From tfox at redhat.com Wed Dec 1 02:44:22 2004
From: tfox at redhat.com (Tammy Fox)
Date: Tue, 30 Nov 2004 21:44:22 -0500
Subject: Adding boilerplate errata/CVS instructions
In-Reply-To: <1100897360.16858.14.camel@erato.phig.org>
References: <1100728757.3803.16.camel@cassandra.boston.redhat.com> <1100738345.3619.3758.camel@erato.phig.org> <1100810707.3803.52.camel@cassandra.boston.redhat.com> <1100823990.3619.5323.camel@erato.phig.org> <1100825658.3803.90.camel@cassandra.boston.redhat.com> <1100897360.16858.14.camel@erato.phig.org>
Message-ID: <20041201024422.GS32566@redhat.com>

On Fri, Nov 19, 2004 at 12:49:20PM -0800, Karsten Wade wrote:
> On Thu, 2004-11-18 at 16:54, David Malcolm wrote:
> > On Thu, 2004-11-18 at 16:26 -0800, Karsten Wade wrote:
> > > > cd /home/kwade/Documents/projects/fedora/fedora-docs/selinux-apache/
> > > nsgmls -wxml -s /home/kwade/lib/psgmlx-0.5/lib/xml.dcl
> > > selinux-apache-en.xml
> > > nsgmls:/home/kwade/lib/psgmlx-0.5/lib/xml.dcl:1:W: SGML declaration was
> > > not implied
> > >
> > > SGML validation finished at Thu Nov 18 16:24:42
> > >
> > > FWIW, that's the way it normally appears when I validate (in Emacs using
> > > C-c C-v).
> >
> > OK, great; good idea. Is xmllint happy with such a setup? If so, then
> > the ABOUT-DOC-EN probably _should_ get added to the main entities file.
>
> As far as I can tell, it works fine. I just ran xmllint against it
> (without options), with only FEDORA-ENTITIES-EN and the various
> PUBLISHED-HTML-URL etc. defined in a document, and it validates, builds,
> and does not error.
>
> > > > > > Any thoughts/rewrites? Perhaps the heading should read "About This
> > > > > > Document" instead?
> > > > >
> > > > > Yes, that is more of an accurate title. Changed that in the attachment.
> > > >
> > > > Perhaps the file should have a different name; perhaps
> > > > "about-this-document-en.xml" ?
> > >
> > > How about about-doc-en.xml?
> > Yes, that's much better.
> >
> > Maybe even "about-fedora-doc-en.xml", to make it clear that this relates
> > to a Fedora doc? (as opposed to RHEL)
>
> No need, everything is separate ... although it is not improper, and is
> certainly future proofing. Do as you wish, since I'm wishy-washy. :)
>

Since it is already part of a module called fedora-docs, adding fedora
to the filename is redundant.

> > Can I go ahead and commit this (assuming I have access rights)? Or
> > should someone else on the list comment first? I'm just a lowly desktop
> > developer :-)
>
> Nah, youse a riter, now.
>
> I suggest you file a bug (RFE) against fedora-docs (tfox will get it,
> she has write perms and the buck-stops-here for stuff like what goes in
> fedora-docs/common), attach a patch to fedora-entities-en.xml, attach
> the about{-fedora}-doc-en.xml file. We'll also need to fix the
> fedora-docs/example-tutorial to include the new entity call(s) and
> sample definitions for the 4 entities required by
>

I saw your RFE. I think it is a great idea, like the name "About this
Document," and like the name about-doc-en.xml as the filename.

However, I think it would be better as a separate sect1 either at the
beginning or the end of the document. Tips are supposed to be shorter
pieces of information called out to help the reader accomplish a task.

I've seen many other documents with an About this Document section,
and they have always been separate sections.

Having a separate section also allows us to have a common place for
the "Acknowledgements" and "Revision History" sections under this
sect1 as sect2s.

Thoughts?
Tammy

> - Karsten
> --
> Karsten Wade, RHCE, Tech Writer
> a lemon is just a melon in disguise
> http://people.redhat.com/kwade/
> gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
>
> --
> fedora-docs-list mailing list
> fedora-docs-list at redhat.com
> To unsubscribe:
> http://www.redhat.com/mailman/listinfo/fedora-docs-list

--

From tfox at redhat.com Wed Dec 1 02:46:17 2004
From: tfox at redhat.com (Tammy Fox)
Date: Tue, 30 Nov 2004 21:46:17 -0500
Subject: Release notes on project website
In-Reply-To: <1101567713.13309.2.camel@bettie.internal.frields.org>
References: <1101567713.13309.2.camel@bettie.internal.frields.org>
Message-ID: <20041201024615.GT32566@redhat.com>

On Sat, Nov 27, 2004 at 10:01:52AM -0500, Paul W. Frields wrote:
> On Fri, 2004-11-26 at 23:50 -0500, William M. Quarles wrote:
> > Considering that some people might still want to download Fedora Core 1
> > (i.e. since those paying attention might have noticed that the 2.4
> > kernel still performs better than 2.6), I think that it would be a good
> > idea to have the release notes for Fedora Core 1 on the website, even if
> > only for historical purposes. Red Hat always left old documentation for
> > Red Hat Linux up on their website, and I don't see why The Fedora
> > Project should behave any differently.
>
> Tammy, do you have any insight into this? Is the documentation for FC1
> perhaps better suited to reside at the Legacy Project along with other
> upkeep? And would it then "vanish" when FC1 is abandoned by the Legacy
> Project?
>
> OK, that's enough questions for one morning. :-)
>

Bill and I talked about this, and we decided that the Fedora website
would contain the release notes for all releases until they move into
Legacy. So, yes, the Legacy Project site is the proper place for the FC1
release notes.

Regards,
Tammy

From blcjr2 at gmail.com Thu Dec 16 16:33:19 2004
From: blcjr2 at gmail.com (Basil Copeland)
Date: Thu, 16 Dec 2004 10:33:19 -0600
Subject: Project Status?
Message-ID: <986aa8a2041216083381a12a3@mail.gmail.com>

I just joined the list, though I've read through some of the archives.

Will there ever be any documentation for Fedora comparable to the "Red
Hat Linux Manuals" found here:

http://www.redhat.com/docs/manuals/linux/

Is there any reason why this material could not, or should not, be
updated for Fedora by the community (e.g. copyright?).

I still find myself using the RH9 "manuals" a lot, even for Fedora. If
permissible, I would help out in updating selected portions of this
documentation, in areas where I possess some measure of competency.

Basil Copeland

From rahulsundaram at yahoo.co.in Thu Dec 16 17:28:33 2004
From: rahulsundaram at yahoo.co.in (Rahul Sundaram)
Date: Thu, 16 Dec 2004 09:28:33 -0800 (PST)
Subject: Project Status?
In-Reply-To: <986aa8a2041216083381a12a3@mail.gmail.com>
Message-ID: <20041216172833.63659.qmail@web8506.mail.in.yahoo.com>

Hi

> Is there any reason why this material could not, or
> should not, be
> updated for Fedora by the community (e.g.
> copyright?).

yes. Licensing issues. the redhat docs are under OPL
license while Fedora docs are under GNU FDL

=====
Regards
Rahul Sundaram

From s.ellis at fastmail.co.uk Fri Dec 17 12:44:27 2004
From: s.ellis at fastmail.co.uk (Stuart Ellis)
Date: Fri, 17 Dec 2004 12:44:27 +0000
Subject: Project Status?
In-Reply-To: <986aa8a2041216083381a12a3@mail.gmail.com>
References: <986aa8a2041216083381a12a3@mail.gmail.com>
Message-ID: <1103287467.6901.211009507@webmail.messagingengine.com>

On Thu, 16 Dec 2004 10:33:19 -0600, "Basil Copeland" said:
> I just joined the list, though I've read through some of the archives.
>
> Will there ever be any documentation for Fedora comparable to the "Red
> Hat Linux Manuals" found here:
>
> http://www.redhat.com/docs/manuals/linux/
>
> Is there any reason why this material could not, or should not, be
> updated for Fedora by the community (e.g. copyright?).

Caveat: I don't represent anybody other than myself.

As Rahul says the official RH documentation is under OPL, and the
impression I get from discussion on this list is that new documents have
to be written in order for the licencing to be "clean".

I've written most of an Installation Guide, and any
help/suggestions/contributions are very welcome - there are several
areas that need work. Should have a new version out shortly, but the
older version is available here:

http://www.se.clara.net/fedora/fedora-install-guide-en/index.html

You can also put forward suggestions, patches etc. for the released
Fedora documentation (or write your own). Full project information is
at:

http://fedora.redhat.com/projects/docs/

The Documentation Guide is very helpful on the process, but you don't
need to have mastered the technical aspects before you can start.
Plunge forward :)

--
Stuart Ellis
s.ellis at fastmail.co.uk

From rahulsundaram at yahoo.co.in Fri Dec 17 18:41:00 2004
From: rahulsundaram at yahoo.co.in (Rahul Sundaram)
Date: Fri, 17 Dec 2004 10:41:00 -0800 (PST)
Subject: Project Status?
In-Reply-To: <1103287467.6901.211009507@webmail.messagingengine.com>
Message-ID: <20041217184100.36673.qmail@web8508.mail.in.yahoo.com>

Hi

> I've written most of an Installation Guide, and any
> help/suggestions/contributions are very welcome -
> there are several
> areas that need work. Should have a new version out
> shortly, but the
> older version is available here:
>
> http://www.se.clara.net/fedora/fedora-install-guide-en/index.html
>

can you try pushing for inclusion of these docs as
quickly as you can and revise it periodically rather than
waiting for it to be made perfect.
It would be helpful to point these docs to many
people outside this list and get feedback from the
users and revise it accordingly...

=====
Regards
Rahul Sundaram

From s.ellis at fastmail.co.uk Mon Dec 20 23:13:34 2004
From: s.ellis at fastmail.co.uk (Stuart Ellis)
Date: Mon, 20 Dec 2004 23:13:34 +0000
Subject: Installation Guide 0.4
Message-ID: <1103584414.17741.211204289@webmail.messagingengine.com>

DocBook:
http://www.se.clara.net/fedora/fedora-install-guide-0.4.0.tar.gz

HTML:
http://www.se.clara.net/fedora/fedora-install-guide-en/index.html

- Emacs-ification of source files.
- Rewrote Introduction.
- Lots and lots of small alterations.

--
Stuart Ellis
s.ellis at fastmail.co.uk

From s.ellis at fastmail.co.uk Tue Dec 21 00:45:34 2004
From: s.ellis at fastmail.co.uk (Stuart Ellis)
Date: Tue, 21 Dec 2004 00:45:34 +0000
Subject: Project Status?
In-Reply-To: <20041217184100.36673.qmail@web8508.mail.in.yahoo.com>
References: <20041217184100.36673.qmail@web8508.mail.in.yahoo.com>
Message-ID: <1103589934.24337.211205102@webmail.messagingengine.com>

On Fri, 17 Dec 2004 10:41:00 -0800 (PST), "Rahul Sundaram" said:
> Hi
>
> > I've written most of an Installation Guide, and any
> > help/suggestions/contributions are very welcome -
> > there are several
> > areas that need work. Should have a new version out
> > shortly, but the
> > older version is available here:
> >
>
> > http://www.se.clara.net/fedora/fedora-install-guide-en/index.html
> >
>
> can you try pushing for inclusion of these docs as
> quickly as you can and revise it periodically rather than
> waiting for it to be made perfect.

It may now be at the point where it could be pushed if the missing
sections were written or dropped. It doesn't cover every feature
(nothing on VNC, PPC etc.), but I think that the text is a workable
base.
The next stage is probably to decide whether or not the draft is
fundamentally sound, and what to do about these sections if the draft is
essentially OK.

> It would be helpful to point these docs to many
> people outside this list and get feedback from the
> users and revise it accordingly...

This is really a policy decision - whether or not draft documents should
be advertised for review outside this list. The process summary implies
that this should be done through the project infrastructure (mailing
list, Bugzilla etc.).

--
Stuart Ellis
s.ellis at fastmail.co.uk

From rahulsundaram at yahoo.co.in Tue Dec 21 00:26:03 2004
From: rahulsundaram at yahoo.co.in (Rahul Sundaram)
Date: Mon, 20 Dec 2004 16:26:03 -0800 (PST)
Subject: Installation Guide 0.4
In-Reply-To: <1103584414.17741.211204289@webmail.messagingengine.com>
Message-ID: <20041221002603.38443.qmail@web8508.mail.in.yahoo.com>

--- Stuart Ellis wrote:

>
> DocBook:
> http://www.se.clara.net/fedora/fedora-install-guide-0.4.0.tar.gz
>
> HTML:
> http://www.se.clara.net/fedora/fedora-install-guide-en/index.html

You might want to write a more cheerful and less
technical introduction

End users typically might not understand what open source
or 64/32 bit systems means. Try throwing around words
like user friendly, full blown office,suites, games
and stuff if you are targeting newbies esp desktop
users

2. Before You Begin

Might consider adding a note explaining the
differences between these architectures and how they
are supposed to identify which ones to download

one of the FAQ's is the minimum amount of cd's required
cd's to complete the installation. so you can mention
that a personal desktop only requires that first two
cds and that you can use the minimum boot iso image to
do a http/ftp installation here
potential questions to answer

what does dhcp mean?. how do I identify whether my
network is using dhcp?

It might be worth moving this para to the section on
network installation that follows

2.1. Installation on a Network

I suspect that more people install fedora on their
home systems and not on a network. consider moving
this section to the pages where you explain the
network setup options

Chapter 1. Beginning the Installation

"Fedora Core does not support installation from
diskettes."

I am not sure everyone would understand the term
"diskettes" here.

The explanation seems too technical and assumes that
everyone would know what an RPM means for example..

Try this approach

1) Explain how to download and what to download and
check the md5sum to verify that the download has been
successful

2) How to write a CD image using to the disk

3) What are the types of installation and how to
choose among them

4) what is the inventory of items that the end user is
expected to know?

5) How do I allocate space and partition my system.
what is the recommended sizes. Would the installer be
able to resize it?

The installation guide should give the critical
information in small easy to understand steps right at
the start and explain the more technical points at the
relevant sections. Currently the flow reads more like
a reference

1.3. Booting from the Network using PXE

what is PXE?

Chapter 2. Upgrading Over An Existing System

Would upgrading save my configuration and data? Is
upgrading recommended over a clean installation?

"2.1.1. Upgrading Boot Loader Configuration"

explain that Fedora uses GRUB(Grand unified boot
loader) as the default one. don't mention LILO
prominently. Just add a note. its depreciated and
likely to confuse the users reading it as to the
differences and the choice

Chapter 6. Network Configuration

a short note on what DHCP means technically would be
nice..

6.1. Network Devices'

"clickEdit" should have a space between the words. an
example of sample configuration information should be
added

6.2. Computer Hostname

Home users typically need not worry about setting up a
meaningful name and can choose one arbitrarily.
it is also possible to change the hostname after the
installation. reassure them of this

6.3. Miscellaneous Settings

what's a DNS?. technical note

7.2. SELinux

SE stands for Security Enhanced. link to selinux faq

Chapter 10. Set Root Password

Windows users will typically understand
"administrator" better than "special user"

"You have the opportunity to create a user account for
yourself during the initial boot process."

how about this:

"You have the opportunity to create a non
administrative user account for normal tasks towards
the end of the installation process"

the warning should also advise users against choosing
easily identifiable personal information like a phone
number of girl friend of the week as the password

Chapter 12. About to Install

the warning should also add that the users should
press cancel or reboot? button to stop the
installation if they don't want to continue

I will send my feedback on the appendix later

=====
Regards
Rahul Sundaram

From rahulsundaram at yahoo.co.in Tue Dec 21 01:29:59 2004
From: rahulsundaram at yahoo.co.in (Rahul Sundaram)
Date: Mon, 20 Dec 2004 17:29:59 -0800 (PST)
Subject: Project Status?
In-Reply-To: <1103589934.24337.211205102@webmail.messagingengine.com>
Message-ID: <20041221012959.53425.qmail@web8509.mail.in.yahoo.com>

Hi

> The next stage is probably to decide whether
> or not the draft is
> fundamentally sound, and what to do about these
> sections if the draft is
> essentially OK.

I believe it is.

>
> This is really a policy decision - whether or not
> draft documents should
> be advertised for review outside this list. The
> process summary implies
> that this should be done through the project
> infrastructure (mailing
> list, Bugzilla etc.).

I don't consider it a policy decision. It shouldn't be.
You are going to get more feedback from people outside
this list at one point or the other. It is also
important that you listen to those feedback from end
users and revise your document to suit them better.
The question is whether you publish the doc now and
wait for feedback or actively push this doc to the
user list *now*. the earlier you do it it's better in
IMHO

=====
Regards
Rahul Sundaram

From s.ellis at fastmail.co.uk Tue Dec 21 22:25:41 2004
From: s.ellis at fastmail.co.uk (Stuart Ellis)
Date: Tue, 21 Dec 2004 22:25:41 +0000
Subject: Project Status?
In-Reply-To: <20041221012959.53425.qmail@web8509.mail.in.yahoo.com>
References: <20041221012959.53425.qmail@web8509.mail.in.yahoo.com>
Message-ID: <1103667941.24875.211281272@webmail.messagingengine.com>

On Mon, 20 Dec 2004 17:29:59 -0800 (PST), "Rahul Sundaram" said:
>
> > This is really a policy decision - whether or not
> > draft documents should
> > be advertised for review outside this list. The
> > process summary implies
> > that this should be done through the project
> > infrastructure (mailing
> > list, Bugzilla etc.).
>
>
> I don't consider it a policy decision. It shouldn't be.
> You are going to get more feedback from people outside
> this list at one point or the other. It is also
> important that you listen to those feedback from end
> users and revise your document to suit them better.
> The question is whether you publish the doc now and
> wait for feedback or actively push this doc to the
> user list *now*. the earlier you do it it's better in
> IMHO

Sorry if that was a little curt - not enough sleep. The point that I
was trying to make was that there is a process for releasing documents,
which has been decided by the editors. There has to be, because
releasing something as a Fedora document means that it is the official
item.
So I can't put this out for review as a draft FDP Installation
Guide unless it is decided that it can go out outside of the normal
route.

I expect the text to change a great deal as people use it and give
feedback, and as Fedora keeps growing and changing. At the moment I'm
trying to put together as much of an Installation Guide v1 as I can, so
that it can go through the FDP process and get released to users.

FWIW, the original template was the Table of Contents put in CVS by
Tammy Fox, but I've deviated from this to match the current Fedora
installation process. There are copies of the original and revised ToCs
in the tarball.

After version 1 it may deviate some more - I know that there is at least
one more chapter I would like in (on what to do after you've installed
Fedora), and other people might want to do different things.

--
Stuart Ellis
s.ellis at fastmail.co.uk

From rahulsundaram at yahoo.co.in Tue Dec 21 22:29:48 2004
From: rahulsundaram at yahoo.co.in (Rahul Sundaram)
Date: Tue, 21 Dec 2004 14:29:48 -0800 (PST)
Subject: Project Status?
In-Reply-To: <1103667941.24875.211281272@webmail.messagingengine.com>
Message-ID: <20041221222948.84767.qmail@web8504.mail.in.yahoo.com>

Hi

> So I can't put this out for review as a draft
> FDP Installation
> Guide unless it is decided that it can go out
> outside of the normal
> route.

It's your document. the decision rests with you. I don't
see anyone opposing asking others for reviewing the
document outside this list. do you have any docs
suggesting that you aren't supposed to do this?

=====
Regards
Rahul Sundaram

From kwade at redhat.com Wed Dec 22 02:51:32 2004
From: kwade at redhat.com (Karsten Wade)
Date: Tue, 21 Dec 2004 18:51:32 -0800
Subject: Project Status?
In-Reply-To: <1103667941.24875.211281272@webmail.messagingengine.com>
References: <20041221012959.53425.qmail@web8509.mail.in.yahoo.com> <1103667941.24875.211281272@webmail.messagingengine.com>
Message-ID: <1103683892.3686.55.camel@erato.phig.org>

On Tue, 2004-12-21 at 22:25 +0000, Stuart Ellis wrote:
> On Mon, 20 Dec 2004 17:29:59 -0800 (PST), "Rahul Sundaram"
> said:
> >
> > > This is really a policy decision - whether or not
> > > draft documents should
> > > be advertised for review outside this list. The
> > > process summary implies
> > > that this should be done through the project
> > > infrastructure (mailing
> > > list, Bugzilla etc.).
> >
> >
> > I don't consider it a policy decision. It shouldn't be.
> > You are going to get more feedback from people outside
> > this list at one point or the other. It is also
> > important that you listen to those feedback from end
> > users and revise your document to suit them better.
> > The question is whether you publish the doc now and
> > wait for feedback or actively push this doc to the
> > user list *now*. the earlier you do it it's better in
> > IMHO
>
> Sorry if that was a little curt - not enough sleep. The point that I
> was trying to make was that there is a process for releasing documents,
> which has been decided by the editors. There has to be, because
> releasing something as a Fedora document means that it is the official
> item. So I can't put this out for review as a draft FDP Installation
> Guide unless it is decided that it can go out outside of the normal
> route.

I think there was a bit of a hole in the process, left unintentionally
vacant for this long. Sorry that wasn't cleaned up to make this part of
the process more official.

The process should include room for beta documentation to be tested.

There is an entity in common/fedora-entities.xml , and the contents of
draftnotice-en.xml are:

DRAFT

This is a draft version of the document.
It is subject to change at any time and may not have been tested for
technical accuracy yet. If you find any errors, please report them via
Bugzilla in bug &BUG-NUM;.

Put that at the very top of the very first
or (i.e., intro.xml). Make sure there is a &BUG-NUM; for people to file
against.

You can now post this on your own website and distribute the URL, with
big, loud exclamations that it is a testing/draft document, so if it
breaks, the user gets to keep the pieces, etc.

Stuart -- thanks so much for your hard work on this. Sorry I've been
absent of late, I'm nose down in finishing documentation for RHEL 4. I
definitely think you should reveal this document as a beta when you are
ready to. A post on fedora-list should get you plenty of testers. :)

- Karsten
--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From kwade at redhat.com Wed Dec 22 02:56:23 2004
From: kwade at redhat.com (Karsten Wade)
Date: Tue, 21 Dec 2004 18:56:23 -0800
Subject: Adding boilerplate errata/CVS instructions
In-Reply-To: <20041201024422.GS32566@redhat.com>
References: <1100728757.3803.16.camel@cassandra.boston.redhat.com> <1100738345.3619.3758.camel@erato.phig.org> <1100810707.3803.52.camel@cassandra.boston.redhat.com> <1100823990.3619.5323.camel@erato.phig.org> <1100825658.3803.90.camel@cassandra.boston.redhat.com> <1100897360.16858.14.camel@erato.phig.org> <20041201024422.GS32566@redhat.com>
Message-ID: <1103684183.3686.59.camel@erato.phig.org>

On Tue, 2004-11-30 at 21:44 -0500, Tammy Fox wrote:
> I saw your RFE. I think it is a great idea, like the name "About this
> Document," and like the name about-doc-en.xml as the filename.
>
> However, I think it would be better as a separate sect1 either at the
> beginning or the end of the document. Tips are supposed to be shorter
> pieces of information called out to help the reader accomplish a task.
>
> I've seen many other documents with an About this Document section,
> and they have always been separate sections.
>
> Having a separate section also allows us to have a common place for
> the "Acknowledgements" and "Revision History" sections under this
> sect1 as sect2s.
>
> Thoughts?

My brain is unfreezing a bit here ... I recall that in fact Mark Johnson
did a draft that included an Introduction with much of such information
of ... let's see ...

http://people.redhat.com/mjohnson/docs/fedora/docbook-emacs-quickstart/index.html#about

We could include the CVS bit as a section within this section.

- Karsten
--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From kwade at redhat.com Wed Dec 22 03:03:12 2004
From: kwade at redhat.com (Karsten Wade)
Date: Tue, 21 Dec 2004 19:03:12 -0800
Subject: status from kwade@redhat.com
Message-ID: <1103684593.3686.68.camel@erato.phig.org>

Speaking strictly for myself here, although I think this applies to many
others.

As many of you know, the Engineering team at Red Hat is in the final
stages of the next release of Enterprise Linux. I'm deep into the
particularities of SELinux just as others are working on their own
content.

I apologize for not being present on list/in project lately. This
situation will continue for a little while longer, for myself at least.

However, if you are looking for a response from me for any reason, I am
always camping on #fedora-docs on irc.freenode.net. Drop your question
and hang around (or give your email address), I'll read it eventually.

Several of us continue to have interest in tweaking the toolchain.
There are many docs to be written, and a few in the works to be edited.
There may even be a few in the queue to get posted to
fedora.redhat.com/docs.

We appreciate your patience, keep the good work coming, and thanks for
hanging in there with us.

cheers - Karsten
--
Karsten Wade, RHCE, Sr. Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41

From paul at frields.com Wed Dec 22 15:11:43 2004
From: paul at frields.com (Paul W. Frields)
Date: Wed, 22 Dec 2004 10:11:43 -0500
Subject: status from kwade@redhat.com
In-Reply-To: <1103684593.3686.68.camel@erato.phig.org>
References: <1103684593.3686.68.camel@erato.phig.org>
Message-ID: <1103728303.13271.7.camel@localhost.localdomain>

On Tue, 2004-12-21 at 19:03 -0800, Karsten Wade wrote:
> Speaking strictly for myself here, although I think this applies to many
> others.
  ^^^^^^^

Unfortunately, I'm not one of them since I'm not an @redhat guy;
therefore, I can't plead anything but "other commitments." Since my job
isn't Linux related per se, it doesn't cut me any time for Fedora --
that comes out of my personal time with my wife and children, and/or my
band. There are probably plenty of people in the same boat, so this
isn't much of an excuse.

Nevertheless, I am present and available for editing as always.

I am also writing the partitioning chapter for the Installation Guide as
promised, it's just taken longer to get started than I expected.
(Stuart, I'll send you an XML patch shortly, I just want a little bit of
substance in there before I send it. Expect something by the weekend.)

Happy holidays to everyone, and I'm looking forward to a great 2005 for
the FDP.

--
Paul W. Frields, RHCE

From s.ellis at fastmail.co.uk Wed Dec 22 16:49:45 2004
From: s.ellis at fastmail.co.uk (Stuart Ellis)
Date: Wed, 22 Dec 2004 16:49:45 +0000
Subject: Project Status?
In-Reply-To: <1103683892.3686.55.camel@erato.phig.org>
References: <20041221012959.53425.qmail@web8509.mail.in.yahoo.com> <1103667941.24875.211281272@webmail.messagingengine.com> <1103683892.3686.55.camel@erato.phig.org>
Message-ID: <1103734185.16892.211334422@webmail.messagingengine.com>

On Tue, 21 Dec 2004 18:51:32 -0800, "Karsten Wade" said:
>
> I think there was a bit of a hole in the process, left unintentionally
> vacant for this long. Sorry that wasn't cleaned up to make this part of
> the process more official.

Thanks. I didn't feel that I could release something onto a public
forum with FDP on it, without some indication that you were happy with
betas going out.

I'm going to be away for Christmas, and I'll get things together for a
test release in the new year.

--
Stuart Ellis
s.ellis at fastmail.co.uk

From s.ellis at fastmail.co.uk Wed Dec 22 18:19:30 2004
From: s.ellis at fastmail.co.uk (Stuart Ellis)
Date: Wed, 22 Dec 2004 18:19:30 +0000
Subject: Installation Guide 0.4
In-Reply-To: <20041221002603.38443.qmail@web8508.mail.in.yahoo.com>
References: <20041221002603.38443.qmail@web8508.mail.in.yahoo.com>
Message-ID: <1103739570.24679.211335216@webmail.messagingengine.com>

Since I'll be away for a while, it'll be some time before I can work
through the comments and update the text. Thanks for (as always) a
detailed set of feedback.

On Mon, 20 Dec 2004 16:26:03 -0800 (PST), "Rahul Sundaram" said:
>
> You might want to write a more cheerful and less
> technical introduction

Definitely. I've written the Introduction twice and still don't like it
much - it lacks energy. I came to the conclusion that much of the
problem was focus - it has to clearly state what Fedora Core is and why
the reader should be interested enough to spend two hours installing and
setting it up.

> End users typically might not understand what open source
> or 64/32 bit systems means. Try throwing around words
> like user friendly, full blown office,suites, games
> and stuff if you are targeting newbies esp desktop
> users

When I thought about the target audience I actually came to a
different view. I admit that this is entirely based on my
experience and may be totally wrong, but FWIW here were my assumptions,
in no particular order:

- The main audience for FC are people interested in IT. They may be
enthusiasts, students or professionals. The last group include people
involved in science and research but not necessarily trained in IT,
although they use it heavily (I was surprised by the number of people
involved in research and academia on the development list).

- We can safely assume some knowledge of Windows, but this is tricky
because Windows enables people to do some technically complex things
without being aware of the underlying technology. Linux tends to demand
understanding before you can get things to work...

- We can't assume any knowledge of UNIX or Linux, even though a lot of
people now have a little. Since a lot of Linux users are learning
piecemeal, rather than through academic courses or job-related
training, you can't assume that a user will know any specific piece of
information that isn't in the document.

- So the user will assume that any new thing that they aren't familiar
will work like Windows.

- Computers, routers etc. are cheap enough that (in Europe anyway)
anyone who wants a network will have one. A lot of the queries on
LinuxQuestions relate to networks, and in many cases home networks.
Interestingly this means that DHCP and network connectivity are nearly
everywhere, stand-alone computers and static IPs are exceptional rather
than the default.

- We can't make assumptions about hardware. As well as non x86
architectures, it's cheap enough to build a computer with multiple NICs,
RAID etc. that a home machine can look like a corporate server if the
user wants.
There's enough surplus boxes around now that it might actually *be* an ex-corporate server.

- Since people also use Fedora for testing, development or just teaching themselves, the network may look like a corporate network as well, and may actually be a corporate or academic network (dorms, research and teaching labs etc.). This is why the Introduction has a note about not installing on an existing network without talking to the administrators...

- The balance of the questions etc. that I've seen suggest that Linux is primarily being used as a server, development platform or as a hobby. The primary desktop is probably still Windows, though this now seems to be shifting.

- We can't assume where they got FC from. In the UK newsagents stock dozens of magazines, and in a large town there will be Linux magazines in the computing section. Also Linux books in the bookshops. Most of these include discs with Linux distributions. The Government-sponsored academic network (JANet) maintains public mirrors of education-related software that are dominated by Linux. These are hit very heavily for days when new releases come out.

I've probably forgotten some. It'll be very interesting to see from the list feedback what the main areas of interest actually are.

--
Stuart Ellis
s.ellis at fastmail.co.uk

From s.ellis at fastmail.co.uk Wed Dec 22 18:27:08 2004
From: s.ellis at fastmail.co.uk (Stuart Ellis)
Date: Wed, 22 Dec 2004 18:27:08 +0000
Subject: status from kwade@redhat.com
In-Reply-To: <1103728303.13271.7.camel@localhost.localdomain>
References: <1103684593.3686.68.camel@erato.phig.org> <1103728303.13271.7.camel@localhost.localdomain>
Message-ID: <1103740028.25356.211341595@webmail.messagingengine.com>

On Wed, 22 Dec 2004 10:11:43 -0500, "Paul W. Frields" said:
>
> I am also writing the partitioning chapter for the Installation Guide as
> promised, it's just taken longer to get started than I expected.
> (Stuart, I'll send you an XML patch shortly, I just want a little bit of
> substance in there before I send it. Expect something by the weekend.)

Thanks. It looks like it will be a complicated bit of work, and I don't feel able to do it justice. Please don't feel pushed - I'll be off-line for most of the next two weeks.

--
Stuart Ellis
s.ellis at fastmail.co.uk

From paul at frields.com Wed Dec 22 18:40:39 2004
From: paul at frields.com (Paul W. Frields)
Date: Wed, 22 Dec 2004 13:40:39 -0500
Subject: status from kwade@redhat.com
In-Reply-To: <1103740028.25356.211341595@webmail.messagingengine.com>
References: <1103684593.3686.68.camel@erato.phig.org> <1103728303.13271.7.camel@localhost.localdomain> <1103740028.25356.211341595@webmail.messagingengine.com>
Message-ID: <1103740840.14650.1.camel@localhost.localdomain>

On Wed, 2004-12-22 at 18:27 +0000, Stuart Ellis wrote:
> > I am also writing the partitioning chapter for the Installation Guide as
> > promised, it's just taken longer to get started than I expected.
> > (Stuart, I'll send you an XML patch shortly, I just want a little bit of
> > substance in there before I send it. Expect something by the weekend.)
>
> Thanks. It looks like it will be a complicated bit of work, and I don't
> feel able to do it justice. Please don't feel pushed - I'll be off-line
> for most of the next two weeks.

Great. It is complicated, mostly in that I have to walk a fine line between being informative and providing Too Much Information. We want people to understand why things are the way they are, but not if that requires a mountain of technobabble. Finding the middle ground is difficult but (I think) doable.

--
Paul W.
Frields, RHCE

From rahulsundaram at yahoo.co.in Wed Dec 22 18:57:29 2004
From: rahulsundaram at yahoo.co.in (Rahul Sundaram)
Date: Wed, 22 Dec 2004 10:57:29 -0800 (PST)
Subject: Installation Guide 0.4
In-Reply-To: <1103739570.24679.211335216@webmail.messagingengine.com>
Message-ID: <20041222185729.59068.qmail@web8501.mail.in.yahoo.com>

--- Stuart Ellis wrote:
>
> Since I'll be away for a while, it'll be some time
> before I can work
> through the comments and update the text. Thanks
> for (as always) a
> detailed set of feedback.

You are welcome. Try getting this doc updated and reviewed by a good number of people during the test cycle and well polished and ready for FC4.

> Definitely. I've written the Introduction twice and
> still don't like it
> much - it lacks energy. I came to the conclusion
> that much of the
> problem was focus - it has to clearly state what
> Fedora Core is and why
> the reader should be interested enough to spend two
> hours installing
> and setting it up.

I found the gentoo guide pretty good reading and focussed for the set of users it was aiming for. Take a look

>
> - The main audience for FC are people interested in
> IT. They may be
> enthusiasts, students or professionals.

Well many users consider it a redhat linux replacement and they continue to use it that way.

>
> - We can safely assume some knowledge of Windows,
> but this is tricky
> because Windows enables people to do some
> technically complex things
> without being aware of the underlying technology.
> Linux tends to demand
> understanding before you can get things to work...

I doubt you can safely assume anything at all. I have seen a good number of people coming in from traditional unix systems with only hearsay knowledge about Windows

> - Computers, routers etc. are cheap enough that (in
> Europe anyway)
> anyone who wants a network will have one. A lot of
> the queries on
> LinuxQuestions relate to networks, and in many cases
> home networks.
> Interestingly this means that DHCP and network
> connectivity are nearly
> everywhere, stand-alone computers and static IPs are
> exceptional rather
> than the default.

As a frequent poster to Linuxquestions.org I have found this to be true but please do add short notes explaining what DHCP and stuff means wherever applicable in the installation guide

> - The balance of the questions etc. that I've seen
> suggest that Linux is
> primarily being used as a server, development
> platform or as a hobby.
> The primary desktop is probably still Windows,
> though this now seems to
> be shifting.

We have shifted recently several of our office desktops from Windows to Fedora. I am using Fedora rawhide as my primary desktop!

>
> I've probably forgotten some. It'll be very
> interesting to see from the
> list feedback what the main areas of interest
> actually are.

Now we are talking

=====
Regards
Rahul Sundaram

From sopwith at redhat.com Wed Dec 22 20:12:58 2004
From: sopwith at redhat.com (Elliot Lee)
Date: Wed, 22 Dec 2004 15:12:58 -0500
Subject: Fedora Project Mailing Lists reminder
Message-ID:

This is a reminder of the mailing lists for the Fedora Project, and the purpose of each list. You can view this information at http://fedora.redhat.com/participate/communicate/

When you're using these mailing lists, please take the time to choose the one that is most appropriate to your post. If you don't know the right mailing list to use for a question or discussion, please contact me. This will help you get the best possible answer for your question, and keep other list subscribers happy!

Mailing Lists

Mailing lists are email addresses which send email to all users subscribed to the mailing list.
Sending an email to a mailing list reaches all users interested in discussing a specific topic and users available to help other users with the topic. The following mailing lists are available.

To subscribe, send email to -request at redhat.com (replace with the desired mailing list name such as fedora-list) with the word subscribe in the subject.

fedora-announce-list - Announcements of changes and events. To stay aware of news, subscribe to this list.
fedora-list - For users of releases. If you want help with a problem installing or using , this is the list for you.
fedora-test-list - For testers of test releases. If you would like to discuss experiences using TEST releases, this is the list for you.
fedora-devel-list - For developers, developers, developers. If you are interested in helping create releases, this is the list for you.
fedora-docs-list - For participants of the docs project
fedora-desktop-list - For discussions about desktop issues such as user interfaces, artwork, and usability
fedora-config-list - For discussions about the development of configuration tools
fedora-tools-list - For discussions about the toolchain (gcc, gdb, etc...)
within Fedora
fedora-patches-list - For submitting patches to Fedora maintainers, and used in line with BugWeek
fedora-legacy-announce - For announcements about the Fedora Legacy Project
fedora-legacy-list - For discussions about the Fedora Legacy Project
fedora-selinux-list - For discussions about the Fedora SELinux Project
fedora-marketing-list - For discussions about marketing and expanding the Fedora user base
fedora-de-list - For discussions about Fedora in the German language
fedora-es-list - For discussions about Fedora in the Spanish language
fedora-ja-list - For discussions about Fedora in the Japanese language
fedora-i18n-list - For discussions about the internationalization of Fedora Core
fedora-trans-list - For discussions about translating the software and documentation associated with the Fedora Project
German: fedora-trans-de
French: fedora-trans-fr
Spanish: fedora-trans-es
Italian: fedora-trans-it
Brazilian Portuguese: fedora-trans-pt_br
Japanese: fedora-trans-ja
Korean: fedora-trans-ko
Simplified Chinese: fedora-trans-zh_cn
Traditional Chinese: fedora-trans-zh_tw

From tuxxer at cox.net Thu Dec 23 02:53:01 2004
From: tuxxer at cox.net (tuxxer)
Date: Wed, 22 Dec 2004 18:53:01 -0800
Subject: Hardening Doc Update
Message-ID: <1103770382.22961.2.camel@bach>

Ok guys, sorry I've been gone for so long. It seems others have been out as well. Anyhow, I've finished the hardening doc, and would like to get some feedback: glaring omissions, errors, etc. I have to try to remember what my bug number is (it HAS been a while), and once I get some feedback, I'll post it up there so it can hopefully go to editing.

Check out the html version at http://members.cox.net/tuxxer/ .

-Charlie

From paul at frields.com Thu Dec 23 21:57:42 2004
From: paul at frields.com (Paul W.
Frields)
Date: Thu, 23 Dec 2004 16:57:42 -0500
Subject: Hardening Doc Update
In-Reply-To: <1103770382.22961.2.camel@bach>
References: <1103770382.22961.2.camel@bach>
Message-ID: <1103839062.13847.1.camel@bettie.internal.frields.org>

On Wed, 2004-12-22 at 18:53 -0800, tuxxer wrote:
> Ok guys, sorry I've been gone for so long. It seems others have been
> out as well. Anyhow, I've finished the hardening doc, and would like to
> get some feedback: glaring omissions, errors, etc. I have to try to
> remember what my bug number is (it HAS been a while), and once I get
> some feedback, I'll post it up there so it can hopefully go to editing.
>
> Check out the html version at http://members.cox.net/tuxxer/ .

Hi Charlie,

Thanks for the link. Here are some preliminary suggestions that you could address before editorial:

1. Give us a link to the XML so we can check for tagging issues.

2. Remove prompts from your sections. Also, pursuant to prior threads, make sure your screen sections look like this, all flush left. (Emacs unfortunately doesn't do this automatically, but you can override throughout.)

run command
see this result

That will remove some of the extraneous whitespace around the top and bottom of your command examples.

3. You have a section on disabling/locking user accounts, but don't mention that some of these users are not installed unless the packages that use them (e.g. mysql-server, httpd) are installed. It's probably worth a small section (or at least a ) to talk about package selection during installation.

4. Don't use periods after titles.

5. In 3.1.4, your crontab entry is wrong; you actually have too many time fields (there's only five). Plus, the way it's written, you're running that script every minute from 12:00 a.m. to 12:59 a.m. You want:

0 0 * * * /SCRIPTS/security/harden/check_files.sh

6. In 3.2, the command "umask" only changes the umask for the current session.
You would have to edit /etc/bashrc to do that, but it's already done for users with UID <= 99 and users whose UID == their GID. In addition /etc/rc.d/init.d/functions uses a umask of 022.
A umask of 002 for non-privileged users provides administrators the ability to share documents to groups more easily (the idea is what Red Hat calls "User Private Groups"). Make sure you understand exactly when and why this change should be made, and note the possible effects for real administrators. Since users in Fedora only get default membership in their own private group, having a default umask of 002 presents much less risk than it would with a default membership in, say, a global "all users" group.

7. Also in chapter 3, you mention tripwire, et al., but don't note anything about the rpm -V function.

8. Why nothing on password hardening, since this is the most common security problem in the world? How about something on using PAM rules to enforce more stringent password requirements?

9. You may want to bracket the whole article in some way to point out that it doesn't address SELinux at all... which I realize is a whole different can of worms. An eventual Fedora Security Guide would have to incorporate not just this hardening info after some fashion, but also a mountain of information about setting up and administering an SELinux system.

Just some thoughts....

--
Paul W. Frields, RHCE

From tuxxer at cox.net Fri Dec 24 03:34:39 2004
From: tuxxer at cox.net (tuxxer)
Date: Thu, 23 Dec 2004 19:34:39 -0800
Subject: Hardening Doc Update
In-Reply-To: <1103839062.13847.1.camel@bettie.internal.frields.org>
References: <1103770382.22961.2.camel@bach> <1103839062.13847.1.camel@bettie.internal.frields.org>
Message-ID: <1103859279.22961.8.camel@bach>

On Thu, 2004-12-23 at 16:57 -0500, Paul W.
Frields wrote:
> On Wed, 2004-12-22 at 18:53 -0800, tuxxer wrote:
> > Ok guys, sorry I've been gone for so long. It seems others have been
> > out as well. Anyhow, I've finished the hardening doc, and would like to
> > get some feedback: glaring omissions, errors, etc. I have to try to
> > remember what my bug number is (it HAS been a while), and once I get
> > some feedback, I'll post it up there so it can hopefully go to editing.
> >
> > Check out the html version at http://members.cox.net/tuxxer/ .
>
> Hi Charlie,
>
> Thanks for the link. Here are some preliminary suggestions that you
> could address before editorial:
>
> 1. Give us a link to the XML so we can check for tagging issues.
>
> 2. Remove prompts from your sections. Also, pursuant to prior
> threads, make sure your screen sections look like this, all flush left.
> (Emacs unfortunately doesn't do this automatically, but you can override
> throughout.)
>
>
> run command
> see this result
>
>
> That will remove some of the extraneous whitespace around the top and
> bottom of your command examples.
>
> 3. You have a section on disabling/locking user accounts, but don't
> mention that some of these users are not installed unless the packages
> that use them (e.g. mysql-server, httpd) are installed. It's probably
> worth a small section (or at least a ) to talk about package
> selection during installation.
>
> 4. Don't use periods after titles.
>
> 5. In 3.1.4, your crontab entry is wrong; you actually have too many
> time fields (there's only five). Plus, the way it's written, you're
> running that script every minute from 12:00 a.m. to 12:59 a.m. You want:
>
> 0 0 * * * /SCRIPTS/security/harden/check_files.sh
>
> 6. In 3.2, the command "umask" only changes the umask for the current
> session. You would have to edit /etc/bashrc to do that, but it's already
> done for users with UID <= 99 and users whose UID == their GID. In
> addition /etc/rc.d/init.d/functions uses a umask of 022.
> A umask of 002 for non-privileged users provides administrators the
> ability to share documents to groups more easily (the idea is what Red
> Hat calls "User Private Groups"). Make sure you understand exactly when
> and why this change should be made, and note the possible effects for
> real administrators. Since users in Fedora only get default membership
> in their own private group, having a default umask of 002 presents much
> less risk than it would with a default membership in, say, a global "all
> users" group.
>
> 7. Also in chapter 3, you mention tripwire, et al., but don't note
> anything about the rpm -V function.
>
> 8. Why nothing on password hardening, since this is the most common
> security problem in the world? How about something on using PAM rules to
> enforce more stringent password requirements?
>
> 9. You may want to bracket the whole article in some way to point out
> that it doesn't address SELinux at all... which I realize is a whole
> different can of worms. An eventual Fedora Security Guide would have to
> incorporate not just this hardening info after some fashion, but also a
> mountain of information about setting up and administering an SELinux
> system.
>
> Just some thoughts....

Thanks for the tips Paul. Right off the bat, I tried to put all of my documents into a single, monolithic document so it would be easier to download. But something got screwy in the process. Now whenever I try 'make html' I get errors similar to the following:

/home/charlie/fedora-docs/fedora-docs/hardening/fedora-hardening-guide-whole-en.xml:888: element listitem: validity error : Element listitem content does not follow the DTD, expecting (a bunch of other XML tags)

Doesn't really make much sense, since I haven't changed anything, other than combining my docs all into one file. Any thoughts?
I've posted the xml file at the link below:

http://members.cox.net/tuxxer/fedora-hardening-guide-whole-en.xml

Thanks.

-Charlie

PS I'm working on some of the other things, but I thought this would be an easy one, till I ran into problems. ;-)

From paul at frields.com Fri Dec 24 03:42:29 2004
From: paul at frields.com (Paul W. Frields)
Date: Thu, 23 Dec 2004 22:42:29 -0500
Subject: Hardening Doc Update
In-Reply-To: <1103859279.22961.8.camel@bach>
References: <1103770382.22961.2.camel@bach> <1103839062.13847.1.camel@bettie.internal.frields.org> <1103859279.22961.8.camel@bach>
Message-ID: <1103859749.14174.1.camel@bettie.internal.frields.org>

[...snip...]
> Thanks for the tips Paul. Right off the bat, I tried to put all of my
> documents into a single, monolithic document so it would be easier to
> download. But something got screwy in the process. Now whenever I try
> 'make html' I get errors similar to the following:
>
> /home/charlie/fedora-docs/fedora-docs/hardening/fedora-hardening-guide-
> whole-en.xml:888: element listitem: validity error : Element listitem
> content does not follow the DTD, expecting (a bunch of other XML tags)
>
> Doesn't really make much sense, since I haven't changed anything, other
> than combining my docs all into one file. Any thoughts?

Try enclosing your inside a . Does that help?

--
Paul W. Frields, RHCE
From tuxxer at cox.net Fri Dec 24 03:57:52 2004
From: tuxxer at cox.net (tuxxer)
Date: Thu, 23 Dec 2004 19:57:52 -0800
Subject: Hardening Doc Update
In-Reply-To: <1103859749.14174.1.camel@bettie.internal.frields.org>
References: <1103770382.22961.2.camel@bach> <1103839062.13847.1.camel@bettie.internal.frields.org> <1103859279.22961.8.camel@bach> <1103859749.14174.1.camel@bettie.internal.frields.org>
Message-ID: <1103860672.22961.11.camel@bach>

On Thu, 2004-12-23 at 22:42 -0500, Paul W. Frields wrote:
> [...snip...]
> > Thanks for the tips Paul. Right off the bat, I tried to put all of my
> > documents into a single, monolithic document so it would be easier to
> > download. But something got screwy in the process. Now whenever I try
> > 'make html' I get errors similar to the following:
> >
> > /home/charlie/fedora-docs/fedora-docs/hardening/fedora-hardening-guide-
> > whole-en.xml:888: element listitem: validity error : Element listitem
> > content does not follow the DTD, expecting (a bunch of other XML tags)
> >
> > Doesn't really make much sense, since I haven't changed anything, other
> > than combining my docs all into one file. Any thoughts?
>
> Try enclosing your inside a . Does that help?

Yup, that was it. I just figured it out. I had many itemizedlists that didn't have the inside them. Just fixed it and got a 'make html' successfully. I'll be updating the XML file on the site shortly.

Thanks.

--
-tuxxer
gpg: 57EB F948 76AE 25BC E340 EFA9 FAF6 E1AC F1E1 1EA1
From tuxxer at cox.net Fri Dec 24 05:42:43 2004
From: tuxxer at cox.net (tuxxer)
Date: Thu, 23 Dec 2004 21:42:43 -0800
Subject: Hardening Doc Update
In-Reply-To: <1103839062.13847.1.camel@bettie.internal.frields.org>
References: <1103770382.22961.2.camel@bach> <1103839062.13847.1.camel@bettie.internal.frields.org>
Message-ID: <1103866963.22961.36.camel@bach>

On Thu, 2004-12-23 at 16:57 -0500, Paul W. Frields wrote:
> On Wed, 2004-12-22 at 18:53 -0800, tuxxer wrote:
> > Ok guys, sorry I've been gone for so long. It seems others have been
> > out as well. Anyhow, I've finished the hardening doc, and would like to
> > get some feedback: glaring omissions, errors, etc. I have to try to
> > remember what my bug number is (it HAS been a while), and once I get
> > some feedback, I'll post it up there so it can hopefully go to editing.
> >
> > Check out the html version at http://members.cox.net/tuxxer/ .
>
> Hi Charlie,
>
> Thanks for the link. Here are some preliminary suggestions that you
> could address before editorial:
>
> 1. Give us a link to the XML so we can check for tagging issues.

Done. ( http://members.cox.net/tuxxer/fedora-hardening-guide-whole-en.xml )

>
> 2. Remove prompts from your sections. Also, pursuant to prior
> threads, make sure your screen sections look like this, all flush left.
> (Emacs unfortunately doesn't do this automatically, but you can override
> throughout.)
>
>
> run command
> see this result
>
>
> That will remove some of the extraneous whitespace around the top and
> bottom of your command examples.

I checked, and I didn't see anything that DIDN'T look like you suggested. Do you have a specific part that looks "off" that you can point me to?

>
> 3. You have a section on disabling/locking user accounts, but don't
> mention that some of these users are not installed unless the packages
> that use them (e.g.
> mysql-server, httpd) are installed. It's probably
> worth a small section (or at least a ) to talk about package
> selection during installation.

Not a bad idea. I thought that this should be something more for the Installation Guide, but I think that is still in progress. But I might be able to mention something here and then reference the Install Guide for more detail or something.

>
> 4. Don't use periods after titles.

Done.

>
> 5. In 3.1.4, your crontab entry is wrong; you actually have too many
> time fields (there's only five). Plus, the way it's written, you're
> running that script every minute from 12:00 a.m. to 12:59 a.m. You want:
>
> 0 0 * * * /SCRIPTS/security/harden/check_files.sh

Fixed. That must have just been a typo.

>
> 6. In 3.2, the command "umask" only changes the umask for the current
> session. You would have to edit /etc/bashrc to do that, but it's already
> done for users with UID <= 99 and users whose UID == their GID. In
> addition /etc/rc.d/init.d/functions uses a umask of 022.
> A umask of 002 for non-privileged users provides administrators the
> ability to share documents to groups more easily (the idea is what Red
> Hat calls "User Private Groups"). Make sure you understand exactly when
> and why this change should be made, and note the possible effects for
> real administrators. Since users in Fedora only get default membership
> in their own private group, having a default umask of 002 presents much
> less risk than it would with a default membership in, say, a global "all
> users" group.
>

Definitely something to consider. I tend to be more of a Solaris guy, just out of occupational hazard. That may be changing shortly, but has yet to come to fruition. Anyhow, my experience tends to become somewhat "habitual" at times. Would you recommend omitting that section entirely? Or only mentioning that the default settings are sufficient?

> 7.
> Also in chapter 3, you mention tripwire, et al., but don't note
> anything about the rpm -V function.
>

The 'rpm -V' function has a slightly smaller scope than I was going for, since you can only verify packages, AND only those that were installed with rpm. But it may be worth a bullet. ;-)

> 8. Why nothing on password hardening, since this is the most common
> security problem in the world? How about something on using PAM rules to
> enforce more stringent password requirements?

I'm familiar with tools such as 'npasswd' and 'apasswd' which try to crack your password, but those aren't part of Fedora, and are usually more directed to unices which use the crypt method of password encryption (as opposed to DES which is used by FC3). I was trying to stick to the tools that would be available from the Fedora install. I have noticed that the 'passwd' utility in FC3 does do some password checking, but I'm not sure to what length.

PAM rules is definitely something that might be worthwhile to mention, but it's something I'm, unfortunately, not that familiar with. Time to do some research! ;-)

>
> 9. You may want to bracket the whole article in some way to point out
> that it doesn't address SELinux at all... which I realize is a whole
> different can of worms. An eventual Fedora Security Guide would have to
> incorporate not just this hardening info after some fashion, but also a
> mountain of information about setting up and administering an SELinux
> system.
>

Good point, especially since this document should be ported to FC3 now. And, correct me if I'm wrong, but isn't SELinux enabled by default in FC3? Anyway, I agree. If there is to be a more comprehensive "Security Guide" (which I would certainly be willing to work on), this document would only be an introduction. Maybe this could be covered by a disclaimer, of sorts, in the Document Scope section.

> Just some thoughts....

And they are ALWAYS appreciated!
I never claim to be the penultimate source on linux or linux security, and I'm learning more and more every day. There is a learning curve with this documentation method, and insight from those that have been here a while is always valuable.

--
-tuxxer
gpg: 57EB F948 76AE 25BC E340 EFA9 FAF6 E1AC F1E1 1EA1

From paul at frields.com Fri Dec 24 14:49:13 2004
From: paul at frields.com (Paul W. Frields)
Date: Fri, 24 Dec 2004 09:49:13 -0500
Subject: Hardening Doc Update
In-Reply-To: <1103866963.22961.36.camel@bach>
References: <1103770382.22961.2.camel@bach> <1103839062.13847.1.camel@bettie.internal.frields.org> <1103866963.22961.36.camel@bach>
Message-ID: <1103899753.15185.14.camel@bettie.internal.frields.org>

On Thu, 2004-12-23 at 21:42 -0800, tuxxer wrote:
> > 2. Remove prompts from your sections. Also, pursuant to prior
> > threads, make sure your screen sections look like this, all flush left.
> > (Emacs unfortunately doesn't do this automatically, but you can override
> > throughout.)
> >
> >
> > run command
> > see this result
> >
> >
> > That will remove some of the extraneous whitespace around the top and
> > bottom of your command examples.
>
> I checked, and I didn't see anything that DIDN'T look like you suggested. Do
> you have a specific part that looks "off" that you can point me to?

Yes, go to the very first one:

yum check-update

This should instead be formatted like this:

yum check-update

Try this and look at the difference. After several commands the vertical space can really add up, so if people print your document this will save some trees.

[...snip...]
> > 3.
> > You have a section on disabling/locking user accounts, but don't
> > mention that some of these users are not installed unless the packages
> > that use them (e.g. mysql-server, httpd) are installed. It's probably
> > worth a small section (or at least a ) to talk about package
> > selection during installation.
>
> Not a bad idea. I thought that this should be something more for the
> Installation Guide, but I think that is still in progress. But I might
> be able to mention something here and then reference the Install Guide
> for more detail or something.

Right on.

[...snip...]
> > 6. In 3.2, the command "umask" only changes the umask for the current
> > session. You would have to edit /etc/bashrc to do that, but it's already
> > done for users with UID <= 99 and users whose UID == their GID. In
> > addition /etc/rc.d/init.d/functions uses a umask of 022.
> > A umask of 002 for non-privileged users provides administrators the
> > ability to share documents to groups more easily (the idea is what Red
> > Hat calls "User Private Groups"). Make sure you understand exactly when
> > and why this change should be made, and note the possible effects for
> > real administrators. Since users in Fedora only get default membership
> > in their own private group, having a default umask of 002 presents much
> > less risk than it would with a default membership in, say, a global "all
> > users" group.
> >
>
> Definitely something to consider. I tend to be more of a Solaris guy,
> just out of occupational hazard. That may be changing shortly, but has
> yet to come to fruition. Anyhow, my experience tends to become somewhat
> "habitual" at times. Would you recommend omitting that section
> entirely? Or only mentioning that the default settings are sufficient?

I think it would be worth explaining how this works in Fedora (as opposed to other UNIX-family systems), so people aren't worried needlessly about specific security factors.
But, as the point of your tutorial is to harden the system, you don't want to discourage people from being paranoid. :-)

> > 7. Also in chapter 3, you mention tripwire, et al., but don't note
> > anything about the rpm -V function.
> >
>
> The 'rpm -V' function has a slightly smaller scope than I was going for,
> since you can only verify packages, AND only those that were installed
> with rpm. But it may be worth a bullet. ;-)

Of course, using RPM has specific security concerns as well. If a reader is worried about security, they should only be installing software that they can trust is not compromised. Any tutorial on hardening should be *discouraging* people from just getting tarballs and building from them, *unless* those tarballs are cryptographically signed by a trusted party. (Note that comparing an MD5 or SHA-1 checksum isn't automatically helpful, unless the document providing the checksum is itself cryptographically signed by a trusted party.) RPMs don't automatically mean better security unless you trust the vendor who provides them to (a) check their content, and (b) certify to you they have done so. Only RPM packages signed by a trusted party should be installed and used. Note also that for all these factors, "trusted party" != "the Web site that comes up in my Web browser."

> > 8. Why nothing on password hardening, since this is the most common
> > security problem in the world? How about something on using PAM rules to
> > enforce more stringent password requirements?
>
> I'm familiar with tools such as 'npasswd' and 'apasswd' which try to
> crack your password, but those aren't part of Fedora, and are usually
> more directed to unices which use the crypt method of password
> encryption (as opposed to DES which is used by FC3). I was trying to
> stick to the tools that would be available from the Fedora install. I
> have noticed that the 'passwd' utility in FC3 does do some password
> checking, but I'm not sure to what length.
This information is available in the PAM documentation, specifically
/usr/share/doc/pam-*/txts/README.pam_cracklib .

> PAM rules is definitely something that might be worthwhile to mention,
> but it's something I'm, unfortunately, not that familiar with. Time to
> do some research! ;-)

Does a body good!

> > 9. You may want to bracket the whole article in some way to point out
> > that it doesn't address SELinux at all... which I realize is a whole
> > different can of worms. An eventual Fedora Security Guide would have to
> > incorporate not just this hardening info after some fashion, but also a
> > mountain of information about setting up and administering an SELinux
> > system.
> >
>
> Good point, especially since this document should be ported to FC3 now.
> And, correct me if I'm wrong, but isn't SELinux enabled by default in
> FC3? Anyway, I agree. If there is to be a more comprehensive "Security
> Guide" (which I would certainly be willing to work on), this document
> would only be an introduction. Maybe this could be covered by a
> disclaimer, of sorts, in the Document Scope section.
>
> > Just some thoughts....
>
> And they are ALWAYS appreciated! I never claim to be the penultimate
> source on linux or linux security, and I'm learning more and more every
> day. There is a learning curve with this documentation method, and
> insight from those that have been here a while is always valuable.

FC3 is SELinux-enabled. Wait! I hear Karsten's footsteps outside the
door. Hide! QUICK! :-D

Thanks for your continued hard work, it's much appreciated!

--
Paul W. Frields, RHCE
From tuxxer at cox.net Fri Dec 24 17:20:40 2004
From: tuxxer at cox.net (tuxxer)
Date: Fri, 24 Dec 2004 09:20:40 -0800
Subject: Hardening Doc Update
In-Reply-To: <1103899753.15185.14.camel@bettie.internal.frields.org>
References: <1103770382.22961.2.camel@bach>
 <1103839062.13847.1.camel@bettie.internal.frields.org>
 <1103866963.22961.36.camel@bach>
 <1103899753.15185.14.camel@bettie.internal.frields.org>
Message-ID: <1103908840.22961.41.camel@bach>

On Fri, 2004-12-24 at 09:49 -0500, Paul W. Frields wrote:
> On Thu, 2004-12-23 at 21:42 -0800, tuxxer wrote:

[...snip...]

> >
> > I checked, and I didn't see anything that DIDN'T look like you suggested. Do
> > you have a specific part that looks "off" that you can point me to?
>
> Yes, go to the very first one:
>
> yum check-update
>
> This should instead be formatted like this:
>
> yum check-update
>

Gotcha. I think I misinterpreted what you said initially.

[...snip...]

>
> I think it would be worth explaining how this works in Fedora (as
> opposed to other UNIX-family systems), so people aren't worried
> needlessly about specific security factors. But, as the point of your
> tutorial is to harden the system, you don't want to discourage people
> from being paranoid. :-)
>
> > > 7. Also in chapter 3, you mention tripwire, et al., but don't note
> > > anything about the rpm -V function.
> > >
> >
> > The 'rpm -V' function has a slightly smaller scope than I was going for,
> > since you can only verify packages, AND only those that were installed
> > with rpm. But it may be worth a bullet. ;-)
>
> Of course, using RPM has specific security concerns as well. If a reader
> is worried about security, they should only be installing software that
> they can trust is not compromised. Any tutorial on hardening should be
> *discouraging* people from just getting tarballs and building from them,
> *unless* those tarballs are cryptographically signed by a trusted party.
> (Note that comparing an MD5 or SHA-1 checksum isn't automatically
> helpful, unless the document providing the checksum is itself
> cryptographically signed by a trusted party.) RPMs don't automatically
> mean better security unless you trust the vendor who provides them to
> (a) check their content, and (b) certify to you they have done so. Only
> RPM packages signed by a trusted party should be installed and used.
>
> Note also that for all these factors, "trusted party" != "the Web site
> that comes up in my Web browser."

True. Defense in depth. ;-) I was trying to stay away from mentioning
installing anything from source (tarball) as it would stray away from
the core install. But everyone installs "other" software, so it's a
good point to mention.

[...snip...]

> >
> > > Just some thoughts....
> >
> > And they are ALWAYS appreciated! I never claim to be the penultimate
> > source on linux or linux security, and I'm learning more and more every
> > day. There is a learning curve with this documentation method, and
> > insight from those that have been here a while is always valuable.
>
> FC3 is SELinux-enabled. Wait! I hear Karsten's footsteps outside the
> door. Hide! QUICK! :-D
>
> Thanks for your continued hard work, it's much appreciated!

Thanks. Should have some more updates soon.

--
-tuxxer
gpg: 57EB F948 76AE 25BC E340 EFA9 FAF6 E1AC F1E1 1EA1
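As an added illustration of point 6 in the quoted review (not part of any message in this thread), the shell functions below show what a umask of 002 versus 022 does to new files, and when the resulting group-write bit reaches anyone besides the owner. The function names are hypothetical, GNU `stat -c` and `getent` are assumed, and a private group is assumed to share its owner's name.

```shell
#!/bin/sh
# Added example, not from the thread. Scratch files live in a mktemp directory.

# Print the octal mode a new file ("file") or directory ("dir") gets under MASK.
# The umask is changed inside a subshell only, so the caller's umask is
# untouched: the same reason a umask typed at a prompt ends with the session.
mode_under_umask() {    # usage: mode_under_umask MASK file|dir
    (
        umask "$1" || exit 1
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then mkdir "$tmp/probe"; else : > "$tmp/probe"; fi
        stat -c %a "$tmp/probe"
        rm -rf "$tmp"
    )
}

# Succeed (exit 0) when the group-write bit lets someone other than the owner
# write. With User Private Groups the file's group is named after the owner and
# lists no extra members, so a 664 file is writable by the owner alone.
group_write_exposed() { # usage: group_write_exposed OWNER GROUP MODE MEMBERS
    [ $(( 0$3 & 020 )) -ne 0 ] || return 1   # no group-write bit at all
    [ "$1" = "$2" ] || return 0              # group is not the private group
    [ -n "$4" ]                              # private group with extra members
}

# List group-writable files under DIR whose group write reaches other users.
# Assumption: private groups share the owner's name (the Fedora default).
# File names containing newlines are not handled.
audit_group_write() {   # usage: audit_group_write DIR
    find "$1" ! -type l -perm -020 -exec stat -c '%U %G %a %n' {} + |
    while read -r owner group mode path; do
        members=$(getent group "$group" | cut -d: -f4)
        if group_write_exposed "$owner" "$group" "$mode" "$members"; then
            printf '%s:%s %s %s\n' "$owner" "$group" "$mode" "$path"
        fi
    done
}
```

Running `audit_group_write` over a shared tree lists only the files where a umask of 002 has actually given write access to another account.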