Fedora Weekly News Issue 125

Thomas Chung tchung at fedoraproject.org
Mon Mar 24 07:15:03 UTC 2008

= Fedora Weekly News Issue 125 =

Welcome to Fedora Weekly News Issue 125 for the week of March 17th, 2008.


In Announcements, we have "Fedora 9 Beta slipped a few days", "Michael
Tiemann's Speech Online"
In Planet Fedora, we have "Fedora University Tour", "FUDCon Boston
2008 at the Red Hat Summit" and "Notacon 5"

We are always looking for more writers to help us deliver timely
information to the Fedora community.


   1. Announcements
         1. Fedora 9 Beta slipped a few days
         2. Michael Tiemann's Speech Online
   2. Planet Fedora
         1. Fedora University Tour
         2. FUDCon Boston 2008 at the Red Hat Summit
         3. Notacon 5
   3. Ambassadors
         1. Media Distribution and GPL Compliance
         2. Fedora 9 Release Day Parties
         3. Ambassadors Needed for Several Events
   4. Advisory Board
         1. Google Summer of Code 2008
   5. Infrastructure
         1. Asterisk and Town Hall meeting
   6. Artwork
         1. Art Team Status
   7. Security Week
         1. Wells Fargo Online Safe-Deposit Box
         2. CERT-FI archive file fuzzing
   8. Security Advisories
         1. Fedora 8 Security Advisories
         2. Fedora 7 Security Advisories
   9. Events and Meetings
         1. Fedora Board Meeting Minutes 2008-03-18
         2. Fedora Engineering Steering Committee Meeting 2008-03-20
         3. Fedora Infrastructure Meeting (Log) 2008-03-20
         4. Fedora Localization/Translation Meeting (Log) 2008-03-18
         5. Fedora Release Engineering Meeting 2008-03-17
         6. Fedora SIG EPEL Report Week 11/2008
         7. Fedora SIG KDE Meeting 2008-03-18
         8. Fedora SIG Store Meeting (Update) 2008-03-19

(Section 1)
== Announcements ==

In this section, we cover announcements from Fedora Project.


Contributing Writer: ThomasChung

=== Fedora 9 Beta slipped a few days ===

JesseKeating announces in fedora-announce-list[1],

"In order to give time for mirrors to sync up the Fedora 9 Beta bits, and
to do some last minute testing, and to avoid releasing beta the day
before a Holiday for a large part of the world, we have decided to delay
the release of Fedora 9 Beta until Tuesday, March 25th."

[1] https://www.redhat.com/archives/fedora-announce-list/2008-March/msg00008.html

=== Michael Tiemann's Speech Online ===

PaulFrields announces in fedora-announce-list[1],

"Part of Michael Tiemann's 'Fedora in the Enterprise' speech from FUDCon
Raleigh 2008 is now available in Ogg Theora format on the Fedora torrent

[1] https://www.redhat.com/archives/fedora-announce-list/2008-March/msg00007.html

(Section 2)
== Planet Fedora ==

In this section, we cover a highlight of Planet Fedora - an
aggregation of blogs from world wide Fedora contributors.


Contributing Writers: ThomasChung

=== Fedora University Tour ===

JackAboutboul blogs[1] on The Red Hat/Fedora 2008 University Tour blog site:

"Just arrived in Pittsburgh after a 5 hour travel ordeal which should
have normally taken no more than 3 hours. Didn't faze me one bit
though, because I'm running on pure adrenaline, PSYCHED for
Carnegie-Mellon in a few hours. CMU faculty, students and staff and
local geeks alike who are interested in being inspired and captivated
please join me as I present "Crash: How a Billion Little Collisions
Define Everything" at 5pm later today in Newell-Simon Hall."

[1] http://fedorauniversity.wordpress.com/2008/03/24/there-he-goes/

=== FUDCon Boston 2008 at the Red Hat Summit ===

PaulFrields points out in his blog[1],

"If you or your employer is springing for attendance at the actual
Summit itself, and you attended a previous Summit, you're eligible for
a special alumni rate. Check your email from the last week and you
should find a note from the Summit organizers with a special
promotional code that will get you a substantial discount. (I just
want to make sure no one misses the chance to save a little cash.) If
you feel you should have received the email and didn't, let me know
and I'll see if I can't get you fixed up."

[1] http://marilyn.frields.org:8080/~paul/wordpress/?p=952

=== Notacon 5 ===

JeffreyTadlock points out in his blog[1],

Fedora has arranged to have a booth at the soon upcoming Notacon 5 in
downtown Cleveland, Ohio. The event is held April 4th through the 6th
and is described as "The Midwest's most unique hacker con and demo
party rolled into one!"

[1] http://jtadlock.wordpress.com/2008/03/21/fedora-at-notacon-5-cleveland-oh/

(Section 3)
== Ambassadors ==

In this section, we cover Fedora Ambassadors Project.


Contributing Writer: JeffreyTadlock

=== Media Distribution and GPL Compliance ===

Fedora Project leader PaulFrields announced[1] guidelines on the
Ambassadors mailing list for staying GPL compliant when distributing
Fedora media at events.  Paul made two main points in the email, the
first being let people know the source code for the binaries on the
CDs/DVDs is readily available at fedoraproject.org.  The second was to
be prepared to provide source on CDs/DVDs for people that want it on
that form of media.  Ambassadors can either make some source DVDs up
prior to an event or be prepared to burn media at the booth if

Fedora Ambassadors should read the announcement in its entirety for
all of the details.

[1] https://www.redhat.com/archives/fedora-ambassadors-list/2008-March/msg00140.html

=== Fedora 9 Release Day Parties ===

FrancescoUgolini invited[1] all Ambassadors to organize a release
party or release event in their area around the time Fedora 9 is
released at the end of April.  These can be informal events with
machines showing off the Fedora 9 release and include discussion
between speakers and the public.  If you are planning such an event
Ambassador's can add it to the Fedora Events page.  If an Ambassador
needs assistance in organizing their release party please contact a
FAmSCo member [3] for guidance.

[1] https://www.redhat.com/archives/fedora-ambassadors-list/2008-March/msg00145.html

[2] http://fedoraproject.org/wiki/FedoraEvents

[3] http://fedoraproject.org/wiki/Ambassadors/SteeringCommittee/

=== Ambassadors Needed for Several Events ===

There are several EMEA events that need an Ambassador to attend listed
on the Fedora Events page [1].  These events include Augsburger
Linux-Infotag in Augsburg, Germany; Grazer Linuxtage in Graz, Austria;
Linux Days in Geneva, Switzerland and Open Source Expo in Karlsruhe,
Germany.  If you can help with any of these events please add your
name to the owner column and contact a FAmSCo member for assistance.

[1] http://fedoraproject.org/wiki/FedoraEvents

[2] http://fedoraproject.org/wiki/Ambassadors/SteeringCommittee/

(Section 4)
== Advisory Board ==

In this section, we cover discussion in Fedora Advisory Board.


Contributing Writer: MichaelLarabel

=== Google Summer of Code 2008 ===

PatrickBarnes has announced that Fedora has been accepted as a
mentoring organization in this summer's Google Summer of Code program
for aspiring open-source student developers[1]. Fedora will be working
along side JBoss and the other Red Hat projects. The list of ideas for
this year's GSoC program can be found on the Fedora Wiki[2].

[1] https://www.redhat.com/archives/fedora-advisory-board/2008-March/msg00129.html

[2] http://fedoraproject.org/wiki/SummerCoding/2008/Ideas

(Section 5)
== Infrastructure ==

This section contains the discussion happening on the


Contributing Writer:  HuzaifaSidhpurwala

=== Asterisk and Town Hall meeting ===

PaulFrields writes[1] on fedora-infrastructure-list

The Fedora Board should be doing another "town hall" style meeting on
Tuesday April 1. In March we postponed plans until then to use
Asterisk and Gstreamer to provide some sort of listening capability
for community members. In the end there was an agreement on the fact
that there should have been a ticket for things, rather than just
asking for things on the list.

[1] https://www.redhat.com/archives/fedora-infrastructure-list/2008-March/msg00122.html

(Section 6)
== Artwork ==

In this section, we cover Fedora Artwork Project.


Contributing Writer: NicuBuculei

=== Art Team Status ===

MairinDuffy send a message to the Fedora Art list[1] with a status
update of the team. She talks about the default theme for Fedora 9,
which was settled for Sulfuric Waves[3], access policy for the Art
group in the Fedora Account System, issues with the release process,
the website banner for the Beta release and a Linux action podcast
interview. NicuBuculei adds[2] to the list two more items: media
(CD/DVD) labels and a release counter for the website.

[1] https://www.redhat.com/archives/fedora-art-list/2008-March/msg00139.html

[2] https://www.redhat.com/archives/fedora-art-list/2008-March/msg00140.html

[3] http://fedoraproject.org/wiki/Artwork/F9Themes/Waves/Round3Final

(Section 7)
== Security Week ==

In this section, we highlight the security stories from the week in Fedora.

Contributing Writer: JoshBressers

=== Wells Fargo Online Safe-Deposit Box ===


It's no secret that even with a brick and mortar bank, you have to
have a certain level of trust with a save-deposit box. But apart from
a dishonest employee, the evildoers will have a rough time getting at
your things. You would expect the bank to have at least, door locks,
security cameras, motion detectors, and a big thick scary vault.

With an online storage system you really don't have all that many
lines of defense. Let's presume the tech guys aren't thieves, and
there are no flaws that could be used to gain access to your account.
That means that the only real way in is to steal your "key". In the
physical world, that might be as difficult as targeting you, knocking
you down in the street, rummaging through your pockets, and finding
the bank key. Then all you have to do is trick the bank into letting
you actually use the stolen key, and taking whatever unusually
important things I have stowed away in my box. In the tech world, I
suspect stealing keys would go something like this:

Send out twelve billion phishing emails. Get some login credentials,
steal their files.

The article mentions RSA tokens, which would help considerably, but
they seem to suggest they are optional. I would be quite hesitant to
put much faith in such a system if it doesn't offer multi factor
authentication. Like most things though, I suspect this is just a case
of making people feel all warm and fuzzy, since they don't really
understand what's going on anyhow.

=== CERT-FI archive file fuzzing ===

CERT-FI published a giant archive of fuzzed files last week.


There are a couple of things that will need to be fixed in Fedora and
RHEL, they are currently being worked on, but this really brings up a
much bigger question. How is this a security advisory? They gave out
an archive of millions of fuzzed files, the vast majority of which
don't even trigger bugs in the software in question.

I think fuzzing is extremely powerful, and is very useful for finding
bugs and security issues. Until now, fuzzing has really focused on the
tools that mangle the data, to produce data with errors and flaws that
will trigger bugs. These tools are a dime a dozen at this point, so
what CERT-FI did wasn't all that useful. It would have been far more
useful had CERT-FI distributed their suite for generating the fuzzed
files, or released a test runner. Currently, the hard part when
fuzzing is actually running the tests. When something fails, it's
helpful to know where and why it happened, and by the very nature of
fuzzing, there will be many failures caused by the same bug.

This also begs the question, what's coming next? Given what I've seen
of fuzzing, I think it's beginning to reach the end of its extreme
usefulness. Once fuzzing stops returning quick and easy results, I
imagine most researchers will move on to something better for finding
their flaws. It's in the best interest of security researchers to
quickly and easily find security issues.

This reminds me of strcpy usage a few years back. There were an
incredible number of security bugs found back when nobody cared about
how they handled strings. Most developers are now quite aware of this
and the strcpy buffer overflows are rather uncommon. Modern compilers
will now even complain about crummy string use. Fuzzing is really just
finding bugs where developers don't verify user input. This is getting
better, and eventually ensuring that user input is sane will likely
just be common knowledge. It shall be interesting to see what clever
researchers come up with next, but until then, keep up the fuzzing.

(Section 8)
== Security Advisories ==

In this section, we cover Security Advisories from fedora-package-announce.


Contributing Writer: ThomasChung

=== Fedora 8 Security Advisories ===

 * asterisk-  -
 * xine-lib-1.1.11-1.fc8  -
 * libsilc-1.0.2-6.fc8  -
 * krb5-1.6.2-14.fc8  -

=== Fedora 7 Security Advisories ===

 * libsilc-1.0.2-6.fc7  -
 * asterisk-  -
 * krb5-1.6.1-9.fc7  -

(Section 9)
== Events and Meetings ==

In this section, we cover event reports and meeting summaries from
various Projects and SIGs.

Contributing Writer: ThomasChung

=== Fedora Board Meeting Minutes 2008-03-18 ===

 * http://fedoraproject.org/wiki/Board/Meetings/2008-03-18

=== Fedora Engineering Steering Committee Meeting 2008-03-20 ===

 * http://fedoraproject.org/wiki/Extras/SteeringCommittee/Meeting-20080320

=== Fedora Infrastructure Meeting (Log) 2008-03-20 ===

 * https://www.redhat.com/archives/fedora-infrastructure-list/2008-March/msg00141.html

=== Fedora Localization/Translation Meeting (Log) 2008-03-18 ===

 * https://www.redhat.com/archives/fedora-trans-list/2008-March/msg00095.html

=== Fedora Release Engineering Meeting 2008-03-17 ===

 * http://fedoraproject.org/wiki/ReleaseEngineering/Meetings/2008-mar-17

=== Fedora SIG EPEL Report Week 11/2008  ===

 * http://fedoraproject.org/wiki/EPEL/Reports/Week11

=== Fedora SIG KDE Meeting 2008-03-18 ===

 * http://fedoraproject.org/wiki/SIGs/KDE/Meetings/2008-03-18

=== Fedora SIG Store Meeting (Update) 2008-03-19 ===

 * https://www.redhat.com/archives/fedora-marketing-list/2008-March/msg00108.html

Thomas Chung

More information about the fedora-announce-list mailing list