was general interest in
including such methods in Fedora. Although AndrewParker expressed
interest in extending NetworkManager's functionality to include both
this and the (un)mounting of network shares, Jos was clear[2] that his
interests excluded NetworkManager and were modestly focused on
individual VPN connection control.

[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01165.html

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01174.html

RalfErtzinger posted[3] a link to an rpm package of scripts which he
had written[4] to do some of these things on Rawhide and CentOS5.

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01194.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01225.html

Strong agreement that the ability to individually control VPN
interfaces should be part of the OpenVPN package was expressed[5] by
DavidWoodhouse. David added that this functionality should have been a
condition of the initial review of the package. StevenPritchard
explained[6] that at the time of the review it had appeared that
NetworkManager was "going to take over the world" and thus ifup/ifdown
had been neglected. It was observed[7] by DavidHollis that
NetworkManager-openvpn seemed to be stagnating and lacked support for
"tls-auth/tls-remote" among other options. DanWilliams responded[8]
that the proliferation of OpenVPN options meant that adding GUI
dialogs for all of them was impractical.  He suggested that perhaps
allowing custom-option-entries which could later be over-ridden if the
same option were added to the GUI might solve the problem, but worried
that opening up too much would present a security risk: "About the
last thing we want to be doing is executing a root process with random
arguments entered by some trojan that stuffed values into GConf."
DavidHollis expanded[9] on the problems faced by OpenVPN
administrators due to the inability of NetworkManager-openvpn to
import a boilerplate configuration file.

[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01279.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01342.html

[7] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01346.html

[8] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01354.html
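
The risk DanWilliams describes above (a root process started with arguments taken from a settings store that any user-level program can write) is commonly handled by allowlisting options and validating every value before the command line is built. The following is an added example, not NetworkManager-openvpn code; the function names, the binary path, the key directory and the sample settings are assumptions made for illustration.

```python
import ipaddress
import posixpath
import re

OPENVPN = "/usr/sbin/openvpn"   # assumed install path
KEY_DIR = "/etc/openvpn/"       # assumed root-owned directory for key files

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOST_RE = re.compile(_LABEL + r"(\." + _LABEL + r")*")
_NAME_RE = re.compile(r"[A-Za-z0-9 _.,=/@-]{1,128}")


def _is_host(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and _HOST_RE.fullmatch(value) is not None


def _is_port(value):
    return re.fullmatch(r"[0-9]{1,5}", value) is not None and 1 <= int(value) <= 65535


def _is_proto(value):
    return value in {"udp", "tcp", "tcp-client"}


def _is_key_path(value):
    # Must already be normalised (no "..", "//", trailing "/") and sit under KEY_DIR.
    return posixpath.normpath(value) == value and value.startswith(KEY_DIR)


def _is_name(value):
    return _NAME_RE.fullmatch(value) is not None


# Only options listed here ever reach the root process. Options that make
# openvpn run external code (--up, --down, --plugin, ...) are simply absent.
ALLOWED = {
    "remote": _is_host,
    "port": _is_port,
    "proto": _is_proto,
    "tls-auth": _is_key_path,
    "tls-remote": _is_name,
}


def rejected_options(settings):
    """Return the sorted keys of settings that must not be passed on."""
    bad = []
    for key, value in settings.items():
        check = ALLOWED.get(key)
        ok = (check is not None
              and isinstance(value, str)
              # A value starting with "-" must never be mistaken for an option.
              and not value.startswith("-")
              and check(value))
        if not ok:
            bad.append(key)
    return sorted(bad)


def build_argv(settings):
    """Fail closed: one bad entry means the root process is not started."""
    bad = rejected_options(settings)
    if bad:
        raise ValueError("refusing to start openvpn; rejected: " + ", ".join(bad))
    argv = [OPENVPN, "--client"]
    for key in sorted(settings):
        argv += ["--" + key, settings[key]]   # list argv, never a shell string
    return argv


# Constructed sample settings, as they might be read from a per-user store.
SAMPLE_GOOD = {
    "remote": "vpn.example.org",
    "port": "1194",
    "proto": "udp",
    "tls-auth": "/etc/openvpn/ta.key",
    "tls-remote": "vpn.example.org",
}
# Constructed tampered copy: an unlisted option and two malformed values.
SAMPLE_TAMPERED = dict(SAMPLE_GOOD, **{
    "up": "/tmp/x.sh",
    "port": "1194 --script-security 2",
    "tls-remote": "--plugin",
})

if __name__ == "__main__":
    print(build_argv(SAMPLE_GOOD))
    print(rejected_options(SAMPLE_TAMPERED))
```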

JosVos wrapped[9] things up with the promise to make a proposal based
on the information he had been given, but it should be noted that this
seems likely to be exclusive of NetworkManager functionality.

[9] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01349.html

=== What To Do About Bugs? ===

An interesting thread was opened[1] by JesseKeating when he posted a
link to a blog entry detailing frustrations with Ubuntu's bug handling

[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01870.html

Many good points were made, both by maintainers describing the
problems they face, an excellent example of which was KevinKofler's
description[2] of the KDE workload, and by those who have been
frustrated by the manner in which their bugs have been handled.

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01914.html

Of particular note was the discussion[3] of bugs closed as "UPSTREAM"
which saw some maintainers such as SethVidal state[4] that they would
only do this if they had a fix already checked into the upstream
codebase. MatejCepl made[5] a great post which linked to the actual
description of what the "upstream" tag is supposed to mean and promote
yet cautioned that bug reporters should be treated "as
our most valuable asset".

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01900.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01901.html

[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01926.html

The whole thread gives a frank and useful insight into some of the
processes which swing into motion once Fedora users summon up the
willpower to grapple with Bugzilla.

=== Displaying Application Icons In PackageKit ===

The buzz of excitement around PackageKit (e.g. JonathanRoberts'
interview[1] of RichardHughes and RobinNorwood) stimulated a
proposal[2] from JakubRusinek (livio) to replace the generic package
icon with the specific icons for each application.

[1] http://lwn.net/Articles/265748/

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01840.html

BillNottingham pointed out[3] that this would bloat the repositories
and increase the download times for users. Jakub suggested[5] that the
hicolor-icon-theme could supply the missing icons and thus avoid users
having to download all icons for all packages but Bill thought[6] that
"updating the hicolor-icon-theme package every time we add a new app
to Fedora, or any time such an app changes its icon, is somewhere
beyond impractical."

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01843.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01847.html

[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01847.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01849.html

A nice summary of the situation was made[7] by JefSpaleta which
suggested that if icon names could be included in the repodata then
when they were present on the system they could be displayed,
otherwise they would use a generic icon.  Jef wondered if it was worth
all the trouble though.

[7] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01854.html

After Jakub explained that he thought his proposal would improve
usability, making PackageKit similar to Ubuntu's "gnome-app-install",
RobinNorwood agreed[8] with Jakub that there would be some value in
providing application specific icons, but pointed out that the current
use of the icons was to indicate whether the package is installed on
the system.  He added that to implement Jakub's proposal was
non-trivial and required adding an icon field to the package metadata.
RichardHughes agreed and invited[9] Jakub to discuss things further on
the PackageKit mailing list. MartinSourada added[10] encouragement
that the scheme outlined by Jef could be implemented.  Jakub seemed
somewhat discouraged and cautioned[11] that he was not a programmer,
but KevinKofler responded[12] that the feedback should not be taken

[8] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01862.html

[9] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01867.html

[10] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01879.html

[11] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01887.html

[12] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01865.html

=== AVC:Denied {trolling} For PID=666 Comm={SELinuxRemove} ===

A call for the removal of SELinux from the Desktop LiveCD spin was
made[1] by ValentTurkovic. Valent argued that SELinux was useful for
servers but that it was a net disadvantage to "ordinary desktop
users". Initial answers took the question at face value, but later
contributions from Valent appeared to be of a slightly goading nature,
suggesting variously that Ubuntu LTS[1a] or SLED[1b] would be better
than Fedora, so perhaps the thread should be read with skepticism.

[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01573.html

[1a] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01710.html

[1b] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01722.html

DanielBerrange listed[2] the confined system daemons on his laptop as
examples of how SELinux helped "desktops".  StevenSmalley added[3] the
interesting information that "XACE/XSELinux has been merged to the
trunk of xorg", which will allow yet more desktop applications to be
confined. Valent commented that Daniel (and others) could always
choose to use SELinux, but asked for specific examples of the benefits
conferred. Daniel cited[4] the ''hplip'' arbitrary root execution in

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01583.html

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01580.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01583.html

Valent was still not buying the benefits of SELinux for "average home
users" and now counterposed "corporate desktop" users and "fedora [as]
a testing ground for redhat corporate desktop"[5]. Responses from
GilboaDavra, AndrewFarris and others emphasized that it was necessary
to develop protections against viruses now, but Valent doubted[6] the
existence of viruses targeted towards GNU/Linux and suggested that
SELinux should be developed and tested for five years before being
rolled out. Gilboa responded[7] pretty comprehensively to this, listing
the network-facing services exposed on many desktops and privilege
escalation possibilities as broad categories in which security must
[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01585.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01708.html

[7] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01731.html

The discussion went fairly rapidly downhill with Valent citing[8] some
''grsecurity'' propaganda that SELinux is actually a potential
"backdoor waiting to happen". This was debunked[9] by BenjaminKreuter
and KarstenWade[10] who wondered ''In the "fantasy football" of NSA v.
grsecurity team, I wonder who wins?'' A further claim from Valent
that[10a] the interaction of Fluendo codecs and SELinux had been
untested was hotly contested[10b] by BastienNocera who cited the
evidence of the timestamp of the upstream bug filed with Fluendo and
asked Valent to "Please stop lying."

[8] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01724.html

[9] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01727.html

[10] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01784.html

[10a] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01593.html

[10b] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01620.html

RichiPlana noted[11] both the problems Valent had highlighted with
Fluendo gstreamer codecs (see FWN#107 "Fluendo Codecs Violate SELinux
Policies" [12]) and also the necessity for SELinux being used now. He
praised DanWalsh and others for sorting out bugs as they appear.

[11] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01633.html

[12] http://fedoraproject.org/wiki/FWN/Issue107#head-29d30b0ee5257a4fb5fe0f9d1ae760d75b7d7aec

There were some interesting asides in the thread, such as JefSpaleta
and KeithSharp's speculation[13] that internet cafes and other
environments with transitory/untrustable users would make use of
virtualization to clone fresh VM instances to each new user. This was
in response to the suggestion that UbuntuLTS would be superior in such
a setting.

[13] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01811.html

Yet more nuggets of information lurked beneath the surface.  DanWalsh
suggested[14] that Valent could use {{{su -c 'setsebool -P
allow_execmod=1'}}} to disable "checking for badly coded shared
libraries". This led to an interesting exchange with OlivierGalibert
who was searching for documentation of the policy types, something
which DavidMalcolm also wondered.  Dan posted[15] some snippets from
''/usr/share/selinux/policy.xml'' which he admitted were not yet in a
manpage. Olivier was also disturbed that programs with dynamic code
generators (as listed[16] by Dan) were all being denied by default and
needed[17] to be explicitly added to the list supplied by Dan.

[14] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01736.html

[15] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01824.html

[16] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01868.html

[17] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01872.html

Later exchanges seemed to cover the same ground in different ways with
various Fedora and Red Hat coders asking[18] for more specific
objections or suggestions and explaining[19] the nature of the
threat[20] which SELinux helps to mitigate and asking[21] that bug
reports be filed so that DanWalsh can fix them.

[18] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01588.html

[19] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01752.html

[20] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01754.html

[21] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01600.html

Final words in the thread were left to DouglasMcClendon who managed to
bring in Bush, Waterboarding, Evolution and other stuff in apparently
some sort of argument about why SELinux should not be enabled on all
spins. This link[22] marks the point at which those who value their
time should stop reading.

[22] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01636.html

=== System-config-firewall Changes For Fedora 9 ===

An announcement[1] by ThomasWoerner of changes in
''system-config-firewall'' advised that the ''--port=<port>:<proto>''
option in ''lokkit'' will no longer automatically start a service
behind the opened port.  Instead it will be necessary to use the new
''--service=<name>'' option. For new firewall configurations the
defaults will be that on a server ''ssh'' is enabled and on a desktop
''ipsec'', ''mdns'' and ''ipp'' are enabled.

[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01563.html

BastienNocera doubted[2] that IPSec and IPP had much place in a
desktop environment. AdamTkac agreed and added that ''mdns'' seemed
questionable.  TimNiemueller made the case[3] for IPP (a desktop
machine sharing a printer) and for mDNS (DNS-SD is used by Avahi for
service discovery such as fileshares, VNC and printers). JonStanley
argued[4] that IPSec was necessary by default for VPN clients unless
system-config-firewall made altering the firewall simple.
CallumLerwick added[5] in response to AdamTkac that IPSec was a
distinct protocol on top of IP and thus a stateful firewall would not

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01621.html

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01732.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01741.html

[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01745.html

=== Fedora 9 CD ISOs ===

MikeMcGrath forwarded[1] a query from a user that needed Fedora on CD
ISOs as his server lacked a DVD drive. SubhodipBiswas agreed[2] that
this was an issue leading to many Fedora users sticking to older

[1] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01434.html

[2] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01435.html

JesseKeating was able to answer[3] positively that the alpha compose
would generate "split media", which seemed to mean CD ISOs, and also
DVD ISOs. ChrisLumens was glad[4] to see that his hard work was still

[3] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01436.html

[4] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01439.html

RalfCorsepius wondered[5] whether there would be a split "Everything"
as the Fedora ISOs did not cover the upgrade case for machines which
had packages not present on the ISOs. Although Jesse responded
negatively to this, Ralf was delighted with JohnReiser's information[6]
that the FedoraUnity project had indeed produced such a spin (and
within four days of the official release too!). Ralf asked[7] whether
FedoraUnity provided the equivalent of a Fedora ''boot.iso''
configured to do a network update from a server with "Everything +
updates" and both JohnCiesla[8] and JesseKeating suggested[9] using
the ''rescue.iso'' for this purpose.

[5] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01523.html

[6] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01537.html

[7] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01538.html

[8] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01543.html

[9] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01545.html

USB sticks were[10] on BennyAmorsen's mind as a useful medium and when
RahulSundaram suggested {{{yum install livecd-tools;
livecd-iso-to-disk <isofile> <devicename>}}} Benny clarified that he
did not want a LiveCD but "the real release". Rahul responded[11] that
LiveCDs were "real" and that regular installable images were difficult
to convert to bootable USB images. In response to JohnReiser's request
Rahul clarified[12] that the <devicename> was meant to be a DOS-style

[10] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01462.html

[11] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01479.html

[12] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01472.html

Some experiments to attempt to write the installation image to a USB
disk were performed[13] by TillMaas, apparently with some success[14].

[13] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01499.html

[14] https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01504.html

== Documentation ==

In this section, we cover the Fedora Documentation Project.


Contributing Writer: JohnBabich

=== Status of FOP Support in xmlto ===

KarstenWade noted that the rawhide version of xmlto now supports
FOP[1]. This is a long-awaited and important step towards a completely
unencumbered documentation tool chain.

[1] http://www.redhat.com/archives/fedora-docs-list/2008-January/msg00142.html

=== Progress on the DUG and AG ===

A meeting was held on Saturday, 19 January at 1400 UTC to discuss
progress on the Fedora Desktop User Guide (DUG) and the Administration
Guide (AG). The goal is to finish both guides for inclusion in the
final release of Fedora 9.

The following is a summary of the meeting's main points:

- The GNOME section of the DUG is almost complete, except for some
minor editing.

- The KDE section of the DUG is fairly complete, but still needs
review to take into account any changes introduced by KDE4.

- The section covering Xfce should be completed for this version of
the DUG, since an official Xfce Live CD is planned for Fedora 9.

- The location of the AG for conversion to DocBook XML is
http://fedoraproject.org/wiki/Docs/Drafts/AGBeta. However, listed
pages are still edited in their original location at

- A core group of 3-4 people have committed to early March completion
of the AG. As always, "more hands on deck are more than welcome"[2],
according to VladimirKosovac.

[2] http://www.redhat.com/archives/fedora-docs-list/2008-January/msg00152.html

== Infrastructure ==

In this section, we cover the Fedora Infrastructure Project.


Contributing Writer:  HuzaifaSidhpurwala

=== Something up with the bzr browsing in trac ===

SethVidal reports [1],

There was a problem with https://fedorahosted.org/preupgrade/browser
and it kept giving a "no code to browse" error message. It later turned
out to be a configuration problem, which was fixed.

[1] https://www.redhat.com/archives/fedora-infrastructure-list/2008-January/msg00078.html

=== Continuing issues with xen1 ===

MikeMcGrath reports [2],

As with last week's issue with xen1, there has been a similar issue with
xen2. xen2 was recently upgraded to RHEL5, but is now running FC6 as
far as the kernel and the xen libs are concerned. The xen machines are
not running F8 mainly because Fedora 8 is ill-suited to this
particular task which, in reality, is just an appliance/abstraction
between our hosts and the hardware.

[2] https://www.redhat.com/archives/fedora-infrastructure-list/2008-January/msg00088.html

== Security Week ==

In this section, we highlight the security stories from the week in Fedora.

Contributing Writer: JoshBressers

=== X Update ===

New versions of X.org were released this week.


The tricky thing with X.org is that it has to run as root, so it gives
a local attacker the potential to compromise the machine.

=== More Vulnerability Reporting ===

A report was made public last week that once again compares the number
of flaws fixed in various things.  I think Mark Cox and Window Snyder
summed things up pretty well regarding those reports:



At this point any intelligent reader should notice that these reports
need to be taken with a grain of salt, and the real story isn't what's
reported, but what one can learn from the data.

=== Embedded library madness ===

Right now there has been a bit of news from a company named Palamida.
They like to point out all the things that contain embedded copies of
various open source projects.


Before 2002 this was a fairly common occurrence within a number of
open source projects, until there were a number of zlib flaws.  This
made most projects rethink keeping their own local copies of the source
and use the system copy instead.  This ties in nicely with the above
mentioned vulnerability report.  More vulnerabilities doesn't always
mean less secure.
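
Finding such embedded copies is something a distribution or a reviewer can automate. The following is an added example, not a Fedora or Palamida tool: it walks a source tree, treats any header that defines `ZLIB_VERSION` as a bundled zlib (a heuristic, since only zlib's own header defines that macro), and compares the bundled version with the system one. The directory layout, file names and version numbers in the sample tree are constructed.

```python
import os
import re
import tempfile

# zlib's public header carries:  #define ZLIB_VERSION "x.y.z"
VERSION_RE = re.compile(
    rb'^\s*#\s*define\s+ZLIB_VERSION\s+"([0-9][0-9A-Za-z.\-]*)"', re.M)
HEADER_SUFFIXES = (".h", ".hh", ".hpp")


def version_key(version):
    """'1.2.3.4' -> (1, 2, 3, 4); non-numeric suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_bundled_zlib(root, system_version):
    """Return one record per header under root that looks like a zlib copy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            if not name.lower().endswith(HEADER_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as handle:
                    head = handle.read(65536)   # the macro sits near the top
            except OSError:
                continue                     # unreadable file: skip, keep scanning
            match = VERSION_RE.search(head)
            if match is None:
                continue
            version = match.group(1).decode("ascii")
            findings.append({
                # Matching on content rather than file name catches renamed copies.
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "version": version,
                "older_than_system":
                    version_key(version) < version_key(system_version),
            })
    return findings


def demo_scan():
    """Build a constructed source tree in a temp dir and scan it."""
    sample = {
        "app_a/vendor/zlib/zlib.h":
            b'/* constructed sample */\n#define ZLIB_VERSION "1.1.3"\n',
        "app_b/src/myz.h":                   # renamed copy of the header
            b'#  define ZLIB_VERSION "1.2.3"\n',
        "app_b/src/util.h":                  # unrelated header, must not match
            b'#define UTIL_VERSION "9.9"\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(content)
        # "1.2.3" stands in for the version of the system zlib package.
        return find_bundled_zlib(root, "1.2.3")


if __name__ == "__main__":
    for item in demo_scan():
        print(item)
```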

== Security Advisories ==

In this section, we cover Security Advisories from fedora-package-announce.


Contributing Writer: ThomasChung

=== Fedora 8 Security Advisories ===

 * moodle-1.8.4-1.fc8
 * python-paramiko-1.7.1-3.fc8
 * xine-lib-
 * syslog-ng-2.0.7-1.fc8
 * e2fsprogs-1.40.2-12.fc8

=== Fedora 7 Security Advisories ===

 * moodle-1.8.4-1.fc7
 * python-paramiko-1.7.1-3.fc7
 * syslog-ng-2.0.7-1.fc7
 * e2fsprogs-1.40.2-3.fc7
 * cairo-1.4.14-1.fc7

== Events and Meetings ==

In this section, we cover event reports and meeting summaries from
various Projects and SIGs.

Contributing Writer: ThomasChung

=== Fedora Board Meeting Minutes 2008-01-13 ===

 * https://www.redhat.com/archives/fedora-advisory-board/2008-January/msg00175.html

=== Fedora Ambassadors Meeting 2008-01-17 ===

 * https://www.redhat.com/archives/fedora-ambassadors-list/2008-January/msg00154.html
 * https://www.redhat.com/archives/fedora-ambassadors-list/2008-January/msg00145.html

=== Fedora Documentation Steering Committee 2008-MM-DD ===

 * No Report

=== Fedora Engineering Steering Committee Meeting 2008-MM-DD ===

 * No Report

=== Fedora Infrastructure Meeting (Log) 2008-01-17 ===

 * https://www.redhat.com/archives/fedora-infrastructure-list/2008-January/msg00076.html

=== Fedora Release Engineering Meeting 2008-01-14 ===

 * https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01599.html

=== Fedora SIG EPEL Meeting Week 03/2008  ===

 * https://www.redhat.com/archives/epel-devel-list/2008-January/msg00114.html

=== Fedora SIG KDE Meeting Week 03/2008 ===

 * https://www.redhat.com/archives/fedora-devel-list/2008-January/msg01493.html

=== Fedora SIG Store Meeting (Log) 2008-01-16 ===

 * https://www.redhat.com/archives/fedora-marketing-list/2008-January/msg00139.html

Thomas Chung
