From florin at andrei.myip.org Sun Oct 1 03:16:09 2006 From: florin at andrei.myip.org (Florin Andrei) Date: Sat, 30 Sep 2006 20:16:09 -0700 Subject: openssl updates In-Reply-To: <20060930191341.GA23297@mail.harddata.com> References: <20060929190833.GA4850@jadzia.bu.edu> <1159638454.2673.1.camel@rivendell.home.local> <20060930191341.GA23297@mail.harddata.com> Message-ID: <1159672569.2405.4.camel@localhost.localdomain> On Sat, 2006-09-30 at 13:13 -0600, Michal Jaegermann wrote: > On Sat, Sep 30, 2006 at 10:47:34AM -0700, Florin Andrei wrote: > > > I'd like to generate updated OpenSSL RPM packages for Fedora 4 and > > > hopefully post it to Fedora Legacy > > At least for openssl-0.9.7f this is already done and I posted > where to find it (ftp://ftp.harddata.com/pub/Legacy_srpms/). Actually, I was able to rebuild the src.rpm from that location on a FC4 system, but I had issues when trying to install the binary due to conflicts between 32 bit and 64 bit OpenSSL packages (it's an AMD64 machine). It's probably trivial to work around, but I've little experience with x86_64 distributions. > > The correct way to patch > > the recent openssl CVEs is to add the patches from RHEL4 srpm > > That source rpm available above was done by adding to > openssl-0.9.7f-7.10.src.rpm later patches from RHEL4. Awesome. > > (however the current CVE-2006-2940 patch is broken because the > > 'goto err;' in dh_key patch must be replaced with 'return -1;'). > > You mean on line 185 in a patched crypto/dh/dh_key.c? Looking at > this code you are definitely right. So, if your packages include the bug, could you post a fixed version please? > The other way to fix it would > be to explicitely initialize ctx to NULL due to a way in which > BN_CTX_end() and BN_CTX_free() operate. But in such case probably > all released updates for RHEL and FC5 and rawhide are affected too > even if compiled binaries do pass through a series of checks. Is > there any bugzilla report for that? I don't know. -- Florin Andrei http://florin.myip.org/ From michal at harddata.com Sun Oct 1 04:50:46 2006 From: michal at harddata.com (Michal Jaegermann) Date: Sat, 30 Sep 2006 22:50:46 -0600 Subject: openssl updates In-Reply-To: <1159672569.2405.4.camel@localhost.localdomain> References: <20060929190833.GA4850@jadzia.bu.edu> <1159638454.2673.1.camel@rivendell.home.local> <20060930191341.GA23297@mail.harddata.com> <1159672569.2405.4.camel@localhost.localdomain> Message-ID: <20061001045046.GA31108@mail.harddata.com> On Sat, Sep 30, 2006 at 08:16:09PM -0700, Florin Andrei wrote: > > Actually, I was able to rebuild the src.rpm from that location on a FC4 > system, but I had issues when trying to install the binary due to > conflicts between 32 bit and 64 bit OpenSSL packages (it's an AMD64 > machine). You cannot update an i386 (or compatible arch like i686) package with x86_64 package or vice-versa. If you have already installed both (multilib situation) then you have to do both updates in one transaction. Something like rpm -Fvh openssl*{686,x86_64}.rpm Otherwise you will get conflicts. You can use also 'localinstall' request in yum with something like the above but then use a configuration which turns of gpgcheck for packages not signed with any of installed keys. The easiest way to check architectures of already installed packages will be with something like grep openssl /var/log/rpmpkgs as /etc/cron.daily/rpm script, which writes that log, is already using a format with an %{arch} tag in it. > It's probably trivial to work around, but I've little > experience with x86_64 distributions. See above. > > You mean on line 185 in a patched crypto/dh/dh_key.c? Looking at > > this code you are definitely right. > > So, if your packages include the bug, could you post a fixed version > please? I already did. If you see openssl-0.9.7f-7.10.3mj.src.rpm then this has that change (which is easy to check in %changelog). > > Is there any bugzilla report for that? > > I don't know. Ok then, does Tomas Mraz is aware about the issue? :-) Michal From florin at andrei.myip.org Sun Oct 1 05:48:32 2006 From: florin at andrei.myip.org (Florin Andrei) Date: Sat, 30 Sep 2006 22:48:32 -0700 Subject: openssl updates In-Reply-To: <20061001045046.GA31108@mail.harddata.com> References: <20060929190833.GA4850@jadzia.bu.edu> <1159638454.2673.1.camel@rivendell.home.local> <20060930191341.GA23297@mail.harddata.com> <1159672569.2405.4.camel@localhost.localdomain> <20061001045046.GA31108@mail.harddata.com> Message-ID: <1159681712.2998.3.camel@rivendell.home.local> On Sat, 2006-09-30 at 22:50 -0600, Michal Jaegermann wrote: > You cannot update an i386 (or compatible arch like i686) package > with x86_64 package or vice-versa. If you have already installed > both (multilib situation) then you have to do both updates in > one transaction. Something like > > rpm -Fvh openssl*{686,x86_64}.rpm > > Otherwise you will get conflicts. The i686 package is already installed (although I don't think anything is actually using it). If I try to remove it, that's rejected based on a list of dependencies longer than my arm. If I try to build an i686 package on the x86_64 system I get: # rpmbuild --rebuild --target=i686 openssl-0.9.7f-7.10.3mj.src.rpm [snip] /usr/bin/ld: warning: i386 architecture of input file `libcrypto.a(krb5_asn.o)' is incompatible with i386:x86-64 output libcrypto.a(bn_word.o)(.text+0x6c): In function `BN_mod_word': /usr/src/redhat/BUILD/openssl-0.9.7f/crypto/bn/bn_word.c:79: undefined reference to `__umoddi3' libcrypto.a(b_print.o)(.text+0x22d): In function `fmtint': /usr/src/redhat/BUILD/openssl-0.9.7f/crypto/bio/b_print.c:512: undefined reference to `__umoddi3' libcrypto.a(b_print.o)(.text +0x25d):/usr/src/redhat/BUILD/openssl-0.9.7f/crypto/bio/b_print.c:515: undefined reference to `__udivdi3' collect2: ld returned 1 exit status make[3]: *** [do_gnu-shared] Error 1 -- Florin Andrei http://florin.myip.org/ From sheltren at cs.ucsb.edu Sun Oct 1 11:46:37 2006 From: sheltren at cs.ucsb.edu (Jeff Sheltren) Date: Sun, 1 Oct 2006 07:46:37 -0400 Subject: openssl updates In-Reply-To: <1159681712.2998.3.camel@rivendell.home.local> References: <20060929190833.GA4850@jadzia.bu.edu> <1159638454.2673.1.camel@rivendell.home.local> <20060930191341.GA23297@mail.harddata.com> <1159672569.2405.4.camel@localhost.localdomain> <20061001045046.GA31108@mail.harddata.com> <1159681712.2998.3.camel@rivendell.home.local> Message-ID: On Oct 1, 2006, at 1:48 AM, Florin Andrei wrote: > > If I try to build an i686 package on the x86_64 system I get: Mock is your friend :) http://fedoraproject.org/wiki/Legacy/Mock Using an x86_64 system, you can build for i386 or x86_64 for just about any redhat/fedora distribution. It takes a bit of time to get it setup, but if you build lots of packages, it makes your life much easier. I build all my packages under mock, and all Fedora Legacy and Fedora Extras packages are built using it as well. I believe Fedora Core is using something similar as well. -Jeff From michal at harddata.com Sun Oct 1 13:22:42 2006 From: michal at harddata.com (Michal Jaegermann) Date: Sun, 1 Oct 2006 07:22:42 -0600 Subject: openssl updates In-Reply-To: <1159681712.2998.3.camel@rivendell.home.local> References: <20060929190833.GA4850@jadzia.bu.edu> <1159638454.2673.1.camel@rivendell.home.local> <20060930191341.GA23297@mail.harddata.com> <1159672569.2405.4.camel@localhost.localdomain> <20061001045046.GA31108@mail.harddata.com> <1159681712.2998.3.camel@rivendell.home.local> Message-ID: <20061001132242.GA15801@mail.harddata.com> On Sat, Sep 30, 2006 at 10:48:32PM -0700, Florin Andrei wrote: > On Sat, 2006-09-30 at 22:50 -0600, Michal Jaegermann wrote: > > > If you have already installed > > both (multilib situation) then you have to do both updates in > > one transaction. > > The i686 package is already installed (although I don't think anything > is actually using it). If I try to remove it, that's rejected based on a > list of dependencies longer than my arm. That would mean that something is using it. :-) Possibly in an indirect way. > > If I try to build an i686 package on the x86_64 system I get: > > # rpmbuild --rebuild --target=i686 openssl-0.9.7f-7.10.3mj.src.rpm > [snip] > /usr/bin/ld: warning: i386 architecture of input file > `libcrypto.a(krb5_asn.o)' is incompatible with i386:x86-64 output Building i686 on x86_64 is a bit more involved than that. Jeff already mentioned 'mock'. If you have an access to a suitable "86" installation rebuilding there those "missing" packages may be a simpler option. Michal From michal at harddata.com Sun Oct 1 16:38:53 2006 From: michal at harddata.com (Michal Jaegermann) Date: Sun, 1 Oct 2006 10:38:53 -0600 Subject: openssl updates In-Reply-To: <1159672569.2405.4.camel@localhost.localdomain> References: <20060929190833.GA4850@jadzia.bu.edu> <1159638454.2673.1.camel@rivendell.home.local> <20060930191341.GA23297@mail.harddata.com> <1159672569.2405.4.camel@localhost.localdomain> Message-ID: <20061001163853.GA19273@mail.harddata.com> On Sat, Sep 30, 2006 at 08:16:09PM -0700, Florin Andrei wrote: > On Sat, 2006-09-30 at 13:13 -0600, Michal Jaegermann wrote: > > Is there any bugzilla report for that? > > I don't know. All right. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=208744 M. From florin at andrei.myip.org Sun Oct 1 23:39:50 2006 From: florin at andrei.myip.org (Florin Andrei) Date: Sun, 01 Oct 2006 16:39:50 -0700 Subject: openssl updates In-Reply-To: References: <20060929190833.GA4850@jadzia.bu.edu> <1159638454.2673.1.camel@rivendell.home.local> <20060930191341.GA23297@mail.harddata.com> <1159672569.2405.4.camel@localhost.localdomain> <20061001045046.GA31108@mail.harddata.com> <1159681712.2998.3.camel@rivendell.home.local> Message-ID: <1159745990.2672.11.camel@rivendell.home.local> On Sun, 2006-10-01 at 07:46 -0400, Jeff Sheltren wrote: > On Oct 1, 2006, at 1:48 AM, Florin Andrei wrote: > > > > If I try to build an i686 package on the x86_64 system I get: > > Mock is your friend :) > http://fedoraproject.org/wiki/Legacy/Mock That worked very well! I had to tweak the config file for the i386 version (point it directly to a fast i386 repo) otherwise, with the mirrorlist directive, it kept building the i386 chroot with x86_64 packages. :-/ But after that it was perfect. Bottom line: I rebuilt Michal's openssl src.rpm on FC4 x86_64 (also the i386 package with Mock), installed them and everything seems to be fine. OpenSSH, Apache and OpenVPN seem to continue to work fine with the updated OpenSSL packages. -- Florin Andrei http://florin.myip.org/ From deisenst at gtw.net Tue Oct 3 12:49:17 2006 From: deisenst at gtw.net (David Eisenstein) Date: Tue, 3 Oct 2006 07:49:17 -0500 Subject: openssl updates References: <20060929190833.GA4850@jadzia.bu.edu><20060929204659.GA2458@mail.harddata.com> <20060930024804.GA18204@jadzia.bu.edu> Message-ID: <014401c6e6ea$567a01d0$8162cfd0@homedns.org> ----- Original Message ----- From: "Matthew Miller" To: "Discussion of the Fedora Legacy Project" Sent: Friday, September 29, 2006 9:48 PM Subject: Re: openssl updates > On Fri, Sep 29, 2006 at 02:46:59PM -0600, Michal Jaegermann wrote: > > On Fri, Sep 29, 2006 at 03:08:33PM -0400, Matthew Miller wrote: > > > Anything? > > Well, you can retrieve a today updated source rpm for FC4 from > > ftp://ftp.harddata.com/pub/Legacy_srpms/ > > and recompile it. > > Thanks. I didn't see anything in bugzilla -- are these on track to become > official? > Yes, now they are. I've just entered bugzilla #209116 for these issues, and cc'ed in all the participants of this openssl discussion on that bug: . From martin at bugs.unl.edu.ar Thu Oct 5 12:19:48 2006 From: martin at bugs.unl.edu.ar (Martin Marques) Date: Thu, 5 Oct 2006 09:19:48 -0300 (ART) Subject: Mailman vulnerability Message-ID: I have a FC4 web server installed and got this mailman report: http://www.securityfocus.com/bid/19831/discuss Is it to worry? I am thinking about promoting it to FC5 but as it is a server in production I want to make a very good plan first. -- 21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18 --------------------------------------------------------- Lic. Mart?n Marqu?s | SELECT 'mmarques' || Centro de Telem?tica | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador --------------------------------------------------------- From michal at harddata.com Thu Oct 5 16:12:45 2006 From: michal at harddata.com (Michal Jaegermann) Date: Thu, 5 Oct 2006 10:12:45 -0600 Subject: Mailman vulnerability In-Reply-To: References: Message-ID: <20061005161245.GB17040@mail.harddata.com> On Thu, Oct 05, 2006 at 09:19:48AM -0300, Martin Marques wrote: > I have a FC4 web server installed and got this mailman report: > > http://www.securityfocus.com/bid/19831/discuss > > Is it to worry? Probably. See also http://rhn.redhat.com/errata/RHSA-2006-0600.html FC4 is using mailman-2.1.5-35 so fixes in sources used by RHEL4, as specified by RHSA-2006-0600, will likely apply directly or after minimal modifications. You can produce your own update before something general eventually will show up. Add patches, edit specs and rebuild rpm. Michal From michal at harddata.com Thu Oct 5 23:53:41 2006 From: michal at harddata.com (Michal Jaegermann) Date: Thu, 5 Oct 2006 17:53:41 -0600 Subject: patched openssh Message-ID: <20061005235341.GA25838@mail.harddata.com> FC4 source rpm of openssh-4.2p1 with added recent security fixes is available at ftp://ftp.harddata.com/pub/Legacy_srpms/. At least patches for cve-2006-4924 and cve-2006-5051 do not really differ from what you can find in recent RHEL updates so these can likely be applied (close to?) "as is" in earlier distros as well. Michal From deisenst at gtw.net Fri Oct 6 08:57:19 2006 From: deisenst at gtw.net (David Eisenstein) Date: Fri, 6 Oct 2006 03:57:19 -0500 Subject: Fedora Core 4 Legacy security updates? References: <451C8A87.3050409@cjc.org> Message-ID: <00a101c6e926$04f7b710$8c62cfd0@homedns.org> ----- Original Message ----- From: "Cheng-Jih Chen" To: Sent: Thursday, September 28, 2006 9:52 PM Subject: Fedora Core 4 Legacy security updates? > Any word on when this will start? I'm seeing a number of FC5 updates > going by, but there appears to be no corresponding work on FC4 Legacy, > for, say, the openssl security issue and so on. > > Thanks. Hi Chen, Thank you for writing. I echo your concern. Part of the problem is that FC4 security issues have not (until lately) been reported in Bugzilla. There are likely dozens of packages for FC4 and FC3 (RHL7.3 and RHL9, too) with issues that have never been reported. (Thank you to Steven Roberts for opening the OpenSSH bug ticket (Bugzilla #208727)! 'Tis a big help, believe me!) FOLKS: PLEASE HELP US OUT!! Chen, (and anyone reading this): you can help us by opening Legacy Bugzilla reports on security issues that you are concerned with or know about. Bugzilla is the tracking system that we use to track security issues with our packages, from initial awareness of the issue to creating test RPM pack- ages, doing testing/QA'ing on source and binary packages, to releasing pack- ages to Legacy's official updates, which your yum updates can pick them up from. A fairly decent Bugzilla ticket to look at that illustrates the process is here: . There is an old saying, "If it's not in Bugzilla, it's not a bug." Those of us who work with building and testing packages are not aware of issues until they're entered there or mentioned here on this list. We can use as much help as we can get, and opening Bugzilla's is a pretty easy way to help us out. If you don't know how to find security issues, do Bugzilla & such, there is some (but not much) information available in Legacy's "Vulnerability Tracking" page on the Fedora wiki: . That page really needs updating, but here are a few additional pointers: * You should first check to make sure the issue is not already open in Bugzilla for the Fedora Legacy product. If the issue *is* open in Bugzilla, but not under Fedora Legacy, then a new ticket needs to be created for Legacy. * When you open a new bug ticket, you will need to make sure to open it under the Fedora Product "Fedora Legacy." * An easy way of opening a Legacy bug ticket is by cloning an exis- ting bug from either Fedora Core or Red Hat Enterprise Linux. * Select the proper version (that is, release of Fedora) and component (that is, package name). (The component in Bugzilla is based on the name of the source package (.src.rpm).) Those FC5 updates you see going by? They're probably also affecting FC4 and FC3; maybe even Red Hat Linux 7.3 or 9. You can find out more on different ways to help out the Fedora Legacy project under the topics "How to Participate" and "References" at the bottom of this page: . If you have any questions about any of this, or need more help figuring out how to help us, please write me or this list, or come visit us on the #fedora-legacy channel on IRC. Bottom line is this: We can't help you keep your computers secure unless you help us help you. This is the nature of a community-run Open Source project. Thanks! Warm regards, David Eisenstein From martin at bugs.unl.edu.ar Sat Oct 7 14:51:43 2006 From: martin at bugs.unl.edu.ar (Martin Marques) Date: Sat, 7 Oct 2006 11:51:43 -0300 (ART) Subject: Mailman vulnerability In-Reply-To: <20061005161245.GB17040@mail.harddata.com> References: <20061005161245.GB17040@mail.harddata.com> Message-ID: On Thu, 5 Oct 2006, Michal Jaegermann wrote: > On Thu, Oct 05, 2006 at 09:19:48AM -0300, Martin Marques wrote: >> I have a FC4 web server installed and got this mailman report: >> >> http://www.securityfocus.com/bid/19831/discuss >> >> Is it to worry? > > Probably. See also http://rhn.redhat.com/errata/RHSA-2006-0600.html > > FC4 is using mailman-2.1.5-35 so fixes in sources used by Nop. # rpm -qa | grep mailman mailman-2.1.8-0.FC4.1 > RHEL4, as specified by RHSA-2006-0600, will likely apply directly > or after minimal modifications. You can produce your own > update before something general eventually will show up. > Add patches, edit specs and rebuild rpm. I'm getting the source rpm, and I'll try to apply the patch. Do I submit the src.rpm afterwards? -- 21:50:04 up 2 days, 9:07, 0 users, load average: 0.92, 0.37, 0.18 --------------------------------------------------------- Lic. Mart?n Marqu?s | SELECT 'mmarques' || Centro de Telem?tica | '@' || 'unl.edu.ar'; Universidad Nacional | DBA, Programador, del Litoral | Administrador --------------------------------------------------------- From deisenst at gtw.net Sat Oct 7 15:13:52 2006 From: deisenst at gtw.net (David Eisenstein) Date: Sat, 7 Oct 2006 10:13:52 -0500 Subject: Mailman vulnerability References: Message-ID: <000301c6ea23$32c62840$9762cfd0@homedns.org> ----- Original Message ----- From: "Martin Marques" To: Sent: Thursday, October 05, 2006 7:19 AM Subject: Mailman vulnerability > I have a FC4 web server installed and got this mailman report: > > http://www.securityfocus.com/bid/19831/discuss > > Is it to worry? > > I am thinking about promoting it to FC5 but as it is a server in > production I want to make a very good plan first. > Hi Martin, Thanks for writing. Indeed, these are issues that we in Legacy need to deal with. As far as I can tell, the latest version of mailman released for FC4 was mailman-2.1.8-9.FC4.1, released around 9-May-2006. The issue discussed in that securityfocus BID 19831 indicates that mailman-2.1.8 is vulnerable to those issues. Red Hat Security Team (in RHSA-2006-0600) has rated two of the three CVE issues mentioned in BID 19831 as having a moderate security impact: "A flaw was found in the way Mailman handled MIME multipart mes- sages. An attacker could send a carefully crafted MIME multipart email message to a mailing list run by Mailman which caused that particular mailing list to stop working. (CVE-2006-2941) "Several cross-site scripting (XSS) issues were found in Mailman. An attacker could exploit these issues to perform cross-site scrip- ting attacks against the Mailman administrator. (CVE-2006-3636)" The third issue is CVE-2006-4624: "CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and possibly trick the administrator into visiting malicious URLs via a carriage return/line feed sequences in the URI." This issue has been given a low security impact, and hasn't yet been fixed by Red Hat Enterprise Linux. However, Fedora Core 6 Test 2 upgraded to mailman-2.1.9, which fixes all three problems. Would you like us to do similarly for FC4/FC3? Have entered Bug for this issue. Regards, David Eisenstein From deisenst at gtw.net Sat Oct 7 15:36:19 2006 From: deisenst at gtw.net (David Eisenstein) Date: Sat, 7 Oct 2006 10:36:19 -0500 Subject: Fw: Mailman vulnerability Message-ID: <003601c6ea26$559039d0$9762cfd0@homedns.org> ----- Original Message ----- From: "Martin Marques" To: "Discussion of the Fedora Legacy Project" Sent: Saturday, October 07, 2006 9:51 AM Subject: Re: Mailman vulnerability > On Thu, 5 Oct 2006, Michal Jaegermann wrote: > > > On Thu, Oct 05, 2006 at 09:19:48AM -0300, Martin Marques wrote: > >> I have a FC4 web server installed and got this mailman report: > >> > >> http://www.securityfocus.com/bid/19831/discuss > >> > >> Is it to worry? > > > > Probably. See also http://rhn.redhat.com/errata/RHSA-2006-0600.html > > > > FC4 is using mailman-2.1.5-35 so fixes in sources used by > > Nop. > > # rpm -qa | grep mailman > mailman-2.1.8-0.FC4.1 > > > RHEL4, as specified by RHSA-2006-0600, will likely apply directly > > or after minimal modifications. You can produce your own > > update before something general eventually will show up. > > Add patches, edit specs and rebuild rpm. > Hi Martin! Our emails must have crossed, so mine was at cross-purposes to what you just wrote. :) > I'm getting the source rpm, and I'll try to apply the patch. > > Do I submit the src.rpm afterwards? Yes! If you get the patched mailman-2.1.8-0.FC4.1 to work okay with the patches, please do post the .src.rpm on the web, and let us know you have done so in Bugzilla Bug #209891! We can then test & QA it and work on getting it released to updates. Thanks! --David From donvogt2001 at yahoo.com Sat Oct 7 17:34:57 2006 From: donvogt2001 at yahoo.com (don vogt) Date: Sat, 7 Oct 2006 10:34:57 -0700 (PDT) Subject: Activity? Message-ID: <20061007173457.92740.qmail@web84102.mail.mud.yahoo.com> I saw the notices that core4 is now in the legacy category and I modified my repos as advised in the FAQ ( I think). However, when I run yum update. I get an answer that says no packages are marked for update. Is it that my yum system is broken or is there no activity yet? I don't know that I need any updates - it is just a desktop system for e-mail and browsing - but I would like good security. My plan is to re-build with core6 after it has been out for a month or two. Thanks to all. From hkg at chello.at Sat Oct 7 18:42:07 2006 From: hkg at chello.at (hkg at chello.at) Date: Sat, 7 Oct 2006 20:42:07 +0200 Subject: OpenSSL & kernel RPMs? Message-ID: <20061007184207.MGOY14296.viefep20-int.chello.at@localhost> Hi, When will an RPM for FC3 fixing OpenSSL ASN.1 Remote Buffer Overflow (CVE-2006-3738) be available? Also, was the local kernel vulnerability CVE-2006-3745 ever fixed for FC3 with SMP support? I didn't see any announcements on http://www.fedoralegacy.org/updates/FC3/. thanks, Hans From hkg at chello.at Mon Oct 9 16:20:27 2006 From: hkg at chello.at (hkg at chello.at) Date: Mon, 9 Oct 2006 18:20:27 +0200 Subject: OpenSSL & kernel RPMs? Message-ID: <20061009162027.TZCR3148.viefep14-int.chello.at@localhost> Anybody? Hans wrote: > > Hi, > > When will an RPM for FC3 fixing OpenSSL ASN.1 Remote Buffer Overflow (CVE-2006-3738) be available? > Also, was the local kernel vulnerability CVE-2006-3745 ever fixed for FC3 with SMP support? > I didn't see any announcements on http://www.fedoralegacy.org/updates/FC3/. > > thanks, > Hans thanks in advance, Hans From deisenst at gtw.net Mon Oct 9 23:57:10 2006 From: deisenst at gtw.net (David Eisenstein) Date: Mon, 09 Oct 2006 18:57:10 -0500 Subject: OpenSSL & kernel RPMs? In-Reply-To: <20061009162027.TZCR3148.viefep14-int.chello.at@localhost> References: <20061009162027.TZCR3148.viefep14-int.chello.at@localhost> Message-ID: <452AE1D6.7000400@gtw.net> hkg at chello.at wrote: > Anybody? > > Hans wrote: > >>Hi, >> >>When will an RPM for FC3 fixing OpenSSL ASN.1 Remote Buffer Overflow (CVE-2006-3738) be available? >>Also, was the local kernel vulnerability CVE-2006-3745 ever fixed for FC3 with SMP support? >>I didn't see any announcements on http://www.fedoralegacy.org/updates/FC3/. >> >>thanks, >>Hans > > > thanks in advance, > Hans Hi Hans, Work is being done. * I am working with OpenSSL ASN.1 Remote Buffer Overflow (CVE-2006-3738): See Bugzilla #209116, . * There is a FC3 kernel bug open. Marc Deslauriers, who has already put in quite a bit of work on the FC3 kernel and submitted it for PUBLISH QA (which no one ever did), says new kernel issues have appeared since his submission of August 2nd. It needs work. See Bugzilla #200034: . I don't see CVE-2006-3745 among the vulnerabilities listed that have so far been worked into an updated FC3 kernel package. Maybe it's among the new issues that yet need to be addressed? Hans, maybe you can add the patch for it (or at least indicate where the patch can be found in the bugzilla ticket 200034) as a contribution to the Legacy project? It would be nice if you do so. Thanks! Hope this helps. -David From geoff.filippi at twcable.com Tue Oct 10 18:18:37 2006 From: geoff.filippi at twcable.com (Filippi, Geoff) Date: Tue, 10 Oct 2006 14:18:37 -0400 Subject: Interested in contributing to RPM of openssl package 0.9.8d Message-ID: <2817AF6876483A489EB08E0D28D2325501572817@PRVPVSMAIL07.corp.twcable.com> All, I noticed that for Fedora Core 4 the latest rpm release of openssl available is openssl-0.9.7f-7.10.i386.rpm . However, openssl.org has the source for openssl-0.9.8d.tar.gz I have a machine available to test and/or create an updated rpm. The architecture: # uname -a Linux webtools 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 athlon i386 GNU/Linux I have already built this release from source and would be willing to package it or assist someone else in packaging it, or testing. If someone is already working on it and doesn't need any help, then that is fine also. This would be my first contribution to Fedora, so hopefully someone on this list can tell me what to do next. Thanks, Geoff -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3094 bytes Desc: not available URL: From mbs at tenagraobservatories.com Tue Oct 10 20:45:48 2006 From: mbs at tenagraobservatories.com (Michael Schwartz) Date: Tue, 10 Oct 2006 13:45:48 -0700 Subject: Help With Serial Port Message-ID: <000101c6ecad$14253d40$6401a8c0@TenagraNB> Hi - I have an application that runs under Redhat 7.2 that expects to see a serial port at /dev/tty4 with characteristics 9600,N,1,1. Through my own ignorance or perhaps through failure of the PCI serial card (Dolphin 2-port PCI card) the application doesn't appear to notice the serial port. I know very little about linux and how to turn this back on or test to see of the port has failed. Does anyone have a way (or can VNC to my computer) to see what's going on? Many thanks in advance. Michael Tenagra Observatories -------------- next part -------------- An HTML attachment was scrubbed... URL: From sec at shee.org Tue Oct 10 20:49:45 2006 From: sec at shee.org (Moire) Date: Tue, 10 Oct 2006 22:49:45 +0200 Subject: Interested in contributing to RPM of openssl package 0.9.8d In-Reply-To: <2817AF6876483A489EB08E0D28D2325501572817@PRVPVSMAIL07.corp.twcable.com> References: <2817AF6876483A489EB08E0D28D2325501572817@PRVPVSMAIL07.corp.twcable.com> Message-ID: <33e38e41e3ee1829ff1db374a9a5056d@shee.org> Am 10.10.2006 um 20:18 schrieb Filippi, Geoff: > ... > I have already built this release from source and would be willing to > package it or assist someone else in packaging it, or testing. If > someone is > already working on it and doesn't need any help, then that is fine > also. > > This would be my first contribution to Fedora, so hopefully someone on > this > list can tell me what to do next. Hello, take a look at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209116 I don't know how far the patch files from FC5s openssl-0.9.8a-5.4.src.rpm openssl-0.9.8b-cve-2006-2937.patch openssl-0.9.8b-cve-2006-3738.patch openssl-0.9.8b-cve-2006-4339.patch openssl-0.9.8b-cve-2006-4343.patch openssl-0.9.8a-cve-2006-2940.patch could be back ported to FC4s openssl-0.9.7f-7.10.src.rpm It looks that Florian La Roche is on the way. Thanks C.Moire From khudnut at ucar.edu Tue Oct 10 20:56:13 2006 From: khudnut at ucar.edu (Karl Hudnut) Date: Tue, 10 Oct 2006 14:56:13 -0600 (MDT) Subject: Help With Serial Port In-Reply-To: <000101c6ecad$14253d40$6401a8c0@TenagraNB> References: <000101c6ecad$14253d40$6401a8c0@TenagraNB> Message-ID: Red Hat serial ports are /dev/ttyS0, S1 etc. /dev/tty4 is the 4th console port. Does your application use a .cfg or .conf file? -- Dr. Karl Hudnut System Administrator UCAR - COSMIC khudnut at ucar.edu http://www.cosmic.ucar.edu 303 497 8024 On Tue, 10 Oct 2006, Michael Schwartz wrote: > Hi - > > I have an application that runs under Redhat 7.2 that expects to see a > serial port at /dev/tty4 with characteristics 9600,N,1,1. Through my own > ignorance or perhaps through failure of the PCI serial card (Dolphin 2-port > PCI card) the application doesn't appear to notice the serial port. I know > very little about linux and how to turn this back on or test to see of the > port has failed. Does anyone have a way (or can VNC to my computer) to see > what's going on? Many thanks in advance. > > Michael > Tenagra Observatories > > From tthome at cox.net Wed Oct 11 04:13:36 2006 From: tthome at cox.net (Tim Thome) Date: Tue, 10 Oct 2006 21:13:36 -0700 Subject: Fedora Core 4 Legacy security updates? In-Reply-To: <00a101c6e926$04f7b710$8c62cfd0@homedns.org> References: <451C8A87.3050409@cjc.org> Message-ID: <4.3.2.7.2.20061010210910.035f6990@pop.west.cox.net> David, Sounds like a good thing entering it into Bugzilla, however, if there is not a priority within Red Hat to fix it, the bug will sit there and rot... Might be a good time to split the bugzilla between active devlopment and legacy, and move the bugs over as needed, where they can be triaged, and dealt with in accordance with the Fedora Legacy charter. Thoughts? Tim At 01:57 AM 10/6/2006, David Eisenstein wrote: >FOLKS: PLEASE HELP US OUT!! > >Chen, (and anyone reading this): you can help us by opening Legacy >Bugzilla reports on security issues that you are concerned with or >know about. > >Bugzilla is the tracking system that we use to track security issues with >our packages, from initial awareness of the issue to creating test RPM pack- >ages, doing testing/QA'ing on source and binary packages, to releasing pack- >ages to Legacy's official updates, which your yum updates can pick them up >from. A fairly decent Bugzilla ticket to look at that illustrates the >process is here: > . > >There is an old saying, "If it's not in Bugzilla, it's not a bug." Those >of us who work with building and testing packages are not aware of issues >until they're entered there or mentioned here on this list. We can use >as much help as we can get, and opening Bugzilla's is a pretty easy way >to help us out. -- "Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment." -Buddha -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.408 / Virus Database: 268.13.1/470 - Release Date: 10/10/2006 From jeroen at lankheet.com Wed Oct 11 08:10:34 2006 From: jeroen at lankheet.com (Jeroen Lankheet) Date: Wed, 11 Oct 2006 10:10:34 +0200 Subject: Help With Serial Port In-Reply-To: <000101c6ecad$14253d40$6401a8c0@TenagraNB> References: <000101c6ecad$14253d40$6401a8c0@TenagraNB> Message-ID: <1160554234.3256.8.camel@keet.lankheet.com> On Tue, 2006-10-10 at 13:45 -0700, Michael Schwartz wrote: > Hi ? > > > > I have an application that runs under Redhat 7.2 that expects to see a > serial port at /dev/tty4 with characteristics 9600,N,1,1. Through my > own ignorance or perhaps through failure of the PCI serial card > (Dolphin 2-port PCI card) the application doesn?t appear to notice the > serial port. I know very little about linux and how to turn this back > on or test to see of the port has failed. Does anyone have a way (or > can VNC to my computer) to see what?s going on? Many thanks in > advance. > > > > Michael > > Tenagra Observatories > > > > > -- > fedora-legacy-list mailing list > fedora-legacy-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-legacy-list Michael, You need to make sure that a proper driver is loaded for the serial port. If you type cat /var/log/messages after booting then you should see all your configured serial ports. You can see the devices under /proc/bus/pci cat /proc/bus/pci/devices gives you a list of PCI devices. The serial board should be there. If you type lsmod you get a list of all loaded kernel modules. The serial driver should be there. If not, you should install one. You can test the port with minicom. Regards, Jeroen. From jkosin at beta.intcomgrp.com Wed Oct 11 12:48:30 2006 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Wed, 11 Oct 2006 08:48:30 -0400 Subject: Fedora Core 4 Legacy security updates? In-Reply-To: <4.3.2.7.2.20061010210910.035f6990@pop.west.cox.net> References: <451C8A87.3050409@cjc.org> <4.3.2.7.2.20061010210910.035f6990@pop.west.cox.net> Message-ID: <452CE81E.6030303@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tim Thome wrote: > David, > > Sounds like a good thing entering it into Bugzilla, however, if > there is not a priority within Red Hat to fix it, the bug will sit > there and rot... Might be a good time to split the bugzilla between > active devlopment and legacy, and move the bugs over as needed, > where they can be triaged, and dealt with in accordance with the > Fedora Legacy charter. > > Thoughts? > > Tim > Tim, (1) Don't top post.... (2) It use to be separate; but, I'm a little fuzzy as to why it was consolidated... but, it is separate in a since. You have to post it in the Legacy section of Bugzilla. (3) Redhat is not responsible for fixing the BUGs. It is the Fedora Legacy support group which is. Which comes right down to US in the end. Redhat manages and supports the group; but, it is the group of volunteers that support the updates. - -James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFLOgekNLDmnu1kSkRAv7/AJ95lpwIqBxEsU9Ghnesr3+gH37S0ACfZEa9 VH5xnG1vYduqxLoAziAr73w= =8CEq -----END PGP SIGNATURE----- -- Scanned by ClamAV - http://www.clamav.net From mattdm at mattdm.org Thu Oct 12 17:40:39 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Thu, 12 Oct 2006 13:40:39 -0400 Subject: Fedora Core 4 Legacy security updates? In-Reply-To: <452CE81E.6030303@beta.intcomgrp.com> References: <451C8A87.3050409@cjc.org> <4.3.2.7.2.20061010210910.035f6990@pop.west.cox.net> <452CE81E.6030303@beta.intcomgrp.com> Message-ID: <20061012174039.GA3618@jadzia.bu.edu> On Wed, Oct 11, 2006 at 08:48:30AM -0400, James Kosin wrote: > (2) It use to be separate; but, I'm a little fuzzy as to why it was > consolidated... but, it is separate in a since. You have to post it > in the Legacy section of Bugzilla. Having them in the same bugzilla is hugely helpful, as it's easy to clone bugs from Fedora or RHEL into Legacy. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From deisenst at gtw.net Sun Oct 15 05:41:35 2006 From: deisenst at gtw.net (David Eisenstein) Date: Sun, 15 Oct 2006 00:41:35 -0500 Subject: [Fwd: Problem in Upgradation Mysql 3.23 in Fedora 2] Message-ID: <4531CA0F.7050905@gtw.net> -------- Original Message -------- Subject: Problem in Upgradation Mysql 3.23 in Fedora 2 Date: Sat, 14 Oct 2006 14:18:55 +0530 From: Pawan Kaslikar To: secnotice at fedoralegacy.org Dear Sir, My server is running on Fedora-2(2.4.20-021stab028.3.777-enterprise), and also using mysql-3.23.58-16.fc2-1. I have to Upgrade mysql 3.23 to Mysql 4.0., I can't get perfect mysql 4.0 software for fedora 2, then I downloaded mysql 4.1 software ( mysql-server-4.1.11-2.i386, mysql-devel-4.1.11-2.i386, mysqlclient10-3.23.58-6.i386.), whenever I installing it was giving error like this " mysql 4.11-2 is conflict with mysql 3.23.58.16 ". We want to urgent solution. Plz suggest the best solution or link for perfect download mysql packages..... Thanking You & Regards, Pawan -------- End Original Message -------- Pawan, I am cc'ing in the Fedora-Legacy-List just in case someone on it may have some answers for you. I did a quick search on rpm.pbone.net (a nice RPM package search engine) for "mysql" and it returned only mysql-3.23.58-xxxxx. You said you downloaded "mysql-server-4.1.11-2.i386, mysql-devel-4.1.11-2.i386, mysqlclient10-3.23.58-6.i386." First of all, you probably don't want to try to install mysqlclient version 3.23.58 if you're trying to install mysql-server & mysql-devel 4.1.11. You should install the same version of mysqlclient as you are installing of the server and devel packages. Where did you download those from? Pawan, you might wish to subscribe to fedora-legacy-list. You might also try subscribing to fedora-list and ask the same question(s) there. To subscribe to these, you can go to these two URL's: . Google is your friend, Pawan: Try querying ["mysql 4" "fedora core 2"] there. The first hit I got on that query what this: "Installing MySQL 4.1 on Fedora Core 2..." at . Also found this looking around, entitled "Upgrading MySQL version 3 to 4 RedHat / Fedora," which may help you even more. DISCLAIMER: I've never tried either of these. Hope this helped. -David ps: If anyone on fedora-legacy-list has any hints or suggestions, please share, and do a cc: to Pawan, as he's not (yet) subscribed to the list. Thanks. -dde From nils at lemonbit.nl Sun Oct 15 09:05:11 2006 From: nils at lemonbit.nl (Nils Breunese (Lemonbit Internet)) Date: Sun, 15 Oct 2006 11:05:11 +0200 Subject: [Fwd: Problem in Upgradation Mysql 3.23 in Fedora 2] In-Reply-To: <4531CA0F.7050905@gtw.net> References: <4531CA0F.7050905@gtw.net> Message-ID: <0EE317A9-63B5-401D-A098-CAF9162D35DE@lemonbit.nl> David Eisenstein wrote: > I am cc'ing in the Fedora-Legacy-List just in case someone on it > may have some > answers for you. I did a quick search on rpm.pbone.net (a nice RPM > package > search engine) for "mysql" and it returned only mysql-3.23.58-xxxxx. > > You said you downloaded "mysql-server-4.1.11-2.i386, mysql- > devel-4.1.11-2.i386, > mysqlclient10-3.23.58-6.i386." First of all, you probably don't > want to try to > install mysqlclient version 3.23.58 if you're trying to install > mysql-server & > mysql-devel 4.1.11. You should install the same version of > mysqlclient as you > are installing of the server and devel packages. Where did you > download those from? > > Pawan, you might wish to subscribe to fedora-legacy-list. You > might also try > subscribing to fedora-list and ask the same question(s) there. To > subscribe to > these, you can go to these two URL's: > > . > > Google is your friend, Pawan: Try querying ["mysql 4" "fedora core > 2"] there. > The first hit I got on that query what this: "Installing MySQL 4.1 > on Fedora > Core 2..." at scott_20041117_131449>. > > Also found this looking around, entitled "Upgrading MySQL version 3 > to 4 RedHat > / Fedora," > which may help > you even more. DISCLAIMER: I've never tried either of these. > > Hope this helped. > > -David > > ps: If anyone on fedora-legacy-list has any hints or suggestions, > please share, > and do a cc: to Pawan, as he's not (yet) subscribed to the list. > Thanks. -dde I'm using the Atomic Rocket Turtle repository (http:// www.atomicrocketturtle.com/) and that gets you MySQL 4.1.21 at the moment and provides a mysql-compat package for 3.23.x. Works just fine for me and is also available for Fedora Core 2. But, FC2 is EOL, so I'd look into an upgrade for that FC2 box. Nils Breunese. From mattdm at mattdm.org Thu Oct 19 15:44:58 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Thu, 19 Oct 2006 11:44:58 -0400 Subject: lwn article on the death of Fedora Legacy Message-ID: <20061019154458.GA3683@jadzia.bu.edu> This is subscriber-only content for two weeks, but the gist is: there's a whole lotta unpatched vulnerabilities in FC4. Can we really pretend this is an ongoing concern? I know that personally I haven't been able to contribute the amount of time I'd like to make this succeed. But I have a full-time job and a young child, and am mildly active in umpteen other projects. Legacy support is hard work, and really needs two or three full-time workers to be a success. It's tempting to blame the lack of volunteers, but this sort of project works best if there's a solid base. When Jesse Keating worked at Pogo, that was largely true, but with his duties at RH and with his new kid, it doesn't seem to be the case anymore. I'm sure this is not Jesse's fault -- there needs to be commitment from above, and that's clearly not the case. I think this is really unfortunate, because it makes a big gap in the Fedora ecosystem. This will be largely filled by migration to RHEL-rebuild distros like CentOS, which is well and good (and particularly painless from the end-user point of few) but bad for Fedora. Without a functioning lifespan of over a year, Fedora is only practically useful as an enthusiast, bleeding-edge distro. That's only supposed to be _part_ of its mission. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From jkeating at j2solutions.net Thu Oct 19 16:00:26 2006 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 19 Oct 2006 12:00:26 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061019154458.GA3683@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> Message-ID: <200610191200.26527.jkeating@j2solutions.net> On Thursday 19 October 2006 11:44, Matthew Miller wrote: > When Jesse Keating worked at Pogo, that was largely true, but with his > duties at RH and with his new kid, it doesn't seem to be the case anymore. > I'm sure this is not Jesse's fault -- there needs to be commitment from > above, and that's clearly not the case. > > I think this is really unfortunate, because it makes a big gap in the > Fedora ecosystem. This will be largely filled by migration to RHEL-rebuild > distros like CentOS, which is well and good (and particularly painless from > the end-user point of few) but bad for Fedora. > > Without a functioning lifespan of over a year, Fedora is only practically > useful as an enthusiast, bleeding-edge distro. That's only supposed to be > _part_ of its mission. Here is what I think can happen. A) Kill off RHL now. Stop trying to do stuff there when we just don't have the man power or the volunteers. B) Move to using Extras infrastructure for building packages. They're ready for us for FC3 and FC4. C) Move to Core style updates process. Spin a possible update, toss it in -testing. If nobody says boo after a period of time, release the darn thing. If somebody finds it to be broken, fix it and resubmit. Somewhere in there convince Luke Macken to do the work to get a Fedora Update tool available for use externally that does the boring stuff like generate the email with the checksums and with the subpackage list and all that boring stuff. It could even handle moving the bug to 'MODIFIED' when it goes in updates-testing, and finally to CLOSED when it goes to release. Then it would be easier to get people to contribute, as they'd just be doing things like checking out a package module, copying a patch from somewhere, commit, build. That would help a lot. Somebody more "senior" in the project would fiddle with the tool to prepare the update, and do the sign+push. I honestly think that doing these things is the only way that Legacy will survive. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From mattdm at mattdm.org Thu Oct 19 16:04:57 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Thu, 19 Oct 2006 12:04:57 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610191200.26527.jkeating@j2solutions.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> Message-ID: <20061019160457.GA4917@jadzia.bu.edu> On Thu, Oct 19, 2006 at 12:00:26PM -0400, Jesse Keating wrote: > Here is what I think can happen. Oh, hey, that was fast. :) > A) Kill off RHL now. Stop trying to do stuff there when we just don't have > the man power or the volunteers. > B) Move to using Extras infrastructure for building packages. They're > ready for us for FC3 and FC4. So RHL has been the hold-up there? In that case, *definitely* time to end RHL support; RHL != Fedora anyway. I really, really think the bugzilla process should be moved to be more "normal", too -- one bug # per release, even if the issue is identical in FC3 and FC4. (That's why there's the "clone bug" bugzilla feature.) > C) Move to Core style updates process. Spin a possible update, toss it > in -testing. If nobody says boo after a period of time, release the darn > thing. If somebody finds it to be broken, fix it and resubmit. Yes. Better this than nothing. > Somewhere in there convince Luke Macken to do the work to get a Fedora > Update tool available for use externally that does the boring stuff like > generate the email with the checksums and with the subpackage list and all > that boring stuff. It could even handle moving the bug to 'MODIFIED' when > it goes in updates-testing, and finally to CLOSED when it goes to release. Yes. How much work will this convincing take? Does he accept bribes? [...] > I honestly think that doing these things is the only way that Legacy will > survive. I agree that they're needed. I guess the question is: will it be enough? -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From jkeating at j2solutions.net Thu Oct 19 16:11:26 2006 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 19 Oct 2006 12:11:26 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061019160457.GA4917@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> <20061019160457.GA4917@jadzia.bu.edu> Message-ID: <200610191211.27193.jkeating@j2solutions.net> On Thursday 19 October 2006 12:04, Matthew Miller wrote: > So RHL has been the hold-up there? In that case, *definitely* time to end > RHL support; RHL != Fedora anyway. My thoughts too. I keep trying to be nice to these people, and they never help out. So screw 'em. > I really, really think the bugzilla process should be moved to be more > "normal", too -- one bug # per release, even if the issue is identical in > FC3 and FC4. (That's why there's the "clone bug" bugzilla feature.) Absolutely. This works much better when the update tool can automanage bugs, so that each gets closed when the update goes out, and we're not so tied to every release must be fixed for the bug to be closed. (note, there can be a top level "tracker" but for the CVE itself, and individual bugs are cloned for each vuln Fedora release) > > C) Move to Core style updates process. ?Spin a possible update, toss it > > in -testing. ?If nobody says boo after a period of time, release the darn > > thing. ?If somebody finds it to be broken, fix it and resubmit. > > Yes. Better this than nothing. > > > Somewhere in there convince Luke Macken to do the work to get a Fedora > > Update tool available for use externally that does the boring stuff like > > generate the email with the checksums and with the subpackage list and > > all that boring stuff. It could even handle moving the bug to 'MODIFIED' > > when it goes in updates-testing, and finally to CLOSED when it goes to > > release. > > Yes. How much work will this convincing take? Does he accept bribes? I think he does. A lot of it is a time issue. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From pekkas at netcore.fi Thu Oct 19 17:57:31 2006 From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 19 Oct 2006 20:57:31 +0300 (EEST) Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061019160457.GA4917@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> <20061019160457.GA4917@jadzia.bu.edu> Message-ID: On Thu, 19 Oct 2006, Matthew Miller wrote: >> A) Kill off RHL now. Stop trying to do stuff there when we just don't have >> the man power or the volunteers. >> B) Move to using Extras infrastructure for building packages. They're >> ready for us for FC3 and FC4. > > So RHL has been the hold-up there? ... That is an incorrect conclusion. FWIW, Marc was the most active contributor, only interested in FC1, but willing to do the work for other versions as well. Up until some time ago, I was willing to help but my interest was only the RHLs but was willing ot do PUBLISH/VERIFY for other versions in order to get RHL updates. There were a couple of other people who did some VERIFYs and proposed a couple of packages. That's it. A better phrasing could maybe be that RHL/old distros was what kept FL going, because those had significant deployment base before people realized that trying to use Fedora and expect long maintenance wasn't a good idea (and hence folks moved to CentOS). You could say that there is some problem with the process if e.g., sendmail MIME vulnerability updates (which are declared "ready") haven't been published during the 1.5 months they've been ready [1]. I guess the issue is that no one with privileges to send the notification or move stuff from updates-testing to updates has been around during that time. As a result, there are very few people left who care enough about FC3/FC4 updates. There just aren't enough people to do the job, and the machinery to do the job has been way too heavyweight for a long time. I guess one could still move the FC3/FC4 stuff to extras (instead of just declaring the project dead) but I doubt the number of contributors is going to rise dramatically as a result even if extras were used. Some administrative overhead would be reduced but you'd someone would still be needed to do the work. [1] http://netcore.fi/pekkas/buglist.html https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195418 -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings From mattdm at mattdm.org Thu Oct 19 18:12:44 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Thu, 19 Oct 2006 14:12:44 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> <20061019160457.GA4917@jadzia.bu.edu> Message-ID: <20061019181244.GA10133@jadzia.bu.edu> On Thu, Oct 19, 2006 at 08:57:31PM +0300, Pekka Savola wrote: > On Thu, 19 Oct 2006, Matthew Miller wrote: > >>A) Kill off RHL now. Stop trying to do stuff there when we just don't > >>have > >>the man power or the volunteers. > >>B) Move to using Extras infrastructure for building packages. They're > >>ready for us for FC3 and FC4. > >So RHL has been the hold-up there? ... > That is an incorrect conclusion. You're misunderstanding me; I meant RHL has been the hold-up for switching to the Extras build infrastructure. > time. I guess one could still move the FC3/FC4 stuff to extras > (instead of just declaring the project dead) but I doubt the number of > contributors is going to rise dramatically as a result even if extras > were used. Some administrative overhead would be reduced but you'd > someone would still be needed to do the work. Agreed. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From jkeating at j2solutions.net Thu Oct 19 18:28:02 2006 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 19 Oct 2006 14:28:02 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: References: <20061019154458.GA3683@jadzia.bu.edu> <20061019160457.GA4917@jadzia.bu.edu> Message-ID: <200610191428.03063.jkeating@j2solutions.net> On Thursday 19 October 2006 13:57, Pekka Savola wrote: > As a result, there are very few people left who care enough about > FC3/FC4 updates. ?There just aren't enough people to do the job, and > the machinery to do the job has been way too heavyweight for a long > time. ?I guess one could still move the FC3/FC4 stuff to extras > (instead of just declaring the project dead) but I doubt the number of > contributors is going to rise dramatically as a result even if extras > were used. ?Some administrative overhead would be reduced but you'd > someone would still be needed to do the work. A good chunk of my proposal is removing administrative overhead. Its overhead now because we have to manually assemble the email, do write out the content, checksome the packages, push them around etc.. Its VERY cumbersome, and requires a lot of permissions I'm not happy about giving folks. Moving it to Extras and tying into existing scripts or slightly new scripts to do most the work would lighten the load SIGNIFICANTLY. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From smooge at gmail.com Thu Oct 19 23:07:30 2006 From: smooge at gmail.com (Stephen John Smoogen) Date: Thu, 19 Oct 2006 17:07:30 -0600 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610191200.26527.jkeating@j2solutions.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> Message-ID: <80d7e4090610191607q7842f04ey7354da36f493c1c9@mail.gmail.com> On 10/19/06, Jesse Keating wrote: > On Thursday 19 October 2006 11:44, Matthew Miller wrote: > > When Jesse Keating worked at Pogo, that was largely true, but with his > > duties at RH and with his new kid, it doesn't seem to be the case anymore. > > I'm sure this is not Jesse's fault -- there needs to be commitment from > > above, and that's clearly not the case. > > > > I think this is really unfortunate, because it makes a big gap in the > > Fedora ecosystem. This will be largely filled by migration to RHEL-rebuild > > distros like CentOS, which is well and good (and particularly painless from > > the end-user point of few) but bad for Fedora. > > > > Without a functioning lifespan of over a year, Fedora is only practically > > useful as an enthusiast, bleeding-edge distro. That's only supposed to be > > _part_ of its mission. > > Here is what I think can happen. > > A) Kill off RHL now. Stop trying to do stuff there when we just don't have > the man power or the volunteers. > > B) Move to using Extras infrastructure for building packages. They're ready > for us for FC3 and FC4. > > C) Move to Core style updates process. Spin a possible update, toss it > in -testing. If nobody says boo after a period of time, release the darn > thing. If somebody finds it to be broken, fix it and resubmit. > D) Move to Core style plan. Figure out what core packages we are going to backport for, and what packages we are just going to push the latest stuff for. Mozilla -> Seamonkey Gaim -> Gaim latest etc. -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From hahaha_30k at yahoo.com Fri Oct 20 00:04:18 2006 From: hahaha_30k at yahoo.com (Robinson Tiemuqinke) Date: Thu, 19 Oct 2006 17:04:18 -0700 (PDT) Subject: Any support news on FC4? Message-ID: <20061020000418.98243.qmail@web36715.mail.mud.yahoo.com> Hi, It looks that there have been no new security updates for FC3/FC4 for about three months. Anyone know when the new updates will be available? After FC6 released, or some other times? Thanks. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From mattdm at mattdm.org Fri Oct 20 00:58:07 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Thu, 19 Oct 2006 20:58:07 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <80d7e4090610191607q7842f04ey7354da36f493c1c9@mail.gmail.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> <80d7e4090610191607q7842f04ey7354da36f493c1c9@mail.gmail.com> Message-ID: <20061020005807.GA27154@jadzia.bu.edu> On Thu, Oct 19, 2006 at 05:07:30PM -0600, Stephen John Smoogen wrote: > D) Move to Core style plan. Figure out what core packages we are going > to backport for, and what packages we are just going to push the > latest stuff for. > Mozilla -> Seamonkey > Gaim -> Gaim latest Yeah. And also, if at all possible, E) See if any Fedora Core engineers are interested in, out of the goodness of their hearts, building updates for their packages in Legacy when it isn't much extra work -- and enabling them to easily do so. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From mattdm at mattdm.org Fri Oct 20 00:58:25 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Thu, 19 Oct 2006 20:58:25 -0400 Subject: Any support news on FC4? In-Reply-To: <20061020000418.98243.qmail@web36715.mail.mud.yahoo.com> References: <20061020000418.98243.qmail@web36715.mail.mud.yahoo.com> Message-ID: <20061020005825.GB27154@jadzia.bu.edu> On Thu, Oct 19, 2006 at 05:04:18PM -0700, Robinson Tiemuqinke wrote: > It looks that there have been no new security updates > for FC3/FC4 for about three months. > Anyone know when the new updates will be available? > After FC6 released, or some other times? See other thread. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From gene.heskett at verizon.net Fri Oct 20 02:47:42 2006 From: gene.heskett at verizon.net (Gene Heskett) Date: Thu, 19 Oct 2006 22:47:42 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610191200.26527.jkeating@j2solutions.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> Message-ID: <200610192247.42394.gene.heskett@verizon.net> On Thursday 19 October 2006 12:00, Jesse Keating wrote: >On Thursday 19 October 2006 11:44, Matthew Miller wrote: >> When Jesse Keating worked at Pogo, that was largely true, but with his >> duties at RH and with his new kid, it doesn't seem to be the case >> anymore. I'm sure this is not Jesse's fault -- there needs to be >> commitment from above, and that's clearly not the case. >> >> I think this is really unfortunate, because it makes a big gap in the >> Fedora ecosystem. This will be largely filled by migration to >> RHEL-rebuild distros like CentOS, which is well and good (and >> particularly painless from the end-user point of few) but bad for >> Fedora. >> >> Without a functioning lifespan of over a year, Fedora is only >> practically useful as an enthusiast, bleeding-edge distro. That's only >> supposed to be _part_ of its mission. > >Here is what I think can happen. > >A) Kill off RHL now. Stop trying to do stuff there when we just don't > have the man power or the volunteers. > >B) Move to using Extras infrastructure for building packages. They're > ready for us for FC3 and FC4. > >C) Move to Core style updates process. Spin a possible update, toss it >in -testing. If nobody says boo after a period of time, release the darn >thing. If somebody finds it to be broken, fix it and resubmit. > >Somewhere in there convince Luke Macken to do the work to get a Fedora > Update tool available for use externally that does the boring stuff like > generate the email with the checksums and with the subpackage list and > all that boring stuff. It could even handle moving the bug to > 'MODIFIED' when it goes in updates-testing, and finally to CLOSED when > it goes to release. Then it would be easier to get people to > contribute, as they'd just be doing things like checking out a package > module, copying a patch from somewhere, commit, build. That would help > a lot. Somebody more "senior" in the project would fiddle with the tool > to prepare the update, and do the sign+push. > >I honestly think that doing these things is the only way that Legacy will >survive. You make too much sense for this to ever happen, Jesse, and you know it. -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are: Copyright 2006 by Maurice Eugene Heskett, all rights reserved. From jkosin at beta.intcomgrp.com Fri Oct 20 12:58:33 2006 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Fri, 20 Oct 2006 08:58:33 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020005807.GA27154@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> <80d7e4090610191607q7842f04ey7354da36f493c1c9@mail.gmail.com> <20061020005807.GA27154@jadzia.bu.edu> Message-ID: <4538C7F9.7070802@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matthew Miller wrote: > Yeah. > > And also, if at all possible, > > E) See if any Fedora Core engineers are interested in, out of the goodness > of their hearts, building updates for their packages in Legacy when it > isn't much extra work -- and enabling them to easily do so. > > The only problem with this is WHY ever go with the latest FC6 or 7 or whatever if you can have the packages updated to the latest even if you have FC2. It is extra work. The patches need to be verified against usually different source trees before applying and etc. It would be good if every package was the latest, then FC? could be compatible with FCy... etc. Then dare I say you have inter-package dependencies, that usually throw everyone for a loop. It seems these days that every package is highly dependent on every other package to be installed. I think the problem is we may have too many people with the wrong platforms to properly build, test, patch, debug, and etc that they mostly move either to the latest FC? series or another distro all together. This may be interesting as a poll question..... I've been with FC1 now for years. When they announced that FC1 would no longer be supported (many many years ago) I found out about Fedora Legacy. I was willing to help; but, I couldn't find a good source for instructions on how to help. It has changed a bit... but, in the end I ended up rolling my own updates, much like DAG, etc. I still do... but, I'm only one person. I could go ON and ON about the history, but, that doesn't change the facts. Legacy is all about security-updates!!! ONLY!!! The policy is update with PATCHES if at all possible. From RH even better; otherwise fall back to other sources for patches such as the development groups, etc. Only if EVERYTHING else fails, you can update to the latest stable release to fix the flaw. Sincerely, James Kosin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFOMf5kNLDmnu1kSkRApQKAJwIMDv6Y7/rbumnVwfoCWbZ+DMwsQCfcdE5 XvL81Ec+mEO4Rh1M79eNUTI= =IA1G -----END PGP SIGNATURE----- -- Scanned by ClamAV - http://www.clamav.net From nils at lemonbit.nl Fri Oct 20 13:24:55 2006 From: nils at lemonbit.nl (Nils Breunese (Lemonbit)) Date: Fri, 20 Oct 2006 15:24:55 +0200 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061019154458.GA3683@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> Message-ID: Matthew Miller wrote: > I know that personally I haven't been able to contribute the amount > of time > I'd like to make this succeed. But I have a full-time job and a > young child, > and am mildly active in umpteen other projects. Legacy support is > hard work, > and really needs two or three full-time workers to be a success. It's > tempting to blame the lack of volunteers, but this sort of project > works > best if there's a solid base. The Fedora Infrastructure team recently sent out an announce mail to let people know they could use a couple of extra hands. Already a couple of people mailed that team and said they could help out. Maybe Fedora Legacy should send out such an email? > I think this is really unfortunate, because it makes a big gap in > the Fedora > ecosystem. This will be largely filled by migration to RHEL-rebuild > distros > like CentOS, which is well and good (and particularly painless from > the > end-user point of few) but bad for Fedora. I'm sorry, but I can't help you guys out here. I'm also migrating all our servers to CentOS. I use Fedora for my desktop system, but I just run the most recent release on that (no Fedora Legacy there). Nils Breunese. -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: Dit deel van het bericht is digitaal ondertekend URL: From rostetter at mail.utexas.edu Fri Oct 20 14:39:45 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 20 Oct 2006 09:39:45 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061019154458.GA3683@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> Message-ID: <20061020093945.s9slt86hlcsg08o8@mail.ph.utexas.edu> Quoting Matthew Miller : > I know that personally I haven't been able to contribute the amount of time > I'd like to make this succeed. But I have a full-time job and a young child, > and am mildly active in umpteen other projects. Legacy support is hard work, > and really needs two or three full-time workers to be a success. It's > tempting to blame the lack of volunteers, but this sort of project works > best if there's a solid base. I can't disagree with that. > I think this is really unfortunate, because it makes a big gap in the Fedora > ecosystem. This will be largely filled by migration to RHEL-rebuild distros > like CentOS, which is well and good (and particularly painless from the > end-user point of few) but bad for Fedora. I think it is good for everyone. RHEL and its clones have a different mission than Fedora, and people should use the one that fits their needs. The two fill different needs. > Without a functioning lifespan of over a year, Fedora is only practically > useful as an enthusiast, bleeding-edge distro. That's only supposed to be > _part_ of its mission. It is exactly what it is supposed to be. Yes, that is only part of the mission, the other major part being a test-bed for RHEL. The mission also includes helping developers, providing consistency of interfaces, and making the Fedora "experience" better for the end user. But the whole point of Fedora is to be leading/cutting edge, and you can't be leading edge with a long lifetime. Fedora Legacy is really only there to allow for a more flexible upgrade schedule for the users, not to extend the lifetime any real length of time. That is, maybe a particular site can only upgrade 2 times per year, and those times don't match with the Fedora Project release schedule. Fedora Legacy allows them to keep running the previous version in a _secure_ manor until their update window comes along. That's really all Fedora Legacy is for, as concerns Fedora Core (not Red Hat Linux, which is a slightly different issue). Now, maybe we've dropped the ball (on delivering the "secure" part of the promise). I won't argue that. Nor can I say exactly why the ball might have been dropped, or how best to pick it back up. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From smooge at gmail.com Fri Oct 20 14:41:14 2006 From: smooge at gmail.com (Stephen John Smoogen) Date: Fri, 20 Oct 2006 08:41:14 -0600 Subject: lwn article on the death of Fedora Legacy In-Reply-To: References: <20061019154458.GA3683@jadzia.bu.edu> Message-ID: <80d7e4090610200741k52d3e18fnceee1c654e0c74cb@mail.gmail.com> On 10/20/06, Nils Breunese (Lemonbit) wrote: > Matthew Miller wrote: > > > I know that personally I haven't been able to contribute the amount > > of time > > I'd like to make this succeed. But I have a full-time job and a > > young child, > > and am mildly active in umpteen other projects. Legacy support is > > hard work, > > and really needs two or three full-time workers to be a success. It's > > tempting to blame the lack of volunteers, but this sort of project > > works > > best if there's a solid base. > > The Fedora Infrastructure team recently sent out an announce mail to > let people know they could use a couple of extra hands. Already a > couple of people mailed that team and said they could help out. Maybe > Fedora Legacy should send out such an email? > I think we sent out one before the Infrastructure team did.. -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From rostetter at mail.utexas.edu Fri Oct 20 14:43:32 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 20 Oct 2006 09:43:32 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610191200.26527.jkeating@j2solutions.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> Message-ID: <20061020094332.4btb4m5uo35wksso@mail.ph.utexas.edu> Quoting Jesse Keating : >> Without a functioning lifespan of over a year, Fedora is only practically >> useful as an enthusiast, bleeding-edge distro. That's only supposed to be >> _part_ of its mission. As noted, I disagree with the above statement. > Here is what I think can happen. > > A) Kill off RHL now. Stop trying to do stuff there when we just don't have > the man power or the volunteers. But, then there is no trust in the project. You said you would support it until December, and people depend on that. If you drop it now, then where is the trust? How can we be sure you will support FC5 for the length of time you claim, rather than just dropping it? Is 2 months really worth losing trust over? > B) Move to using Extras infrastructure for building packages. They're ready > for us for FC3 and FC4. Then why haven't we started doing this yet? > C) Move to Core style updates process. Spin a possible update, toss it > in -testing. If nobody says boo after a period of time, release the darn > thing. If somebody finds it to be broken, fix it and resubmit. I think this is fine for FC releases. No problem... It is in line with the FC philosophy. > Somewhere in there convince Luke Macken to do the work to get a Fedora Update > tool available for use externally that does the boring stuff like generate > the email with the checksums and with the subpackage list and all that boring > stuff. It could even handle moving the bug to 'MODIFIED' when it goes in > updates-testing, and finally to CLOSED when it goes to release. Then it > would be easier to get people to contribute, as they'd just be doing things > like checking out a package module, copying a patch from somewhere, commit, > build. That would help a lot. Somebody more "senior" in the project would > fiddle with the tool to prepare the update, and do the sign+push. Is he the only one who can do this stuff? Does he need help? > I honestly think that doing these things is the only way that Legacy will > survive. I agree with all but dropping RHL 2 months early. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From rostetter at mail.utexas.edu Fri Oct 20 14:48:05 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 20 Oct 2006 09:48:05 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610191211.27193.jkeating@j2solutions.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> <20061019160457.GA4917@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> Message-ID: <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> Quoting Jesse Keating : > On Thursday 19 October 2006 12:04, Matthew Miller wrote: >> So RHL has been the hold-up there? In that case, *definitely* time to end >> RHL support; RHL != Fedora anyway. IMHO, Fedora Legacy was started for RHL, not FC, and the name is shouldn't dictate policy, the original purpose should dictate policy. > My thoughts too. I keep trying to be nice to these people, and they never > help out. So screw 'em. Yeah, and when offers of help are met with resistence, people do tend to not help out. When people say stuff like "So screw 'em" then people tend to not help out. >> I really, really think the bugzilla process should be moved to be more >> "normal", too -- one bug # per release, even if the issue is identical in >> FC3 and FC4. (That's why there's the "clone bug" bugzilla feature.) > > Absolutely. This works much better when the update tool can automanage bugs, > so that each gets closed when the update goes out, and we're not so tied to > every release must be fixed for the bug to be closed. (note, there can be a > top level "tracker" but for the CVE itself, and individual bugs are cloned > for each vuln Fedora release) So, hey, here's an idea: Let's do that! What's the hold up? >> > C) Move to Core style updates process. Spin a possible update, toss it >> > in -testing. If nobody says boo after a period of time, release the darn >> > thing. If somebody finds it to be broken, fix it and resubmit. >> >> Yes. Better this than nothing. No problem for FC releases. Since there is only 2 months left on RHL, there isn't much of a problem there either (in particular if you set the "period of time" to be a month or one week before the EOL date, which ever comes first. >> Yes. How much work will this convincing take? Does he accept bribes? > > I think he does. A lot of it is a time issue. Again, could he use help with this? If so, what kind of help? Even gentle encouragement? Or money? Or coding support? Or documentation support? Or??? -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From rostetter at mail.utexas.edu Fri Oct 20 14:52:09 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 20 Oct 2006 09:52:09 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061019181244.GA10133@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> <20061019160457.GA4917@jadzia.bu.edu> <20061019181244.GA10133@jadzia.bu.edu> Message-ID: <20061020095209.o9p14cnme76s44wc@mail.ph.utexas.edu> Quoting Matthew Miller : > You're misunderstanding me; I meant RHL has been the hold-up for switching > to the Extras build infrastructure. Can't we somehow run the two build systems in parallel? Use the old one for RHL, and test the new one out for FC releases? That way we also get a good test in, and have a backup if the new build system isn't working right, etc. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From jkeating at redhat.com Fri Oct 20 14:59:13 2006 From: jkeating at redhat.com (Jesse Keating) Date: Fri, 20 Oct 2006 10:59:13 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> Message-ID: <200610201059.13949.jkeating@redhat.com> On Friday 20 October 2006 10:48, Eric Rostetter wrote: > IMHO, Fedora Legacy was started for RHL, not FC, and the name is shouldn't > dictate policy, the original purpose should dictate policy. Actually no. Fedora Legacy came from when Fedora was created. Fedora Alternatives and Extras were other proposed projects. I picked up Legacy because I wanted to provide Fedora to my customers, and provide them a slightly longer life span. I was persuaded to do updates for RHL too, which I really think was a mistake. > > My thoughts too. ?I keep trying to be nice to these people, and they > > never help out. ?So screw 'em. ? > > Yeah, and when offers of help are met with resistence, people do tend to > not help out. ?When people say stuff like "So screw 'em" then people tend > to not help out. Where we need help is testing packages, reporting and vetting issues (not just 'hey this CVE was filed, does it effect us?' Actually LOOK at the package and package sources to see, perhaps provide a patch? Where are you meeting resistance doing this kind of work? > >> I really, really think the bugzilla process should be moved to be more > >> "normal", too -- one bug # per release, even if the issue is identical > >> in FC3 and FC4. (That's why there's the "clone bug" bugzilla feature.) > > > > Absolutely. ?This works much better when the update tool can automanage > > bugs, so that each gets closed when the update goes out, and we're not so > > tied to every release must be fixed for the bug to be closed. ?(note, > > there can be a top level "tracker" but for the CVE itself, and individual > > bugs are cloned for each vuln Fedora release) > > So, hey, here's an idea: Let's do that! ?What's the hold up? Getting software in place. Time. Energy. > >> > C) Move to Core style updates process. ?Spin a possible update, toss > >> > it in -testing. ?If nobody says boo after a period of time, release > >> > the darn thing. ?If somebody finds it to be broken, fix it and > >> > resubmit. > >> > >> Yes. Better this than nothing. > > No problem for FC releases. ?Since there is only 2 months left on RHL, > there isn't much of a problem there either (in particular if you set > the "period of time" to be a month or one week before the EOL date, which > ever comes first. > > >> Yes. How much work will this convincing take? Does he accept bribes? > > > > I think he does. ?A lot of it is a time issue. > > Again, could he use help with this? ?If so, what kind of help? > Even gentle encouragement? ?Or money? ?Or coding support? ?Or documentation > support? ?Or??? I don't know. Email him. Find out. He's on the fedora infrastructure team which has this listed as one of the projects. http://fedoraproject.org/wiki/Infrastructure Don't wait on me to make it happen. -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From jkeating at redhat.com Fri Oct 20 14:59:39 2006 From: jkeating at redhat.com (Jesse Keating) Date: Fri, 20 Oct 2006 10:59:39 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020095209.o9p14cnme76s44wc@mail.ph.utexas.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <20061019181244.GA10133@jadzia.bu.edu> <20061020095209.o9p14cnme76s44wc@mail.ph.utexas.edu> Message-ID: <200610201059.39801.jkeating@redhat.com> On Friday 20 October 2006 10:52, Eric Rostetter wrote: > > You're misunderstanding me; I meant RHL has been the hold-up for > > switching to the Extras build infrastructure. > > Can't we somehow run the two build systems in parallel? ?Use the old one > for RHL, and test the new one out for FC releases? ?That way we also get > a good test in, and have a backup if the new build system isn't working > right, etc. Only if we agree to split RHL updates from Fedora updates and nothold one up for the other. -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From smooge at gmail.com Fri Oct 20 15:36:15 2006 From: smooge at gmail.com (Stephen John Smoogen) Date: Fri, 20 Oct 2006 09:36:15 -0600 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201059.13949.jkeating@redhat.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> Message-ID: <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> On 10/20/06, Jesse Keating wrote: > On Friday 20 October 2006 10:48, Eric Rostetter wrote: > > IMHO, Fedora Legacy was started for RHL, not FC, and the name is shouldn't > > dictate policy, the original purpose should dictate policy. > > Actually no. Fedora Legacy came from when Fedora was created. Fedora > Alternatives and Extras were other proposed projects. I picked up Legacy > because I wanted to provide Fedora to my customers, and provide them a > slightly longer life span. I was persuaded to do updates for RHL too, which > I really think was a mistake. > I am getting deja-vu from the last time we tried fixing things about 6 months ago. I think the problem isn't RHL updates, Fedora updates etc. The problem is that we are just beat. Jesse has a kid, a release cycle, a new knee, and a lot of other stuff on his real job. The other people who have been doing stuff have also had 'stuff happen', and temporary schedule changes that have become permanent. I just have enough time currently to answer questions for people on #fedora-legacy, trying to put in 10-20 hours to qa a package because I don't know how much qa it really takes to ship a fix (especially after all the negative feedback when we put out a patch that 'broke' systems). Most of the other people who have been really interested in the project have been interested in a certain release (FC1, RHL-7.2, etc) and once we stopped supporting it, they went away. I really do not know of anyone new who has wanted to support FC-4 or FC-5 in 4 months. Maybe the question we should be asking is: Can we do this? We don't have the number of people that Debian Security has on supporting old releases.. and because we have fallen so far behind with everything.. can we dig ourselves out.. or do we need to completely reboot the whole thing (new people, new goals, new name) with the new people really knowing that A) we arent going to get much help from 3rd party vendors B) we arent going to get much help from the community C) etc -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From jkeating at redhat.com Fri Oct 20 16:21:35 2006 From: jkeating at redhat.com (Jesse Keating) Date: Fri, 20 Oct 2006 12:21:35 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> Message-ID: <200610201221.38526.jkeating@redhat.com> On Friday 20 October 2006 11:36, Stephen John Smoogen wrote: > I just have enough time currently to answer questions for people on > #fedora-legacy, trying to put in 10-20 hours to qa a package because I > don't know how much qa it really takes to ship a fix (especially after > all the negative feedback when we put out a patch that 'broke' > systems). Yikes, 10-20 hours seems CRAZY. It built, patch applied, app launches, push it as a testing update. (sure you could do a LITTLE more testing, but trying to fit 20 hours of heavy qa on an app is just silly) -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From jkeating at redhat.com Fri Oct 20 16:23:12 2006 From: jkeating at redhat.com (Jesse Keating) Date: Fri, 20 Oct 2006 12:23:12 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201221.38526.jkeating@redhat.com> References: <20061019154458.GA3683@jadzia.bu.edu> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <200610201221.38526.jkeating@redhat.com> Message-ID: <200610201223.12640.jkeating@redhat.com> On Friday 20 October 2006 12:21, Jesse Keating wrote: > Yikes, 10-20 hours seems CRAZY. ?It built, patch applied, app launches, > push it as a testing update. ?(sure you could do a LITTLE more testing, but > trying to fit 20 hours of heavy qa on an app is just silly) I should note that the only way we'll REALLY know its qad is if people use it in similar setups to their system, and updates-testing is usually the only way to get packages to them for testing. -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From mattdm at mattdm.org Fri Oct 20 17:18:48 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Fri, 20 Oct 2006 13:18:48 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201059.39801.jkeating@redhat.com> References: <20061019154458.GA3683@jadzia.bu.edu> <20061019181244.GA10133@jadzia.bu.edu> <20061020095209.o9p14cnme76s44wc@mail.ph.utexas.edu> <200610201059.39801.jkeating@redhat.com> Message-ID: <20061020171848.GA26047@jadzia.bu.edu> On Fri, Oct 20, 2006 at 10:59:39AM -0400, Jesse Keating wrote: > Only if we agree to split RHL updates from Fedora updates and nothold one > up for the other. This is another benefit of one bug per distro release. FC3 packages shouldn't hold up FC4, for that matter. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From gene.heskett at verizon.net Fri Oct 20 17:19:08 2006 From: gene.heskett at verizon.net (Gene Heskett) Date: Fri, 20 Oct 2006 13:19:08 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> Message-ID: <200610201319.09053.gene.heskett@verizon.net> On Friday 20 October 2006 11:36, Stephen John Smoogen wrote: >On 10/20/06, Jesse Keating wrote: >> On Friday 20 October 2006 10:48, Eric Rostetter wrote: >> > IMHO, Fedora Legacy was started for RHL, not FC, and the name is >> > shouldn't dictate policy, the original purpose should dictate policy. >> >> Actually no. Fedora Legacy came from when Fedora was created. Fedora >> Alternatives and Extras were other proposed projects. I picked up >> Legacy because I wanted to provide Fedora to my customers, and provide >> them a slightly longer life span. I was persuaded to do updates for >> RHL too, which I really think was a mistake. > >I am getting deja-vu from the last time we tried fixing things about 6 >months ago. I think the problem isn't RHL updates, Fedora updates etc. > >The problem is that we are just beat. Jesse has a kid, a release >cycle, a new knee, and a lot of other stuff on his real job. The other >people who have been doing stuff have also had 'stuff happen', and >temporary schedule changes that have become permanent. > >I just have enough time currently to answer questions for people on >#fedora-legacy, trying to put in 10-20 hours to qa a package because I >don't know how much qa it really takes to ship a fix (especially after >all the negative feedback when we put out a patch that 'broke' >systems). > >Most of the other people who have been really interested in the >project have been interested in a certain release (FC1, RHL-7.2, etc) >and once we stopped supporting it, they went away. I really do not >know of anyone new who has wanted to support FC-4 or FC-5 in 4 months. > >Maybe the question we should be asking is: Can we do this? We don't >have the number of people that Debian Security has on supporting old >releases.. and because we have fallen so far behind with everything.. >can we dig ourselves out.. or do we need to completely reboot the >whole thing (new people, new goals, new name) with the new people >really knowing that > >A) we arent going to get much help from 3rd party vendors >B) we arent going to get much help from the community I'd comment that for this fedora user at least, the security etc stuffs should be extended at least to the point where we each of us, has a system, old though it may be in FC years, that works and does everything WE want it to do. Throwing us "to the wolves" doesn't make me want to format and update at anywhere near the release cycle for FC. My email archive alone goes back into 1998 here. Yes, there are backups, and I do them rather religiously at the feet of a gal named amanda, but it would still be a weeks work to get stuff back to the Just Works(TM) state here if I was to put FC5 on this box today. But after an extended rattlesnake sorting session on my lappy, FC5 is now looking & working pretty good, so FC6 will probably get installed when its out or shortly after. But I'm not about to do this every 6 months as planned by the FC people, I have other things these machines need to do, and do on a set it up in cron so I can forget about it scenario. My $0.02, adjust for inflation. :-) >C) etc -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are: Copyright 2006 by Maurice Eugene Heskett, all rights reserved. From mattdm at mattdm.org Fri Oct 20 17:20:00 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Fri, 20 Oct 2006 13:20:00 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201059.13949.jkeating@redhat.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> Message-ID: <20061020172000.GB26047@jadzia.bu.edu> On Fri, Oct 20, 2006 at 10:59:13AM -0400, Jesse Keating wrote: > Where we need help is testing packages, reporting and vetting issues (not > just 'hey this CVE was filed, does it effect us?' Actually LOOK at the > package and package sources to see, perhaps provide a patch? Where are you > meeting resistance doing this kind of work? Although, "hey, this CVE was filed, does it affect us" in bugzilla is helpful too as a starting point -- a lot of issues which do affect us aren't even that far along at this point. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From mattdm at mattdm.org Fri Oct 20 17:29:01 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Fri, 20 Oct 2006 13:29:01 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> Message-ID: <20061020172901.GC26047@jadzia.bu.edu> On Fri, Oct 20, 2006 at 09:36:15AM -0600, Stephen John Smoogen wrote: > The problem is that we are just beat. Jesse has a kid, a release > cycle, a new knee, and a lot of other stuff on his real job. The other > people who have been doing stuff have also had 'stuff happen', and > temporary schedule changes that have become permanent. Yes. In order to survive the project needs some real support from Red Hat. (Or some other large company who wants to do Red Hat a favor, but that seems even less likely.) Using the "Chasm" marketing model [*], without Legacy, Fedora is only a viable solution for Early Adopters and of dubious value to the second "Pragmatist" group. However, Fedora has been enough of a success that many Pragmatists are indeed using Fedora. This results in large numbers of FC2, FC3, FC4 machines in production beyond their supported lifetime. Pragmatists, by their nature, don't wanna be upgrading all the time. Without Legacy, they're best served by CentOS and kin. That's fine, but it's a loss for Fedora, as they're then less likely to feed back into Extras, etc. And it's also a problem because it results in large numbers of potentially vulnerable machines in the wild. Fedora people repeatedly state that the distribution is great for users beyond the tech-enthusiast Earlier Adopters. But without Legacy, it's really not true. * -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From mattdm at mattdm.org Fri Oct 20 17:31:08 2006 From: mattdm at mattdm.org (Matthew Miller) Date: Fri, 20 Oct 2006 13:31:08 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <4538C7F9.7070802@beta.intcomgrp.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> <80d7e4090610191607q7842f04ey7354da36f493c1c9@mail.gmail.com> <20061020005807.GA27154@jadzia.bu.edu> <4538C7F9.7070802@beta.intcomgrp.com> Message-ID: <20061020173108.GD26047@jadzia.bu.edu> On Fri, Oct 20, 2006 at 08:58:33AM -0400, James Kosin wrote: > > E) See if any Fedora Core engineers are interested in, out of the goodness > > of their hearts, building updates for their packages in Legacy when it > > isn't much extra work -- and enabling them to easily do so. > The only problem with this is WHY ever go with the latest FC6 or 7 or > whatever if you can have the packages updated to the latest even if > you have FC2. I really don't think that's a major concern. Most packages wouldn't be updated to the newest version -- just the ones where that's the easiest thing to do. > Legacy is all about security-updates!!! ONLY!!! > The policy is update with PATCHES if at all possible. From RH even > better; otherwise fall back to other sources for patches such as the > development groups, etc. Only if EVERYTHING else fails, you can > update to the latest stable release to fix the flaw. Right now, everything is clearly failing. -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From rostetter at mail.utexas.edu Fri Oct 20 17:58:48 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 20 Oct 2006 12:58:48 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201059.13949.jkeating@redhat.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> Message-ID: <20061020125848.8hg9qiqctlskg40k@mail.ph.utexas.edu> Quoting Jesse Keating : > On Friday 20 October 2006 10:48, Eric Rostetter wrote: >> IMHO, Fedora Legacy was started for RHL, not FC, and the name is shouldn't >> dictate policy, the original purpose should dictate policy. > > Actually no. Fedora Legacy came from when Fedora was created. Yes, which was about the same time RHL was killed off in favor of RHEL. And the only reason I joined was because almost all the talk at that time was about keeping RHL releases alive "for as long as there is interest" with just a small amount of "and Fedora Core releases for a few months longer on a 1-2-3-out basis". > Fedora > Alternatives and Extras were other proposed projects. I picked up Legacy > because I wanted to provide Fedora to my customers, and provide them a > slightly longer life span. I was persuaded to do updates for RHL too, which > I really think was a mistake. Okay, that may be your position/opinion, as and the defacto leader that carries some weight. But that is not how the project came across many of those who joined after RHL was added. > Where we need help is testing packages, reporting and vetting issues (not > just 'hey this CVE was filed, does it effect us?' Actually LOOK at the > package and package sources to see, perhaps provide a patch? Where are you > meeting resistance doing this kind of work? First, my interest doesn't really fit there. It is in testing what is in updates-testing (which is nothing). If there was something in updates-testing to test, I would test it and report the results. Secondly, I've offered to help many times with other infrastructure issues, and been turned down over and over. Third, when I've tried to help test packages before updates-testing, I met with lots of trouble. Someone: "No, you have to do this, this way, not that way!" Me: "Okay, where's that documented?" Someone: "No where." Me: "Okay, I'll document that and resubmit" Someone: "No, you still missed Step X". Me: Okay, where is that documented? Someone: "No where." Me: "Okay, I'll document that..." And so on. Eventually of course, my documentation is no longer good because it is a web page and now it should all be wiki, and I don't have access to the wiki. By the time I finally get access to the wiki, I've lost interest. Third, I had a big project that took about a year of my life, during which I could not spend a lot of time of FL work. That is over now, and I could go back to working on FL again, but I really don't see where I'm needed now. The fact that I only have one FC machine to play with (FC 3 x86_64 now, could upgrade to FC4 or what ever if needed) doesn't help. I'm willing to put it towards FL work if you tell me what you need me to do. But you can't expect me to do everything any more than I expect you to do everything. And as long as you keep refusing my offers to help saying you'll do it yourself, you won't get many unsolicited offers from me, so you better start soliciting if you want anything. >> So, hey, here's an idea: Let's do that! What's the hold up? > > Getting software in place. Time. Energy. Is there anything I can do to help, or not? >> Again, could he use help with this? If so, what kind of help? >> Even gentle encouragement? Or money? Or coding support? Or documentation >> support? Or??? > > I don't know. Email him. Find out. He's on the fedora infrastructure team > which has this listed as one of the projects. > http://fedoraproject.org/wiki/Infrastructure > > Don't wait on me to make it happen. Is there a particular reason to contact only him instead of the whole infrastructure team? > -- > Jesse Keating > Release Engineer: Fedora -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From rostetter at mail.utexas.edu Fri Oct 20 17:59:32 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 20 Oct 2006 12:59:32 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201059.39801.jkeating@redhat.com> References: <20061019154458.GA3683@jadzia.bu.edu> <20061019181244.GA10133@jadzia.bu.edu> <20061020095209.o9p14cnme76s44wc@mail.ph.utexas.edu> <200610201059.39801.jkeating@redhat.com> Message-ID: <20061020125932.5dz177txfg2ck48s@mail.ph.utexas.edu> Quoting Jesse Keating : > On Friday 20 October 2006 10:52, Eric Rostetter wrote: >> > You're misunderstanding me; I meant RHL has been the hold-up for >> > switching to the Extras build infrastructure. >> >> Can't we somehow run the two build systems in parallel? Use the old one >> for RHL, and test the new one out for FC releases? That way we also get >> a good test in, and have a backup if the new build system isn't working >> right, etc. > > Only if we agree to split RHL updates from Fedora updates and nothold one up > for the other. Fine with me. > -- > Jesse Keating > Release Engineer: Fedora > -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From jkeating at redhat.com Fri Oct 20 18:08:38 2006 From: jkeating at redhat.com (Jesse Keating) Date: Fri, 20 Oct 2006 14:08:38 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020125848.8hg9qiqctlskg40k@mail.ph.utexas.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201059.13949.jkeating@redhat.com> <20061020125848.8hg9qiqctlskg40k@mail.ph.utexas.edu> Message-ID: <200610201408.38207.jkeating@redhat.com> On Friday 20 October 2006 13:58, Eric Rostetter wrote: > First, my interest doesn't really fit there. ?It is in testing what is > in updates-testing (which is nothing). ?If there was something in > updates-testing to test, I would test it and report the results. Its tough to get to updates-testing without the pre-work done. So thats where we need the help right now. > Secondly, I've offered to help many times with other infrastructure issues, > and been turned down over and over. Where? When? You refused to use IRC, you've refused to even try to get a wiki account. > Third, when I've tried to help test packages before updates-testing, I > met with lots of trouble. ?Someone: "No, you have to do this, this way, not > that way!" Me: "Okay, where's that documented?" ?Someone: "No where." > Me: "Okay, I'll document that and resubmit" ?Someone: "No, you still missed > Step X". ?Me: Okay, where is that documented? ?Someone: "No where." ? > Me: "Okay, > I'll document that..." ?And so on. ?Eventually of course, my documentation > is no longer good because it is a web page and now it should all be wiki, > and I don't have access to the wiki. ?By the time I finally get access to > the wiki, I've lost interest. When did you try to get a wiki account? We always welcome more documentation. > Third, I had a big project that took about a year of my life, during which > I could not spend a lot of time of FL work. ?That is over now, and I could > go back to working on FL again, but I really don't see where I'm needed > now. I've outlined what help we need. > The fact that I only have one FC machine to play with (FC 3 x86_64 now, > could upgrade to FC4 or what ever if needed) doesn't help. ?I'm willing > to put it towards FL work if you tell me what you need me to do. > > But you can't expect me to do everything any more than I expect you to do > everything. ?And as long as you keep refusing my offers to help saying > you'll do it yourself, you won't get many unsolicited offers from me, > so you better start soliciting if you want anything. > > >> So, hey, here's an idea: Let's do that! ?What's the hold up? > > > > Getting software in place. ?Time. ?Energy. > > Is there anything I can do to help, or not? Again, I don't know, you'd have to ask Luke and / or the Infrastructure team. > > >> Again, could he use help with this? ?If so, what kind of help? > >> Even gentle encouragement? ?Or money? ?Or coding support? ?Or > >> documentation support? ?Or??? > > > > I don't know. ?Email him. ?Find out. ?He's on the fedora infrastructure > > team which has this listed as one of the projects. > > http://fedoraproject.org/wiki/Infrastructure > > > > Don't wait on me to make it happen. > > Is there a particular reason to contact only him instead of the whole > infrastructure team? Mostly because he "owns" the project. -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From rostetter at mail.utexas.edu Fri Oct 20 18:19:13 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 20 Oct 2006 13:19:13 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020172901.GC26047@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <20061020172901.GC26047@jadzia.bu.edu> Message-ID: <20061020131913.y8yf20lsflwksk8k@mail.ph.utexas.edu> Quoting Matthew Miller : > Fedora people repeatedly state that the distribution is great for users > beyond the tech-enthusiast Earlier Adopters. But without Legacy, it's really > not true. It is only good for tech-savy people who can upgrade outside of pre-set windows. Legacy extends this to tech-savy people who can upgrade at some point during the year. Someday the Fedora Documentation Project along with Fedora Legacy (if it survives) may extend this to non-tech-savy people who can upgrade within a year... Let's face it. Fedora Legacy use is limited. The fact that some Fedora people say otherwise doesn't make it true. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From michal at harddata.com Fri Oct 20 18:33:16 2006 From: michal at harddata.com (Michal Jaegermann) Date: Fri, 20 Oct 2006 12:33:16 -0600 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201319.09053.gene.heskett@verizon.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <200610201319.09053.gene.heskett@verizon.net> Message-ID: <20061020183316.GC9313@mail.harddata.com> On Fri, Oct 20, 2006 at 01:19:08PM -0400, Gene Heskett wrote: > > My email archive alone goes back > into 1998 here. Yes, there are backups, and I do them rather religiously > at the feet of a gal named amanda, but it would still be a weeks work to > get stuff back to the Just Works(TM) state here if I was to put FC5 on > this box today. Eh? How come? Not that I am trying to tell you "upgrade right now" but I have around machines which went through numerous release upgrades, some with original installations dating back to times of RH6.x realeases or maybe even earlier, and it never took me "weeks" to do such thing. Rather small hours when most of the time I was doing something else when a machine was busy installing updated packages. I am not trying to imply that there is no work involved. It is easier when you can do that over a network or from DVD, or otherwise you have to babysit a machine and switch CDs from time to time, but I never had a situation that such operation destroyed my data or made a machine inoperable. It is also true that after such step there is some cleanup to perform; but with possible small exceptions this is not extremely urgent and can be done here and there at your leisure. 'rpm -qa --last' will make you a list where possible "leftovers" are easy to pick up and you should go through assorted '.rpmnew' and '.rpmsave' files. 'locate' is of a great help here after you updated its database. On some occasions I did even such "nasty" things as 'rpm -Uvh --nodeps fedora-release*', with that rpm from a target distro, followed by 'yum update "yum*" "rpm*" "python*"' and after that 'yum update ...' (various things as needed), but such trickery may require assorted "manual interventions" which depend on what you really have already installed and falls into "if you have to ask how to do that you should not be doing it" category. Still it worked fine in the final account (with a different set of tradeoffs than a "normal update"). Yes, I know that some claim that to upgrade a release one should do an install from scratch and restore personal data from backups. Unless you really messed up previously your installation doing things like 'rpm --Uvh --nodeps ...' all over the place, and other nasties of that sort, this is misguided. But after an extended rattlesnake sorting session on my > lappy, FC5 is now looking & working pretty good, so FC6 will probably get > installed when its out or shortly after. > > But I'm not about to do this every 6 months as planned by the FC people, I > have other things these machines need to do, and do on a set it up in cron > so I can forget about it scenario. > > My $0.02, adjust for inflation. :-) > > >C) etc > > -- > Cheers, Gene > "There are four boxes to be used in defense of liberty: > soap, ballot, jury, and ammo. Please use in that order." > -Ed Howdershelt (Author) > Yahoo.com and AOL/TW attorneys please note, additions to the above > message by Gene Heskett are: > Copyright 2006 by Maurice Eugene Heskett, all rights reserved. > > -- > fedora-legacy-list mailing list > fedora-legacy-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-legacy-list From rostetter at mail.utexas.edu Fri Oct 20 18:40:31 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 20 Oct 2006 13:40:31 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201408.38207.jkeating@redhat.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201059.13949.jkeating@redhat.com> <20061020125848.8hg9qiqctlskg40k@mail.ph.utexas.edu> <200610201408.38207.jkeating@redhat.com> Message-ID: <20061020134031.6uzrpsbb0em80888@mail.ph.utexas.edu> Quoting Jesse Keating : > On Friday 20 October 2006 13:58, Eric Rostetter wrote: >> First, my interest doesn't really fit there. It is in testing what is >> in updates-testing (which is nothing). If there was something in >> updates-testing to test, I would test it and report the results. > > Its tough to get to updates-testing without the pre-work done. So > thats where > we need the help right now. Yes, true. But, like I said, you can't expect one person to do everything... If we had a way to know what work needed to be done, it might be easier for people like me to help. Long ago I suggested that there be a mailing list for entries in bugzilla, and while it was received well by many on this list, it was rejected by you. If I got an e-mail saying we need to test package X, and I decided I could test package X, I would do it. But I don't have the time to go crawling through bugzilla looking to see what needs to be tested, and I've not seen a mailing to this list lately with a list of things that needed testing. In other words, I personally respond better to a "push" to me of what is needed than having to expend effort to "pull" what is needed from various sources. >> Secondly, I've offered to help many times with other infrastructure issues, >> and been turned down over and over. > > Where? When? You refused to use IRC, you've refused to even try to get a > wiki account. Yes, I basically refuse to use IRC. If that means I can't help with FL, then so be it. That's your problem. My requests to help go back to the beginning, like setting up CVS for the web site, a web-interface to the CVS, a mailing list for the CVS, etc. You refused all that help, saying you already planned to do that kind of stuff and would do it yourself, etc. You did setup the CVS, but none of the rest. I've never managed to get access to change bugzilla entry white boards, etc. though I've asked about it, etc. As for a wiki access, I _did_ get it. But, I'm really never been sure how you plan to split the web site and wiki, if at all, and what you want done, and personally I _hate_ the idea of putting everything in the wiki. I specifically hate putting the advisories in the wiki, but you say you want to. Well, so be it, but I've not seen any work done to do it, and I've not been asked to help in doing so. >> I'll document that..." And so on. Eventually of course, my documentation >> is no longer good because it is a web page and now it should all be wiki, >> and I don't have access to the wiki. By the time I finally get access to >> the wiki, I've lost interest. > > When did you try to get a wiki account? We always welcome more > documentation. I _did_ get access to the wiki (though I don't know if it still works or not). In fact I say that above where you quote me. >> Third, I had a big project that took about a year of my life, during which >> I could not spend a lot of time of FL work. That is over now, and I could >> go back to working on FL again, but I really don't see where I'm needed >> now. > > I've outlined what help we need. No, you said we need lots of stuff. I said, okay, I'm trying to do some of that stuff. You said, no, we need this other stuff since the stuff I want to do can't be done until the other stuff is done... Well, fine, if I have to do that other stuff I'm willing, if it is made easy for me to do. Is anyone willing to make it easier for me to do? > Again, I don't know, you'd have to ask Luke and / or the Infrastructure team. I'll reread the thread, and _if_ I understand what is desired, I'll approach them about it. If not, then I'll _try_ to get someone here to explain to me what it is I'm supposed to ask them. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From jkosin at beta.intcomgrp.com Fri Oct 20 18:41:54 2006 From: jkosin at beta.intcomgrp.com (James Kosin) Date: Fri, 20 Oct 2006 14:41:54 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020173108.GD26047@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> <80d7e4090610191607q7842f04ey7354da36f493c1c9@mail.gmail.com> <20061020005807.GA27154@jadzia.bu.edu> <4538C7F9.7070802@beta.intcomgrp.com> <20061020173108.GD26047@jadzia.bu.edu> Message-ID: <45391872.9020309@beta.intcomgrp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matthew Miller wrote: >> Legacy is all about security-updates!!! ONLY!!! The policy is >> update with PATCHES if at all possible. From RH even better; >> otherwise fall back to other sources for patches such as the >> development groups, etc. Only if EVERYTHING else fails, you can >> update to the latest stable release to fix the flaw. > > Right now, everything is clearly failing. > No, I think what is failing is that Legacy has never had a policy other that extras was not included in the security concerns. There are hundreds of packages to cope with and many people are stretched very thin. :'( There is literally a hand full of people managing all the packages and it is up to the users to keep track and raise issues with packages. The managers of the packages then run around trying to come up with the fixes. Some of which are not plain and simple. Then they need to go through the QA process and etc. This all leads to TIME. Unfortunately, most people are hard at work with say FC6 to really devote great attention to the current FL project. So, we have been left to fend for ourselves. The last straw was probably the decision to lighten the load and get rid of all the other legacy supported (releases) and concentrate on one to two FL releases at most.... All of this and more has forced many to abandon supporting FL in favor of other platforms with continued support. In short, people willing and able to do all the work necessary has dwindled to but a few. Jesse and a few others, mostly working at RH serving many roles on other projects. Just my 2-cents. James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFORhxkNLDmnu1kSkRAv9GAJ9FOcPqqp4RZrsd4kvGZkdF48RdJwCfeOk/ ctVFXAmj0eEm95TrDFm9/kg= =/7Bx -----END PGP SIGNATURE----- -- Scanned by ClamAV - http://www.clamav.net From jkeating at redhat.com Fri Oct 20 18:58:06 2006 From: jkeating at redhat.com (Jesse Keating) Date: Fri, 20 Oct 2006 14:58:06 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020134031.6uzrpsbb0em80888@mail.ph.utexas.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201408.38207.jkeating@redhat.com> <20061020134031.6uzrpsbb0em80888@mail.ph.utexas.edu> Message-ID: <200610201458.06658.jkeating@redhat.com> On Friday 20 October 2006 14:40, Eric Rostetter wrote: > If we had a way to know what work needed to be done, it might be easier > for people like me to help. ?Long ago I suggested that there be a mailing > list for entries in bugzilla, and while it was received well by many on > this list, it was rejected by you. ?If I got an e-mail saying we need > to test package X, and I decided I could test package X, I would do it. > But I don't have the time to go crawling through bugzilla looking to > see what needs to be tested, and I've not seen a mailing to this list > lately with a list of things that needed testing. ?In other words, I > personally respond better to a "push" to me of what is needed than > having to expend effort to "pull" what is needed from various sources. And for a while Pekka was posting a list of all the work needed items. Was that not usable? I don't remember the discussion of a mailing list for bugs, there is a 'bugs at fedoralegacy.org' email alias, if you want on that, by all means I'll add you. I do know that I don't want bug discussion to happen on a list and out of the bug. > >> Secondly, I've offered to help many times with other infrastructure > >> issues, and been turned down over and over. > > > > Where? ?When? ?You refused to use IRC, you've refused to even try to get > > a wiki account. > > Yes, I basically refuse to use IRC. ?If that means I can't help with FL, > then so be it. ?That's your problem. > > My requests to help go back to the beginning, like setting up CVS for the > web site, a web-interface to the CVS, a mailing list for the CVS, etc. > You refused all that help, saying you already planned to do that kind of > stuff and would do it yourself, etc. ?You did setup the CVS, but none of > the rest. Yep, I suck again. There was CVS, but I had always wanted to use Red Hat resources for things like source control. Now we have it, WITH webcvs I do believe (although I still hate CVS (: ) As for adding the web to the new CVS infrastructure, I haven't thought much about it. When this was happening, I had thought you had left the project, so it wasn't much of a thought process. > I've never managed to get access to change bugzilla entry > white boards, etc. though I've asked about it, etc. I don't recall you asking. I could easily get you added to a bugzilla group, but the best way is to go through the Extras contributor process (yes it sucks that it isn't a "Fedora" contributors process yet, but that process has to be created, wanna help?) > As for a wiki access, I _did_ get it. ?But, I'm really never been sure > how you plan to split the web site and wiki, if at all, and what you want > done, and personally I _hate_ the idea of putting everything in the wiki. > I specifically hate putting the advisories in the wiki, but you say you > want to. ?Well, so be it, but I've not seen any work done to do it, and > I've not been asked to help in doing so. Advisories do not belong in wiki, you're correct. They belong in email, and maybe echo'd to a website if there is automated things to make that happen. We don't have it for Core, we don't _need_ it for Legacy yet. One should come from the other. As for wiki content: http://fedoraproject.org/wiki/Legacy I would like EVERYTHING except advisories (see above) and the GPG keys. David Eisenstein has done a lot of work of porting some content over, I'm sure he'd like a hand with that. I like the wiki as it is a LOT lower overhead to contribute content, make updates as things change, refine processes, interlink with other Fedora documentation such as how to use the CVS system, how to get an account, how to use the build system, etc... > > >> I'll document that..." ?And so on. ?Eventually of course, my > >> documentation is no longer good because it is a web page and now it > >> should all be wiki, and I don't have access to the wiki. ?By the time I > >> finally get access to the wiki, I've lost interest. > > > > When did you try to get a wiki account? ?We always welcome more ? > > documentation. > > I _did_ get access to the wiki (though I don't know if it still works or > not). In fact I say that above where you quote me. > > >> Third, I had a big project that took about a year of my life, during > >> which I could not spend a lot of time of FL work. ?That is over now, and > >> I could go back to working on FL again, but I really don't see where I'm > >> needed now. > > > > I've outlined what help we need. > > No, you said we need lots of stuff. ?I said, okay, I'm trying to do some > of that stuff. ?You said, no, we need this other stuff since the stuff > I want to do can't be done until the other stuff is done... ?Well, fine, > if I have to do that other stuff I'm willing, if it is made easy for me > to do. ?Is anyone willing to make it easier for me to do? > > > Again, I don't know, you'd have to ask Luke and / or the Infrastructure > > team. > > I'll reread the thread, and _if_ I understand what is desired, I'll > approach them about it. ?If not, then I'll _try_ to get someone here to > explain to me what it is I'm supposed to ask them. Thanks. -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From rostetter at mail.utexas.edu Fri Oct 20 19:16:45 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Fri, 20 Oct 2006 14:16:45 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201458.06658.jkeating@redhat.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201408.38207.jkeating@redhat.com> <20061020134031.6uzrpsbb0em80888@mail.ph.utexas.edu> <200610201458.06658.jkeating@redhat.com> Message-ID: <20061020141645.eyalm6kqnfkggg48@mail.ph.utexas.edu> Quoting Jesse Keating : >> But I don't have the time to go crawling through bugzilla looking to >> see what needs to be tested, and I've not seen a mailing to this list >> lately with a list of things that needed testing. In other words, I Please read the above. > And for a while Pekka was posting a list of all the work needed items. Was > that not usable? I don't remember the discussion of a mailing list for bugs, Yes, it was, but as I said, I've not seen one for a while... > there is a 'bugs at fedoralegacy.org' email alias, if you want on that, by all > means I'll add you. I do know that I don't want bug discussion to happen on > a list and out of the bug. Correct, it should be a one-way mailing only. Yes, if you want me to help, please add me to bugs at fedoralegacy.org. > When this was happening, I > had thought you had left the project, so it wasn't much of a thought process. I've never left the project, I've just become much less active in it. > I would like EVERYTHING except advisories (see above) and the GPG > keys. David > Eisenstein has done a lot of work of porting some content over, I'm sure he'd > like a hand with that. I like the wiki as it is a LOT lower overhead to > contribute content, make updates as things change, refine processes, > interlink with other Fedora documentation such as how to use the CVS system, > how to get an account, how to use the build system, etc... Okay, I'll take you at your word on the above. And I'll just keep my own opinions about it to myself where they belong. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From jkeating at redhat.com Fri Oct 20 19:22:23 2006 From: jkeating at redhat.com (Jesse Keating) Date: Fri, 20 Oct 2006 15:22:23 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020141645.eyalm6kqnfkggg48@mail.ph.utexas.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201458.06658.jkeating@redhat.com> <20061020141645.eyalm6kqnfkggg48@mail.ph.utexas.edu> Message-ID: <200610201522.23861.jkeating@redhat.com> On Friday 20 October 2006 15:16, Eric Rostetter wrote: > Yes, if you want me to help, please add me to bugs at fedoralegacy.org. You've been added. -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From lmb at biosci.ki.se Thu Oct 19 13:37:56 2006 From: lmb at biosci.ki.se (Leif Bergman) Date: Thu, 19 Oct 2006 15:37:56 +0200 Subject: Legacy kernels Message-ID: <1161265076.31277.3.camel@hornbill.csb.ki.se> Hi Is there a reason for not building/distributing devel packages of the kernel in fedora legacy? Regards, -- This has been an unsolicited bulk email from: Leif O M Bergman From dennis.activesignal at email.toast.net Fri Oct 20 16:34:42 2006 From: dennis.activesignal at email.toast.net (Dennis) Date: Fri, 20 Oct 2006 12:34:42 -0400 Subject: Fedora Core 4 x86_64 Yum update issues Message-ID: <4538FAA2.1030707@email.toast.net> I am trying to update my x86_64 installation of Fedora core 4 and I am getting the following message from Yum and I need help to resolve this issue. ----------------------------------------------------------------------------- --> Running transaction check --> Processing Dependency: kernel = 2.6.15-1.1833_FC4 for package: cman-kernel --> Processing Dependency: /lib/modules/2.6.15-1.1833_FC4 for package: cman-kernel Importing Additional filelist information for dependency resolution --> Processing Dependency: /lib/modules/2.6.15-1.1833_FC4 for package: dlm-kernel Importing Additional filelist information for dependency resolution --> Processing Dependency: kernel = 2.6.15-1.1833_FC4 for package: GFS-kernel --> Processing Dependency: /lib/modules/2.6.15-1.1833_FC4 for package: gnbd-kernel Importing Additional filelist information for dependency resolution --> Processing Dependency: kernel = 2.6.15-1.1833_FC4 for package: dlm-kernel --> Processing Dependency: /lib/modules/2.6.15-1.1833_FC4 for package: GFS-kernel Importing Additional filelist information for dependency resolution --> Processing Dependency: kernel = 2.6.15-1.1833_FC4 for package: gnbd-kernel --> Finished Dependency Resolution Error: Missing Dependency: kernel = 2.6.15-1.1833_FC4 is needed by package cman-kernel Error: Missing Dependency: /lib/modules/2.6.15-1.1833_FC4 is needed by package cman-kernel Error: Missing Dependency: /lib/modules/2.6.15-1.1833_FC4 is needed by package dlm-kernel Error: Missing Dependency: kernel = 2.6.15-1.1833_FC4 is needed by package GFS-kernel Error: Missing Dependency: /lib/modules/2.6.15-1.1833_FC4 is needed by package gnbd-kernel Error: Missing Dependency: kernel = 2.6.15-1.1833_FC4 is needed by package dlm-kernel Error: Missing Dependency: /lib/modules/2.6.15-1.1833_FC4 is needed by package GFS-kernel Error: Missing Dependency: kernel = 2.6.15-1.1833_FC4 is needed by package gnbd-kernel ------------------------------------------------------------------------------- Where can I find the necessary files? Dennis From smooge at gmail.com Sat Oct 21 04:43:56 2006 From: smooge at gmail.com (Stephen John Smoogen) Date: Fri, 20 Oct 2006 22:43:56 -0600 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020172901.GC26047@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <20061020172901.GC26047@jadzia.bu.edu> Message-ID: <80d7e4090610202143n7eb897d7p6323f2041f3ec7fc@mail.gmail.com> On 10/20/06, Matthew Miller wrote: > On Fri, Oct 20, 2006 at 09:36:15AM -0600, Stephen John Smoogen wrote: > > The problem is that we are just beat. Jesse has a kid, a release > > cycle, a new knee, and a lot of other stuff on his real job. The other > > people who have been doing stuff have also had 'stuff happen', and > > temporary schedule changes that have become permanent. > > Yes. > > In order to survive the project needs some real support from Red Hat. (Or > some other large company who wants to do Red Hat a favor, but that seems > even less likely.) > > Using the "Chasm" marketing model [*], without Legacy, Fedora is only a > viable solution for Early Adopters and of dubious value to the second > "Pragmatist" group. However, Fedora has been enough of a success that many > Pragmatists are indeed using Fedora. > I would argue that the pragmatists had been using it out of a trust model. They had used Red Hat Linux when it has crossed the chasm, and were using Fedora out of the same trust model. However, Fedora seems to have only been for Early Adopters. Legacy was an added on idea by people who realized that if you are going to put "service" software in an OS, people arent going to want to upgrade every 6 months. The problem with that is that maintaining an OS is always more effort/cost than creating it. That is why Pragmatists, Conservatives, and Laggards are better suited with an "Enterprise" linux. The problem with trying to stay on the Early Adopter side is that they will most likely drop you for the next shiney thing (Gentoo 3 years ago, Ubuntu today, xPath in 3 years) > > Fedora people repeatedly state that the distribution is great for users > beyond the tech-enthusiast Earlier Adopters. But without Legacy, it's really > not true. > To be honest, there are only 2 reasons I use Fedora these days: 1) I drank the Bob Young koolaid long ago, and I am too much an "RPM" man to change to something else.. and 2) I use Fedora to alpha/beta test for the next/current Red Hat Enterprise. Even if Red Hat does not use Fedora as a alpha/beta test for Red Hat Enterprise.. I and many other people who are RHEL/Centos/etc customers do. I use Fedora because I need to know what the next RHEL will have in it. I use it to see what tools in extras I can pull over to my production systems because I need a plone, git, or other tool for some project. I do like having the nice new distro every 6 to 9 months, but I don't get paid to have it... and I am not longer the young kid who has time to twiddle with all the nobs to find out why something isnt working. > > * > > Heh. I hadn't seen that for a long time. Erik Sink was sort of my boss before I went to work for Red Hat. The books "Crossing the Chasm" and "Inside the Tornado" should be required reading for anyone dealing with emerging markets. -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From tthome at cox.net Sat Oct 21 04:57:43 2006 From: tthome at cox.net (Tim Thome) Date: Fri, 20 Oct 2006 21:57:43 -0700 Subject: Fedora Core 4 x86_64 Yum update issues In-Reply-To: <4538FAA2.1030707@email.toast.net> References: <4538FAA2.1030707@email.toast.net> Message-ID: <4539A8C7.3090005@cox.net> Dennis wrote: > I am trying to update my x86_64 installation of Fedora core 4 and I am > getting the following > message from Yum and I need help to resolve this issue. Dennis, These items are related to xen and some other esoteric items that most folks don't use (some do) yum remove gnbd-kernel GFS-kernel cman-kernel dlm-kernel and then you run yum to update things... if you want to reload them... yum install gnbd-kernel GFS-kernel cman-kernel dlm-kernel And you're good to go... Tim From pekkas at netcore.fi Sat Oct 21 06:58:03 2006 From: pekkas at netcore.fi (Pekka Savola) Date: Sat, 21 Oct 2006 09:58:03 +0300 (EEST) Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020141645.eyalm6kqnfkggg48@mail.ph.utexas.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201408.38207.jkeating@redhat.com> <20061020134031.6uzrpsbb0em80888@mail.ph.utexas.edu> <200610201458.06658.jkeating@redhat.com> <20061020141645.eyalm6kqnfkggg48@mail.ph.utexas.edu> Message-ID: On Fri, 20 Oct 2006, Eric Rostetter wrote: > Quoting Jesse Keating : >> And for a while Pekka was posting a list of all the work needed items. Was >> that not usable? I don't remember the discussion of a mailing list for >> bugs, > > Yes, it was, but as I said, I've not seen one for a while... Me not having sent the reminder doesn't mean that the bug list hasn't been updated. It has -- at least semi-regularly (once 1-2 days). I didn't bother because clearly the project failed to function some time ago and there didn't seem to be a point. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings From deisenst at gtw.net Sat Oct 21 09:29:15 2006 From: deisenst at gtw.net (David Eisenstein) Date: Sat, 21 Oct 2006 04:29:15 -0500 Subject: Fedora-legacy open bugs; following them &c Message-ID: <4539E86B.30103@gtw.net> Hi Eric and all, Just as a point of information, if you all are interested in following already- existing Fedora Legacy bugs in Bugzilla, it is pretty easy if you have a Bugzilla account. All you need to do is, once logged in to Bugzilla, click the grey "Account" tab at the top of the page to get to your Bugzilla user preferences. Once there, click on the "Email" tab. That should put you on web-page . There is a form entry on this page, "Users to watch." If you enter "bugs at fedoralegacy.org" in that form, then suddenly you will be able to watch (that is get emails about) all bug activity happening on Fedora Legacy-related bugs, without having to be added to the bugs at fedoralegacy.org email alias by Jesse. Here are some bugs that have lately received at least some attention (that I am aware of): * Bug 209116 , openssl. A FC4 source package, openssl-0.9.7f-7.11.legacy, has been proposed for source-level 'PUBLISH' QA (are we still doing this?), and there are binary packages out there one can also look at and play with if one wants to. The openssl097a compatibility package still needs to be worked on for FC4. For FC3 (which maybe we can create a new Bug item for?), both its native openssl and its compatibility openssl096b packages need work. I have been hoping to get work done on these myself, but I am slow. Note that Red Hat employee Florian La Roche was kind enough to add some suggestions to make our work easier on this bug. * Bug 209167 , seamonkey. Seamonkey is the best we can do to fix Mozilla, because the Mozilla foundation has stopped supporting the Mozilla suite (web browser, email & irc client) as of Mozilla-1.7.13. However, Seamonkey has up until now been produced by Fedora Extras, and Kai Engert has been its maintainer. Michal Jaegermann was kind enough to share information with us about his seamonkey replace- ment packages, and older versions for Red Hat/FC1/FC2 we can probably get from RHEL sources. So this bug is partly to work with Kai in getting the ball rolling and negotiating a (necessary, in my opinion) port of seamonkey from being an Extras package into becoming a Mozilla-replacement Core (Legacy) package, upon which other software (like epiphany and yelp) depend. That way we fix *all* Mozilla-related security bugs. * Other bugs needing some attention: - mailman (bugs 209891 for FC4, 211676 for FC3, I guess ....). There is also a much older mailman bug report (bug #193843) that perhaps we can still get work done on for RHL 7.3, RHL 9, FC1 & FC2. - openssh (bug 208727). Originally opened to deal with FC3, FC4, RHL 7.3 & RHL 9 releases. - kernel (Bug 200034). Many patches were added for FC3 when this bug was being worked originally, but time has elapsed and this bug has grown stale. We now need packages for fc4 as well as fc3, since no doubt there are new kernel vulnerabilities since Legacy was given fc4. This bug was also opened to help RHL 7.3, RHL 9, FC1 & FC2 distros. By the way, Pekka Savola (bless his heart!) still maintains his Fedora Legacy bug-list, here: . There are also, no doubt, scores packages with security bugs that have never been filed in Bugzilla for FC3 and FC4. Like for firefox/thunderbird/httpd/ kdelibs/php/etc. etc. Hope this helped. Regards, David Eisenstein From michal at harddata.com Sat Oct 21 17:48:25 2006 From: michal at harddata.com (Michal Jaegermann) Date: Sat, 21 Oct 2006 11:48:25 -0600 Subject: Fedora-legacy open bugs; following them &c In-Reply-To: <4539E86B.30103@gtw.net> References: <4539E86B.30103@gtw.net> Message-ID: <20061021174825.GA953@mail.harddata.com> On Sat, Oct 21, 2006 at 04:29:15AM -0500, David Eisenstein wrote: > > * Other bugs needing some attention: ... > - openssh (bug 208727). Originally opened to deal with FC3, FC4, RHL 7.3 > & RHL 9 releases. A comment #2, put there by David Eisenstein, :-) in bug 208727 mentions ftp://ftp.harddata.com/pub/Legacy_srpms/openssh-4.2p1-fc4.10.1mj.src.rpm Lifting fixes from RHEL packages and applying to other distribution sources does not look here like a very big deal. In general whatever is available in "Legacy_srpms" is surely in "worksforme" state and in an actual use. OTOH FC4 machines around me most likely pretty soon will be moved to FC6. Michal From rostetter at mail.utexas.edu Sat Oct 21 21:30:59 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Sat, 21 Oct 2006 16:30:59 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: References: <20061019154458.GA3683@jadzia.bu.edu> <200610201408.38207.jkeating@redhat.com> <20061020134031.6uzrpsbb0em80888@mail.ph.utexas.edu> <200610201458.06658.jkeating@redhat.com> <20061020141645.eyalm6kqnfkggg48@mail.ph.utexas.edu> Message-ID: <20061021163059.isyyg0qt6z4ss04g@mail.ph.utexas.edu> Quoting Pekka Savola : > Me not having sent the reminder doesn't mean that the bug list hasn't > been updated. It has -- at least semi-regularly (once 1-2 days). Yep, but my point was that people like me, and I've often said on this list I'm basically lazy, want a "push" rather than "pull" system. > I didn't bother because clearly the project failed to function some > time ago and there didn't seem to be a point. I'm not disagreeing. Just answering Jesse's question to me. I do appreciate that you tried for so long to make a difference by maintaining the list and sending it to the list. At least you took and active role and tried to make things better. More than I can really give myself credit for really. You've been a great help to the project, at least IMHO. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From rostetter at mail.utexas.edu Sun Oct 22 01:51:32 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Sat, 21 Oct 2006 20:51:32 -0500 Subject: Fedora Core 4 x86_64 Yum update issues In-Reply-To: <4538FAA2.1030707@email.toast.net> References: <4538FAA2.1030707@email.toast.net> Message-ID: <20061021205132.8q7p0o19pmo0sgws@mail.ph.utexas.edu> Quoting Dennis : > I am trying to update my x86_64 installation of Fedora core 4 and I am > getting the following > message from Yum and I need help to resolve this issue. As someone else already pointed out, all of these are packages needed to run a cluster. Unless you know you need them (because you are running a cluster system, or a GFS file system), you can just remove them as the other person suggested, and in doing so not only fix it this time but also for future updates/upgrades. If you _do_ need these packages, then you should try the command yum upgrade kernel* which _should_ fix the problem allow your next yum update/upgrade to work. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From alilomo at gmail.com Sun Oct 22 06:09:29 2006 From: alilomo at gmail.com (Ali Lomonaco) Date: Sun, 22 Oct 2006 01:09:29 -0500 Subject: gzip multiple vulnerabilities Message-ID: Hello, Just opened bugzilla #211760 for the gzip vulnerability. I just cloned the fc5 bugzilla #207643. If no one has done any work on this I'll backport the fix from fc5. References: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=211760 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4334 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4335 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4336 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4337 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4338 Thanks, Ali From jkeating at redhat.com Sun Oct 22 13:18:19 2006 From: jkeating at redhat.com (Jesse Keating) Date: Sun, 22 Oct 2006 09:18:19 -0400 Subject: gzip multiple vulnerabilities In-Reply-To: References: Message-ID: <200610220918.19203.jkeating@redhat.com> On Sunday 22 October 2006 02:09, Ali Lomonaco wrote: > ? Just opened bugzilla #211760 for the gzip vulnerability. ?I just > cloned the fc5 bugzilla #207643. ?If no one has done any work on this > I'll backport the fix from fc5. Thanks!! -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From khudnut at ucar.edu Mon Oct 23 17:58:09 2006 From: khudnut at ucar.edu (Karl Hudnut) Date: Mon, 23 Oct 2006 11:58:09 -0600 (MDT) Subject: xfs_iget_core bug. In-Reply-To: <200610220918.19203.jkeating@redhat.com> References: <200610220918.19203.jkeating@redhat.com> Message-ID: Hi, I have been working on a problem that contains a fix for a bug, not a vulnerability, in 2.6.x kernels. Based on kernel.org info I cannot say exactly when it was patched. Here is the patch: ====================================================================================== --- 1.20/fs/xfs/xfs_iget.c Fri Jan 9 07:20:13 2004 +++ edited/fs/xfs/xfs_iget.c Mon Feb 23 14:47:03 2004 @@ -236,13 +236,14 @@ goto again; } -/* Chances are the other vnode (the one in the inode) is being torn - * down right now, and we landed on top of it. Question is, what do - * we do? Unhook the old inode and hook up the new one? - */ - cmn_err(CE_PANIC, - "xfs_iget_core: ambiguous vns: vp/0x%p, invp/0x%p", - inode_vp, vp); + + printk("%s: ambiguous vns: vp/0x%p, invp/0x%p", + __FUNCTION__, inode_vp, vp); + printk("v_vflag = 0x%x, v_type = %d\n", + inode_vp->v_flag, inode_vp->v_type); + printk("i_state = 0x%x, i_count = %d, i_nlink = %d\n", + inode->i_state, inode->i_count, inode->i_nlink); + BUG(); } read_unlock(&ih->ih_lock); ====================================================================================== I think the patch was introduced after 2.6.11, not totally sure. I can tell it was patched by 2.6.17. I need this patch. Can anyone verify if this is included in kernel-smp-2.6.12-2.3.legacy_FC3.x86_64.rpm for FC3 from Fedora Legacy? Thanks. If the answer is yes, please point me to the evidence so I can show it to the rest of the SysAdmin Team here at COSMIC. (Not that we would doubt it, but it would be better to see it for ourselves. Paranoid mode set = 1 and so on.) -- Dr. Karl Hudnut System Administrator UCAR - COSMIC khudnut at ucar.edu http://www.cosmic.ucar.edu 303 497 8024 From tthome at cox.net Tue Oct 24 05:29:50 2006 From: tthome at cox.net (Tim Thome) Date: Mon, 23 Oct 2006 22:29:50 -0700 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610191200.26527.jkeating@j2solutions.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191200.26527.jkeating@j2solutions.net> Message-ID: <453DA4CE.7080208@cox.net> Jesse Keating wrote: > On Thursday 19 October 2006 11:44, Matthew Miller wrote: > >> I think this is really unfortunate, because it makes a big gap in the >> Fedora ecosystem. This will be largely filled by migration to RHEL-rebuild >> distros like CentOS, which is well and good (and particularly painless from >> the end-user point of few) but bad for Fedora. >> >> Without a functioning lifespan of over a year, Fedora is only practically >> useful as an enthusiast, bleeding-edge distro. That's only supposed to be >> _part_ of its mission. >> I can't speak for others, but going into Fedora Core, I knew what the limitations were, and I adjusted my expectations accordingly. I think what much it is boils down is to what is Fedora? It's a distro that is close to the tip of development on GNU/Linux, close enough to be cutting edge, but not so close to the tip to be useless. I knew this going in, and Fedora has done well for what I expected it to do. It's fairly stable, has up to date items for most of the things that I'm interested in for development, and let's me explore some of the items that are next step for RHEL... The realistic expectation is that SQA has been done for core and updates, along with extras... and that Fedora is not forever... If a longer life-cycle is desired, move over to RHEL/Clones... you'll be happier for it. > Here is what I think can happen. > > A) Kill off RHL now. Stop trying to do stuff there when we just don't have > the man power or the volunteers. > Agreed, might get some flak here from others, but is Fedora Legacy the right place for supporting RHL? > B) Move to using Extras infrastructure for building packages. They're ready > for us for FC3 and FC4. > Again, agreed... can prolong things to some extent... > C) Move to Core style updates process. Spin a possible update, toss it > in -testing. If nobody says boo after a period of time, release the darn > thing. If somebody finds it to be broken, fix it and resubmit. > For non-critical patches, this is more than fair... > Somewhere in there convince Luke Macken to do the work to get a Fedora Update > tool available for use externally that does the boring stuff like generate > the email with the checksums and with the subpackage list and all that boring > stuff. It could even handle moving the bug to 'MODIFIED' when it goes in > updates-testing, and finally to CLOSED when it goes to release. Then it > would be easier to get people to contribute, as they'd just be doing things > like checking out a package module, copying a patch from somewhere, commit, > build. That would help a lot. Somebody more "senior" in the project would > fiddle with the tool to prepare the update, and do the sign+push. > > I honestly think that doing these things is the only way that Legacy will > survive. > What would be nice, in a perfect world, is that we change things... Dev/Stable/Maint... add one more level... Maint would be [security] updates only for -2 from current, Stable would be the previous release, and Dev would be the current release... on the eve of FC6 release (hopefully)... Dev - FC6 Stable - FC5 Maint - FC4 Obsolete - FC3 and earlier... And then increment once the next Development snapshot is formally released... Keeping that in mind, this reduces the load to Legacy, as Legacy can work through the maintainance of non-core/non-security updates, and this prolongs the Legacy releases... My biggest grip right now with moving from one snapshot to the next (i.e. from FC3 -> FC4 or FC4-> FC5) is that upgrading is not very clean. Sorry if this is a bit late... been busy in the real-world, but this is something that we can fix... both for supporting older releases as well as making the migration less painful... Tim From Mike.McCarty at sbcglobal.net Tue Oct 24 14:19:23 2006 From: Mike.McCarty at sbcglobal.net (Mike McCarty) Date: Tue, 24 Oct 2006 09:19:23 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610201319.09053.gene.heskett@verizon.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <200610201319.09053.gene.heskett@verizon.net> Message-ID: <453E20EB.4050206@sbcglobal.net> Gene Heskett wrote: [snip] >>Maybe the question we should be asking is: Can we do this? We don't >>have the number of people that Debian Security has on supporting old >>releases.. and because we have fallen so far behind with everything.. >>can we dig ourselves out.. or do we need to completely reboot the >>whole thing (new people, new goals, new name) with the new people >>really knowing that >> >>A) we arent going to get much help from 3rd party vendors >>B) we arent going to get much help from the community > > > I'd comment that for this fedora user at least, the security etc stuffs > should be extended at least to the point where we each of us, has a > system, old though it may be in FC years, that works and does everything > WE want it to do. Hi, Gene. I haven't been around here for a while. Nice to see something from you. That's my situation, too. But I don't think that the FC project is really set up for that. I use FC2, and when I finally bite the bullet and feel it imperative to "upgrade" it won't be to FCx. That isn't what FC is about, it seems. For the reason you give, it doesn't really suit my needs. > Throwing us "to the wolves" doesn't make me want to format and update at > anywhere near the release cycle for FC. My email archive alone goes back > into 1998 here. Yes, there are backups, and I do them rather religiously Umm, FC didn't exist in 1998. Anyway, FC is really for tinkerers, not for people who want a distro that "just works". I installed it because I was asked to do so by a company which hired me for a contract. For my *own* needs, Debian would have been better. Much slower release cycle. Fewer defects. > But I'm not about to do this every 6 months as planned by the FC people, I Well, that's what FC *is*. I have several friends who have started using Linux over the last few years, and we are all going through culture shock at what is called QA in the "Linux World". FC, even in Linux terms, is a "use at your own risk" kind of distro. Not that care isn't taken, but stuff is gonna break when a new release comes out. If you don't want installing the OS to be a hobby, perhaps you should consider a different distro. I know I am. Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. You have found the bank of Larn. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! From Mike.McCarty at sbcglobal.net Tue Oct 24 14:23:00 2006 From: Mike.McCarty at sbcglobal.net (Mike McCarty) Date: Tue, 24 Oct 2006 09:23:00 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <20061020172901.GC26047@jadzia.bu.edu> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <20061020172901.GC26047@jadzia.bu.edu> Message-ID: <453E21C4.2060106@sbcglobal.net> Matthew Miller wrote: [snip] > Using the "Chasm" marketing model [*], without Legacy, Fedora is only a > viable solution for Early Adopters and of dubious value to the second > "Pragmatist" group. However, Fedora has been enough of a success that many > Pragmatists are indeed using Fedora. I'm not familiar with that, but I'll look into it. I agree with your statement. > This results in large numbers of FC2, FC3, FC4 machines in production beyond > their supported lifetime. Pragmatists, by their nature, don't wanna be > upgrading all the time. Without Legacy, they're best served by CentOS and > kin. That's fine, but it's a loss for Fedora, as they're then less likely to > feed back into Extras, etc. And it's also a problem because it results in > large numbers of potentially vulnerable machines in the wild. You have struck a very large nail upon the head with perfect orthogonality. I'm using FC2 here. > Fedora people repeatedly state that the distribution is great for users > beyond the tech-enthusiast Earlier Adopters. But without Legacy, it's really > not true. Indeed. This is a statement which I have made on several occasions, only to be hooted down. Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. You have found the bank of Larn. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! From Mike.McCarty at sbcglobal.net Tue Oct 24 14:33:16 2006 From: Mike.McCarty at sbcglobal.net (Mike McCarty) Date: Tue, 24 Oct 2006 09:33:16 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <80d7e4090610202143n7eb897d7p6323f2041f3ec7fc@mail.gmail.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <20061020172901.GC26047@jadzia.bu.edu> <80d7e4090610202143n7eb897d7p6323f2041f3ec7fc@mail.gmail.com> Message-ID: <453E242C.4080707@sbcglobal.net> Stephen John Smoogen wrote: > On 10/20/06, Matthew Miller wrote: > >> On Fri, Oct 20, 2006 at 09:36:15AM -0600, Stephen John Smoogen wrote: >> > The problem is that we are just beat. Jesse has a kid, a release >> > cycle, a new knee, and a lot of other stuff on his real job. The other >> > people who have been doing stuff have also had 'stuff happen', and >> > temporary schedule changes that have become permanent. >> >> Yes. >> >> In order to survive the project needs some real support from Red Hat. (Or >> some other large company who wants to do Red Hat a favor, but that seems >> even less likely.) >> > >> Using the "Chasm" marketing model [*], without Legacy, Fedora is only a >> viable solution for Early Adopters and of dubious value to the second >> "Pragmatist" group. However, Fedora has been enough of a success that >> many >> Pragmatists are indeed using Fedora. >> > > I would argue that the pragmatists had been using it out of a trust > model. They had used Red Hat Linux when it has crossed the chasm, and I don't believe that Linux in general has crossed the chasm yet. I think it's *all* still in the "early adopters" stage. But within the "Linux community" (oxymoron) FC is the early adopters of the early adopters. [snip] > 2) I use Fedora to alpha/beta test for the next/current Red Hat Enterprise. How come when I state that FC is beta test, I get dog-piled, but you don't? [snip] Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. You have found the bank of Larn. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! From cradle at umd.edu Tue Oct 24 14:33:22 2006 From: cradle at umd.edu (David Eisner) Date: Tue, 24 Oct 2006 10:33:22 -0400 Subject: Migrating from RH9 Legacy to CentOS 3 Message-ID: <453E2432.5050708@umd.edu> With the end of Legacy support for RH9, I'd like to migrate my Fedora Legacified RH9 box to Centos 3. I've used these directions in the past to successfully migrate from non-legacy RH9 to Centos 3.1 using yum: http://www.owlriver.com/tips/centos-31-ex-rhl-9/ Any thoughts on whether this should also work with the .legacy packages? Thanks in advance. -David From gene.heskett at verizon.net Tue Oct 24 14:43:14 2006 From: gene.heskett at verizon.net (Gene Heskett) Date: Tue, 24 Oct 2006 10:43:14 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <453E20EB.4050206@sbcglobal.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610201319.09053.gene.heskett@verizon.net> <453E20EB.4050206@sbcglobal.net> Message-ID: <200610241043.14914.gene.heskett@verizon.net> On Tuesday 24 October 2006 10:19, Mike McCarty wrote: >Gene Heskett wrote: > >[snip] > >>>Maybe the question we should be asking is: Can we do this? We don't >>>have the number of people that Debian Security has on supporting old >>>releases.. and because we have fallen so far behind with everything.. >>>can we dig ourselves out.. or do we need to completely reboot the >>>whole thing (new people, new goals, new name) with the new people >>>really knowing that >>> >>>A) we arent going to get much help from 3rd party vendors >>>B) we arent going to get much help from the community >> >> I'd comment that for this fedora user at least, the security etc stuffs >> should be extended at least to the point where we each of us, has a >> system, old though it may be in FC years, that works and does >> everything WE want it to do. > >Hi, Gene. I haven't been around here for a while. Nice to see something >from you. > >That's my situation, too. But I don't think that the FC project is >really set up for that. I use FC2, and when I finally bite the bullet >and feel it imperative to "upgrade" it won't be to FCx. That isn't >what FC is about, it seems. For the reason you give, it doesn't really >suit my needs. > >> Throwing us "to the wolves" doesn't make me want to format and update >> at anywhere near the release cycle for FC. My email archive alone goes >> back into 1998 here. Yes, there are backups, and I do them rather >> religiously > >Umm, FC didn't exist in 1998. Of course not, but RH5 did. >Anyway, FC is really for tinkerers, not for people who want a distro >that "just works". I installed it because I was asked to do so by >a company which hired me for a contract. For my *own* needs, Debian >would have been better. Much slower release cycle. Fewer defects. > >> But I'm not about to do this every 6 months as planned by the FC >> people, I > >Well, that's what FC *is*. I have several friends who have started >using Linux over the last few years, and we are all going through >culture shock at what is called QA in the "Linux World". FC, even in >Linux terms, is a "use at your own risk" kind of distro. Not that >care isn't taken, but stuff is gonna break when a new release comes >out. So we've noticed, and its the really blatant breakage that irks us the most, like FC4's x crashing on probably half the boxes at the initial reboot. With no clues of course because the only way to get to the logs was to reboot from the cd in single mode. And not being fam with the mount tree, the logs are hard to find. But, that FC4 fiaso that had many of us threatening to burn someone at the stake did help in that it brought the attention of TPTB that additional checking and bodies needed to be assigned to the FC releases, and that additional effort can certainly be seen in the overall quality of the FC5 release. Unforch, now I'm reading between the lines and coming to the conclusion that fedora is again being body starved. We'll see in a couple of days I guess. >If you don't want installing the OS to be a hobby, perhaps you >should consider a different distro. I know I am. Yup, I have one kubuntu box now running emc2-head, and there may be a kubuntu install on this box in another few weeks. Although, after the initial fixups of FC5 on my lappy, its all working pretty well, so the coin with kubuntu 6.10 on one side, and FC6 on the other, is still up in the air. Kubuntu's main problem is the cups install is about half, like one testical didn't come down, so there's a lot of wheels to reinvent there before cups does its thing with networked printers. I made it work by copying stuff off other working systems, thank $favorite-deity for samba & someone telling me howto make a real root account on a kubuntu box... > >Mike -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are: Copyright 2006 by Maurice Eugene Heskett, all rights reserved. From gene.heskett at verizon.net Tue Oct 24 14:57:54 2006 From: gene.heskett at verizon.net (Gene Heskett) Date: Tue, 24 Oct 2006 10:57:54 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <453E21C4.2060106@sbcglobal.net> References: <20061019154458.GA3683@jadzia.bu.edu> <20061020172901.GC26047@jadzia.bu.edu> <453E21C4.2060106@sbcglobal.net> Message-ID: <200610241057.54123.gene.heskett@verizon.net> On Tuesday 24 October 2006 10:23, Mike McCarty wrote: >Matthew Miller wrote: > >[snip] > >> Using the "Chasm" marketing model [*], without Legacy, Fedora is only a >> viable solution for Early Adopters and of dubious value to the second >> "Pragmatist" group. However, Fedora has been enough of a success that >> many Pragmatists are indeed using Fedora. > >I'm not familiar with that, but I'll look into it. I agree with your >statement. > I couldn't say it any better either. >> This results in large numbers of FC2, FC3, FC4 machines in production >> beyond their supported lifetime. Pragmatists, by their nature, don't >> wanna be upgrading all the time. Without Legacy, they're best served by >> CentOS and kin. That's fine, but it's a loss for Fedora, as they're >> then less likely to feed back into Extras, etc. And it's also a problem >> because it results in large numbers of potentially vulnerable machines >> in the wild. > >You have struck a very large nail upon the head with perfect >orthogonality. I'm using FC2 here. Ditto, albeit with lots of stuff installed from tarballs because so much of FC2 was considerably more broken. IMO to release that without any kde testing should have been a no-no. As it was, just waving the mouse over a printing function in a kde menu brought the box down. Thats NOT good PR for fedora. >> Fedora people repeatedly state that the distribution is great for users >> beyond the tech-enthusiast Earlier Adopters. But without Legacy, it's >> really not true. > >Indeed. This is a statement which I have made on several occasions, only >to be hooted down. Well, in my case I picked a distro that spoke english, then fixed what needed to be fixed. That wasn't as easy as it should have been when one can't stand the gnome's constant nagging about being root, dammit its my machine, why the heck should I put another million miles on my mouse getting rid of nag windows cause I'm root! That meant that cups, gimp, imagemajik, kino, qt and kde all got installed outside the rpm box from tarballs that FC2 would never backport even though what they had was broken. Now kino has died due to kernel changes (currently running 2.6.19-rc3), so the next vcd I make will be on my lappies teeny little 60GB partition for linux. Or on this box after I put FC6||kubuntu on it. Would the world be worse off if fedora died? Obviously yes, even for the pragmatists. We all bet on our favorite horse you know. >Mike -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are: Copyright 2006 by Maurice Eugene Heskett, all rights reserved. From rostetter at mail.utexas.edu Tue Oct 24 15:33:18 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Tue, 24 Oct 2006 10:33:18 -0500 Subject: Migrating from RH9 Legacy to CentOS 3 In-Reply-To: <453E2432.5050708@umd.edu> References: <453E2432.5050708@umd.edu> Message-ID: <20061024103318.xayo05eq1p5kckc8@mail.ph.utexas.edu> Quoting David Eisner : > With the end of Legacy support for RH9, I'd like to migrate my Fedora > Legacified RH9 box to Centos 3. Sounds reasonable. > I've used these directions in the past to successfully migrate from > non-legacy RH9 to Centos 3.1 using yum: > > http://www.owlriver.com/tips/centos-31-ex-rhl-9/ > > Any thoughts on whether this should also work with the .legacy packages? Should work fine. Sometimes you will find a dependency issue to work around. Often that means removing the old package. Sometimes it might mean changing yum's "exactarch=1" to "exactarch=0" to get around a dependency issue caused by architecture changes (from i386 to noarch or vise-versa, or from 32 bit to 64 bit, etc). Generally it runs smoothly, but occassionally some thought must be put into resolving some dependency issue... One thing I don't see mentioned much. First, do a "yum update" or "yum upgrade" on the RHL 9 repo. Then do a "yum clean" to free up disk space. Then do your yum upgrade to Centos. Otherwise, you will have your old RHL yum cache taking up a lot of space... > Thanks in advance. > > -David -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From hahaha_30k at yahoo.com Tue Oct 24 18:52:09 2006 From: hahaha_30k at yahoo.com (Robinson Tiemuqinke) Date: Tue, 24 Oct 2006 11:52:09 -0700 (PDT) Subject: Some supporting ideas regarding fedora legacy project when FC6 is out today Message-ID: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> Hi, Glad that FC6 is out today for download/playing. But FC5 and FC6 are released too closely -- only three months apart. while FC4 had released over one year before FC5 appeared. Consequently, a lot of people and small organizations, as far as I know, have installed bunches of "free" FC4 boxes instead of FC5. Thereafter, they will directly go to FC6 instead of FC4->FC5->FC6, taking into the consideration of that each upgrade from one release to another one is not a tedious work. Based on the above fact, one idea will flow out naturally: based on the limited resourses of fedora legacy groups, and facing losing users because limited legacy support is flatted to each FC legacy release. Is it possible to support only some subset of releases? We can take the following strategy: 1, for each odd-numbered release, take it as a alpha version release, and don't support it with limited fedora legacy resources. So FC5, FC7, FC9 will not go into fedora legacy. and they will be in official(redhat) support status in no more than half year, or even a quarter. 2, for each even-numbered release, take it as a post-beta version release. these version will stay in official support for more than one year like FC4, then after its ending of official support, the release will go to fedora legacy for another one and half years or even longer based on resources. 3, for the support even-numbered releases, both i386/x86_64 arches are supported. because nowadays all new machines are amd64 or Intel EM64T, while original i386 is still in use. This way we can bring FC releases back into the free RH years since RH6.0 to RH9, helpful for FC, RH and users. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From jkeating at j2solutions.net Tue Oct 24 19:07:24 2006 From: jkeating at j2solutions.net (Jesse Keating) Date: Tue, 24 Oct 2006 15:07:24 -0400 Subject: Some supporting ideas regarding fedora legacy project when FC6 is out today In-Reply-To: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> References: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> Message-ID: <200610241507.24541.jkeating@j2solutions.net> On Tuesday 24 October 2006 14:52, Robinson Tiemuqinke wrote: > ?But FC5 and FC6 are released too closely -- only > three months apart. while FC4 had released over one > year before FC5 appeared. Where the heck are you getting your figures? FC5 was released 3/20/2006, FC4 was released 6/13/2005, that's 9~ months. FC6 was released today, 10/24, about 7 months since FC5 was released. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From drees76 at gmail.com Tue Oct 24 19:09:11 2006 From: drees76 at gmail.com (David Rees) Date: Tue, 24 Oct 2006 12:09:11 -0700 Subject: Some supporting ideas regarding fedora legacy project when FC6 is out today In-Reply-To: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> References: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> Message-ID: <72dbd3150610241209x206303c7u2be5e0a493da662d@mail.gmail.com> On 10/24/06, Robinson Tiemuqinke wrote: > But FC5 and FC6 are released too closely -- only > three months apart. while FC4 had released over one > year before FC5 appeared. Huh? There has been at least 6 months between each FC release. FC1 release: Nov 5 2003 FC2 release: May 18 2004 FC3 release: Nov 8 2004 FC4 release: Jun 13 2005 FC5 release: Mar 20 2006 FC6 release: Oct 24 2006 -Dave From kelson at speed.net Tue Oct 24 19:14:56 2006 From: kelson at speed.net (Kelson) Date: Tue, 24 Oct 2006 12:14:56 -0700 Subject: Some supporting ideas regarding fedora legacy project when FC6 is out today In-Reply-To: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> References: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> Message-ID: <453E6630.5000202@speed.net> Robinson Tiemuqinke wrote: > But FC5 and FC6 are released too closely -- only > three months apart. Only if by "three" you mean "seven." FC5 came out in March. -- Kelson Vibber SpeedGate Communications From hahaha_30k at yahoo.com Tue Oct 24 20:04:46 2006 From: hahaha_30k at yahoo.com (Robinson Tiemuqinke) Date: Tue, 24 Oct 2006 13:04:46 -0700 (PDT) Subject: Sorry for confusion -- Re: Some supporting ideas regarding fedora legacy project when FC6 is out today In-Reply-To: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> Message-ID: <20061024200446.91706.qmail@web36712.mail.mud.yahoo.com> Hi, Sorry, confusion regarding the release date and "end of official support" date. But in general, That doesn't look like a bad idea, a strategy similar to linux kernel maintenance. Every will gain from the strategy: Redhat RPM lovers will stay happily with FC/FCLegacy with longer release support time; Redhat Inc. will attract more users, I mean, both pure enthusiastic and small business users. Currently FC just scares aways small business users to Debian/Gentoo because the former have so short a lifespan. Without real business users play in these FC test-beds RHEL will die away shortly. FC Legacy support group have no reasons to object the strategy as well? :) There are lesser releases to support but better support for supported ones. --- Robinson Tiemuqinke wrote: > Hi, > > Glad that FC6 is out today for download/playing. > > But FC5 and FC6 are released too closely -- only > three months apart. while FC4 had released over one > year before FC5 appeared. Consequently, a lot of > people and small organizations, as far as I know, > have > installed bunches of "free" FC4 boxes instead of > FC5. > Thereafter, they will directly go to FC6 instead of > FC4->FC5->FC6, taking into the consideration of that > each upgrade from one release to another one is not > a > tedious work. > > Based on the above fact, one idea will flow out > naturally: based on the limited resourses of fedora > legacy groups, and facing losing users because > limited > legacy support is flatted to each FC legacy release. > Is it possible to support only some subset of > releases? We can take the following strategy: > > 1, for each odd-numbered release, take it as a > alpha > version release, and don't support it with limited > fedora legacy resources. So FC5, FC7, FC9 will not > go > into fedora legacy. and they will be in > official(redhat) support status in no more than half > year, or even a quarter. > > 2, for each even-numbered release, take it as a > post-beta version release. these version will stay > in > official support for more than one year like FC4, > then > after its ending of official support, the release > will > go to fedora legacy for another one and half years > or > even longer based on resources. > > 3, for the support even-numbered releases, both > i386/x86_64 arches are supported. because nowadays > all > new machines are amd64 or Intel EM64T, while > original > i386 is still in use. > > This way we can bring FC releases back into the > free > RH years since RH6.0 to RH9, helpful for FC, RH and > users. > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam > protection around > http://mail.yahoo.com > > -- > fedora-legacy-list mailing list > fedora-legacy-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-legacy-list > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From nils at lemonbit.nl Tue Oct 24 20:44:04 2006 From: nils at lemonbit.nl (Nils Breunese (Lemonbit)) Date: Tue, 24 Oct 2006 22:44:04 +0200 Subject: Sorry for confusion -- Re: Some supporting ideas regarding fedora legacy project when FC6 is out today In-Reply-To: <20061024200446.91706.qmail@web36712.mail.mud.yahoo.com> References: <20061024200446.91706.qmail@web36712.mail.mud.yahoo.com> Message-ID: <40FD01EB-3B23-4D62-90FC-6B1A4F1FE15D@lemonbit.nl> Robinson Tiemuqinke wrote: > Currently FC just scares aways small business users to > Debian/Gentoo because the former have so short a > lifespan. Without real business users play in these FC > test-beds RHEL will die away shortly. Why do you think they will move to Debian or Gentoo? And why Debian or Gentoo? I really don't see the logic. If they like the Red Hat-way of running Linux they'll almost certainly prefer CentOS or RHEL if they like Fedora but want a longer life cycle. Nils Breunese. -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: Dit deel van het bericht is digitaal ondertekend URL: From rostetter at mail.utexas.edu Tue Oct 24 21:42:27 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Tue, 24 Oct 2006 16:42:27 -0500 Subject: Some supporting ideas regarding fedora legacy project when FC6 is out today In-Reply-To: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> References: <20061024185209.60477.qmail@web36704.mail.mud.yahoo.com> Message-ID: <20061024164227.yckd9fpljq8kcwws@mail.ph.utexas.edu> Quoting Robinson Tiemuqinke : > Based on the above fact, one idea will flow out > naturally: based on the limited resourses of fedora > legacy groups, and facing losing users because limited > legacy support is flatted to each FC legacy release. > Is it possible to support only some subset of > releases? We can take the following strategy: Sure. We can just support one release if we want. Kind of makes the project rather pointless though if we keep changing the rules constantly. The _ONLY_ way there is a justification for Fedora Legacy is if it has, and maintains, a schedule so that people can depend on it. Otherwise, there really is no point to it. > 1, for each odd-numbered release, take it as a alpha > version release, and don't support it with limited > fedora legacy resources. So FC5, FC7, FC9 will not go > into fedora legacy. and they will be in > official(redhat) support status in no more than half > year, or even a quarter. And people who unkowning install one of those and then find out about FL are just out of luck? > 2, for each even-numbered release, take it as a > post-beta version release. these version will stay in > official support for more than one year like FC4, then > after its ending of official support, the release will > go to fedora legacy for another one and half years or > even longer based on resources. This implies that Fedora Core will support the even numbered releases for more than a year which is not something they will guarantee. So this won't work. > This way we can bring FC releases back into the free > RH years since RH6.0 to RH9, helpful for FC, RH and > users. I don't understand what you are trying to say here. You want to reduce support, then you compare that to the fantastic support of the old RHL days? Doesn't make any sense to me. If FL is to have any trust from the users and Fedora community, it _must_ keep a support schedule, and not change it willy nilly. (Actually, it is okay to extend support for something, or even reduce support for future unreleased versions, but not to reduce or eliminate support that was already promised for a release that is already in use). -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From smooge at gmail.com Tue Oct 24 21:52:26 2006 From: smooge at gmail.com (Stephen John Smoogen) Date: Tue, 24 Oct 2006 15:52:26 -0600 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <453E242C.4080707@sbcglobal.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <20061020172901.GC26047@jadzia.bu.edu> <80d7e4090610202143n7eb897d7p6323f2041f3ec7fc@mail.gmail.com> <453E242C.4080707@sbcglobal.net> Message-ID: <80d7e4090610241452q3c18c0c3r124a99ad4dd93e17@mail.gmail.com> On 10/24/06, Mike McCarty wrote: > Stephen John Smoogen wrote: > > On 10/20/06, Matthew Miller wrote: > > > >> On Fri, Oct 20, 2006 at 09:36:15AM -0600, Stephen John Smoogen wrote: > >> > The problem is that we are just beat. Jesse has a kid, a release > >> > cycle, a new knee, and a lot of other stuff on his real job. The other > >> > people who have been doing stuff have also had 'stuff happen', and > >> > temporary schedule changes that have become permanent. > >> > >> Yes. > >> > >> In order to survive the project needs some real support from Red Hat. (Or > >> some other large company who wants to do Red Hat a favor, but that seems > >> even less likely.) > >> > > > >> Using the "Chasm" marketing model [*], without Legacy, Fedora is only a > >> viable solution for Early Adopters and of dubious value to the second > >> "Pragmatist" group. However, Fedora has been enough of a success that > >> many > >> Pragmatists are indeed using Fedora. > >> > > > > I would argue that the pragmatists had been using it out of a trust > > model. They had used Red Hat Linux when it has crossed the chasm, and > > I don't believe that Linux in general has crossed the chasm yet. I think > it's *all* still in the "early adopters" stage. But within the "Linux > community" (oxymoron) FC is the early adopters of the early adopters. > That would put you in the conservative column then. So far at the 3 10,000+ person companies I have worked at for the last 5 years, we have replaced 90% of our Solaris, AIX, mainframes etc with Linux. From what I have been helping with at other sites this has been the trend in the last 4 years. One site a friend works at just bought 5000 sun boxes. Although they each have a Solaris license, none of them will be using Solaris.. its just that the AMD hardware was considered better to run the clusters on. > > [snip] > > > 2) I use Fedora to alpha/beta test for the next/current Red Hat Enterprise. > > How come when I state that FC is beta test, I get dog-piled, but > you don't? > Because I said I used Fedora as a beta test.. not that Fedora is a beta test. The two are not equal statements. Red Hat may not use it as such, but I as a consumer do. -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From rostetter at mail.utexas.edu Tue Oct 24 21:57:11 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Tue, 24 Oct 2006 16:57:11 -0500 Subject: Sorry for confusion -- Re: Some supporting ideas regarding fedora legacy project when FC6 is out today In-Reply-To: <20061024200446.91706.qmail@web36712.mail.mud.yahoo.com> References: <20061024200446.91706.qmail@web36712.mail.mud.yahoo.com> Message-ID: <20061024165711.e6v3dc4drzi80c0o@mail.ph.utexas.edu> Quoting Robinson Tiemuqinke : > But in general, That doesn't look like a bad idea, a > strategy similar to linux kernel maintenance. This would be up to RH/Fedora to decide, not Fedora Legacy. > Every will gain from the strategy: Redhat RPM lovers > will stay happily with FC/FCLegacy with longer release > support time; Redhat Inc. will attract more users, I > mean, both pure enthusiastic and small business users. Assuming Red Hat wanted to attract them, yes. But what if RH doesn't want businesses to use FC since they want to make their stock holders happy by selling RHEL instead? > Currently FC just scares aways small business users to > Debian/Gentoo because the former have so short a > lifespan. Without real business users play in these FC > test-beds RHEL will die away shortly. Seems that RHEL is doing just fine actually. > FC Legacy support group have no reasons to object the > strategy as well? :) There are lesser releases to > support but better support for supported ones. But we have nothing to do with it. This decision is totally up to RH/Fedora. FL has nothing to do with it. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From Mike.McCarty at sbcglobal.net Tue Oct 24 22:21:10 2006 From: Mike.McCarty at sbcglobal.net (Mike McCarty) Date: Tue, 24 Oct 2006 17:21:10 -0500 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <80d7e4090610241452q3c18c0c3r124a99ad4dd93e17@mail.gmail.com> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <20061020172901.GC26047@jadzia.bu.edu> <80d7e4090610202143n7eb897d7p6323f2041f3ec7fc@mail.gmail.com> <453E242C.4080707@sbcglobal.net> <80d7e4090610241452q3c18c0c3r124a99ad4dd93e17@mail.gmail.com> Message-ID: <453E91D6.7050006@sbcglobal.net> Stephen John Smoogen wrote: > On 10/24/06, Mike McCarty wrote: > >> Stephen John Smoogen wrote: >> > On 10/20/06, Matthew Miller wrote: >> > >> >> On Fri, Oct 20, 2006 at 09:36:15AM -0600, Stephen John Smoogen wrote: >> >> > The problem is that we are just beat. Jesse has a kid, a release >> >> > cycle, a new knee, and a lot of other stuff on his real job. The >> other >> >> > people who have been doing stuff have also had 'stuff happen', and >> >> > temporary schedule changes that have become permanent. >> >> >> >> Yes. >> >> >> >> In order to survive the project needs some real support from Red >> Hat. (Or >> >> some other large company who wants to do Red Hat a favor, but that >> seems >> >> even less likely.) >> >> >> > >> >> Using the "Chasm" marketing model [*], without Legacy, Fedora is >> only a >> >> viable solution for Early Adopters and of dubious value to the second >> >> "Pragmatist" group. However, Fedora has been enough of a success that >> >> many >> >> Pragmatists are indeed using Fedora. >> >> >> > >> > I would argue that the pragmatists had been using it out of a trust >> > model. They had used Red Hat Linux when it has crossed the chasm, and >> >> I don't believe that Linux in general has crossed the chasm yet. I think >> it's *all* still in the "early adopters" stage. But within the "Linux >> community" (oxymoron) FC is the early adopters of the early adopters. >> > > That would put you in the conservative column then. So far at the 3 No, I am not. I'm in the Pragmatist group. But you can't tell from what I wrote. > 10,000+ person companies I have worked at for the last 5 years, we > have replaced 90% of our Solaris, AIX, mainframes etc with Linux. From > what I have been helping with at other sites this has been the trend My opinion is based on the just recent (few months) decision of State governments to use Open Document formats, rather than MS proprietary. The people who use and promote Linux are, in the business world at least, still the "golly gee!" crowd, and not either the Pragmatists nor the Conservatives. > in the last 4 years. One site a friend works at just bought 5000 sun > boxes. Although they each have a Solaris license, none of them will be > using Solaris.. its just that the AMD hardware was considered better > to run the clusters on. These are interesting stats, and indicate that Linux may now be crossing the gap. I belive most offices are still firmly MS product houses, and a move to Linux would not even be considered. I know that every time I see a request for a resume, the format requested is MS Word. Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} This message made from 100% recycled bits. You have found the bank of Larn. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! From jkeating at j2solutions.net Tue Oct 24 22:32:46 2006 From: jkeating at j2solutions.net (Jesse Keating) Date: Tue, 24 Oct 2006 18:32:46 -0400 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <453E91D6.7050006@sbcglobal.net> References: <20061019154458.GA3683@jadzia.bu.edu> <80d7e4090610241452q3c18c0c3r124a99ad4dd93e17@mail.gmail.com> <453E91D6.7050006@sbcglobal.net> Message-ID: <200610241832.49254.jkeating@j2solutions.net> On Tuesday 24 October 2006 18:21, Mike McCarty wrote: > These are interesting stats, and indicate that Linux may now be > crossing the gap. I belive most offices are still firmly MS product > houses, and a move to Linux would not even be considered. I know > that every time I see a request for a resume, the format requested > is MS Word. Use on the desktop should not be tied to use in the server room. You'll find a MUCH higher usage of linux in the server room. However since the majority of the desktops are Windows, MS Word gets used a lot. A really open cross platform format should be used, such as PDF, but that's not a here nor there question. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From smooge at gmail.com Wed Oct 25 02:18:51 2006 From: smooge at gmail.com (Stephen John Smoogen) Date: Tue, 24 Oct 2006 20:18:51 -0600 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <453E91D6.7050006@sbcglobal.net> References: <20061019154458.GA3683@jadzia.bu.edu> <200610191211.27193.jkeating@j2solutions.net> <20061020094805.8vw0w2cpesvkskok@mail.ph.utexas.edu> <200610201059.13949.jkeating@redhat.com> <80d7e4090610200836u233f3e19hd2e43db16a44c91a@mail.gmail.com> <20061020172901.GC26047@jadzia.bu.edu> <80d7e4090610202143n7eb897d7p6323f2041f3ec7fc@mail.gmail.com> <453E242C.4080707@sbcglobal.net> <80d7e4090610241452q3c18c0c3r124a99ad4dd93e17@mail.gmail.com> <453E91D6.7050006@sbcglobal.net> Message-ID: <80d7e4090610241918j7769adb4m52c4aaabfef244fc@mail.gmail.com> On 10/24/06, Mike McCarty wrote: > Stephen John Smoogen wrote: > > On 10/24/06, Mike McCarty wrote: > > > >> Stephen John Smoogen wrote: > >> > On 10/20/06, Matthew Miller wrote: > >> > > >> >> On Fri, Oct 20, 2006 at 09:36:15AM -0600, Stephen John Smoogen wrote: > >> >> > The problem is that we are just beat. Jesse has a kid, a release > >> >> > cycle, a new knee, and a lot of other stuff on his real job. The > >> other > >> >> > people who have been doing stuff have also had 'stuff happen', and > >> >> > temporary schedule changes that have become permanent. > >> >> > >> >> Yes. > >> >> > >> >> In order to survive the project needs some real support from Red > >> Hat. (Or > >> >> some other large company who wants to do Red Hat a favor, but that > >> seems > >> >> even less likely.) > >> >> > >> > > >> >> Using the "Chasm" marketing model [*], without Legacy, Fedora is > >> only a > >> >> viable solution for Early Adopters and of dubious value to the second > >> >> "Pragmatist" group. However, Fedora has been enough of a success that > >> >> many > >> >> Pragmatists are indeed using Fedora. > >> >> > >> > > >> > I would argue that the pragmatists had been using it out of a trust > >> > model. They had used Red Hat Linux when it has crossed the chasm, and > >> > >> I don't believe that Linux in general has crossed the chasm yet. I think > >> it's *all* still in the "early adopters" stage. But within the "Linux > >> community" (oxymoron) FC is the early adopters of the early adopters. > >> > > > > That would put you in the conservative column then. So far at the 3 > > No, I am not. I'm in the Pragmatist group. > > But you can't tell from what I wrote. > > > 10,000+ person companies I have worked at for the last 5 years, we > > have replaced 90% of our Solaris, AIX, mainframes etc with Linux. From > > what I have been helping with at other sites this has been the trend > > My opinion is based on the just recent (few months) decision of > State governments to use Open Document formats, rather than MS > proprietary. The people who use and promote Linux are, in the > business world at least, still the "golly gee!" crowd, and > not either the Pragmatists nor the Conservatives. > > > in the last 4 years. One site a friend works at just bought 5000 sun > > boxes. Although they each have a Solaris license, none of them will be > > using Solaris.. its just that the AMD hardware was considered better > > to run the clusters on. > > These are interesting stats, and indicate that Linux may now be > crossing the gap. I belive most offices are still firmly MS product > houses, and a move to Linux would not even be considered. I know > that every time I see a request for a resume, the format requested > is MS Word. > Well there is a big difference between talking about Linux on the desktop and Linux in the server. I think Linux in the server area crossed the chasm a long time ago with over a million servers being used by most of the Fortune 500. On the personal desktop side.. I think it has crossed the chasm, but will never be the Gorilla (to steal a term from Moore's "Inside the Tornado"). A market place is usually split between a gorilla, 1-2 chimps, and the remaining monkeys. The 500 lb gorilla can get 40-85% of the market and the chimps and the monkeys get the rest. The Ape of the desktop market is of course Windows. Currently the Chimp #1 is and Chimp #2 might be some brand of Linux... and the various 'monkeys' being other brands of Linux/BSD/etc. Looking over my data, it looks to break down this way: Servers: Linux 50%, Windows 30%, Unix <10%, Mac/etc the rest Desktops: Windows 70%, Mac 20%, Linux/FreeBSD/etc the remaining 10%. [So while we had 3000 Linux desktops at one site.. it was only 10%] The embedded market space (small routers, firewalls, small security systems, cameras, etc) , we found that a majority of new systems were coming with Linux installed on them (even if we didnt know about it until we took them apart). -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From diogenes at xenodochy.org Wed Oct 25 04:56:59 2006 From: diogenes at xenodochy.org (Ralph E. Kenyon, Jr.) Date: Wed, 25 Oct 2006 00:56:59 -0400 Subject: Migrating from RH9 Legacy to CentOS 3 In-Reply-To: <20061024103318.xayo05eq1p5kckc8@mail.ph.utexas.edu> References: <453E2432.5050708@umd.edu> <20061024103318.xayo05eq1p5kckc8@mail.ph.utexas.edu> Message-ID: On Tue, 24 Oct 2006 11:33:18 -0400, Eric Rostetter wrote: > Quoting David Eisner : > >> With the end of Legacy support for RH9, I'd like to migrate my Fedora >> Legacified RH9 box to Centos 3. > > Sounds reasonable. > >> I've used these directions in the past to successfully migrate from >> non-legacy RH9 to Centos 3.1 using yum: >> >> http://www.owlriver.com/tips/centos-31-ex-rhl-9/ >> >> Any thoughts on whether this should also work with the .legacy packages? > > Should work fine. Sometimes you will find a dependency issue to work > around. Often that means removing the old package. Sometimes it might > mean changing yum's "exactarch=1" to "exactarch=0" to get around a > dependency issue caused by architecture changes (from i386 to noarch > or vise-versa, or from 32 bit to 64 bit, etc). > > Generally it runs smoothly, but occassionally some thought must be put > into resolving some dependency issue... > > One thing I don't see mentioned much. First, do a "yum update" or > "yum upgrade" on the RHL 9 repo. Then do a "yum clean" to free > up disk space. Then do your yum upgrade to Centos. Otherwise, you > will have your old RHL yum cache taking up a lot of space... > >> Thanks in advance. >> >> -David > I'm still using RedHat 9 and up2date. What would I have to do to upgrade to a fedora version? -- Ralph E. Kenyon, Jr. http://www.xenodochy.org/ralph.html 191 White Oaks Road Williamstown, MA 01267-2259 Phone: 413-458-3597 Home pages: http://www.xenodochy.org http://www.ballroomdances.org ------------------------------------------------------- FIGHT SPAM http://www.xenodochy.org/diogenes/antispam.html (If you are thinking about collecting my email address, read the above page first!) ------------------------------------------------------ Plain text markup: *bold*, /italic/, _underline_, LOUD -------------------------------------------------------- Keep our semantic environments and cyberspace clean. Always report errors discovered while surfing the web. ------------------------------------------------------ My favorite saying (from general semantics): It's not that seeing is believing, believing is seeing, and we're much better at believing than we are at seeing. http://www.xenodochy.org/ex/quotes/santayana.html From tthome at cox.net Wed Oct 25 04:48:12 2006 From: tthome at cox.net (Tim Thome) Date: Tue, 24 Oct 2006 21:48:12 -0700 Subject: lwn article on the death of Fedora Legacy In-Reply-To: <200610241832.49254.jkeating@j2solutions.net> References: <453E91D6.7050006@sbcglobal.net> <20061019154458.GA3683@jadzia.bu.edu> <80d7e4090610241452q3c18c0c3r124a99ad4dd93e17@mail.gmail.com> <453E91D6.7050006@sbcglobal.net> Message-ID: <4.3.2.7.2.20061024210547.038e2d78@pop.west.cox.net> At 03:32 PM 10/24/2006, Jesse Keating wrote: >On Tuesday 24 October 2006 18:21, Mike McCarty wrote: > > These are interesting stats, and indicate that Linux may now be > > crossing the gap. I belive most offices are still firmly MS product > > houses, and a move to Linux would not even be considered. I know > > that every time I see a request for a resume, the format requested > > is MS Word. Just because it's MSWord doesn't mean it is Windows... and even OpenOffice can export as Word native... so if someone wants Word format, Linux can deliver, as is PDF... It's funny that if you create a text file, and put that MS specific .DOC extension, Word can read it just fine... it has converters to do that, and most corporate installs have it already in place. Try it, you'll see... >Use on the desktop should not be tied to use in the server room. You'll find >a MUCH higher usage of linux in the server room. However since the majority >of the desktops are Windows, MS Word gets used a lot. A really open cross >platform format should be used, such as PDF, but that's not a here nor there >question. Linux is great in the server room/network closet. Linux runs every one of my servers on my home LAN, and I've been an advocate of Linux in the enterprise space to supplement/replace other platforms for servers. We can do it faster/better/cheaper (pick any three) in this arena... On the desktop, it's another story... Sorry if I'm getting a tad bit into advocacy... The KDE/Gnome folks have made excellent progress when you compare it to the shell or to CDE/OpenWindows... and it's a long way from NextStep (although OpenStep is working hard to resolve that vector). The Linux Desktop - It's similar to where MacOS was in the early days of System6, and Windows 3.1 days... and those days weren't bad. The Windows Program Manager/File Manager was a good shell to launch modal applications, and Mac's Finder in System6 isn't much different as compared to what Gnome is using. MacOS6 plus MultiFinder Win's OLE API's and Mac's Publish/Subscribe model at the system level is not really prevalent on the Linux desktop as of yet, however XMPP is a good step forward, if the desktop and apps folks buy into it... There's a long way to go before Linux can really challenge WindowsXP and OSX on the desktop... challenge is good, it motivates folks, and that may be the bridge to resolving the main Linux desktop problem, which is the KDE/Gnome issue. Until this is resolved, Linux will remain in the server room, where it is very suited, and will suffer on the desktop. Just my $0.02 worth... Tim -- "Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment." -Buddha -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.408 / Virus Database: 268.13.11/493 - Release Date: 10/23/2006 From rostetter at mail.utexas.edu Wed Oct 25 14:29:17 2006 From: rostetter at mail.utexas.edu (Eric Rostetter) Date: Wed, 25 Oct 2006 09:29:17 -0500 Subject: Migrating from RH9 Legacy to CentOS 3 In-Reply-To: References: <453E2432.5050708@umd.edu> <20061024103318.xayo05eq1p5kckc8@mail.ph.utexas.edu> Message-ID: <20061025092917.vgc9swaojegw0kww@mail.ph.utexas.edu> Quoting "Ralph E. Kenyon, Jr." : > I'm still using RedHat 9 and up2date. > What would I have to do to upgrade to a fedora version? You can either: 1) Install "yum" and upgrade that way 2) Download and burn a Fedora Core (or whatever RHEL/FedoraCore based distro you want) ISO to a cdrom, boot from the cdrom, and upgrade that way. If you want to go from RHL 9 to some similar version (Centos 3.x, Fedora Core 1, etc) then you can upgrade fairly painlessly either way. If you want to skip generations (upgrade to Centos 4.x, Fedora Core 5, etc) then you will probably have lots of problems/issues, and I don't recommend skipping over versions like that. In those cases, I do multiple consecutive upgrades (e.g. RHL 9 -> Fedora Core 1 -> Fedora Core 2 -> Fedora Core 5, or RHL 9 -> Centos 3.x -> Centos 4.x). There is just too much different between RHL 9 and current OS versions to rely on the upgrade between them without going through some inbetween releases. -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! From tthome at cox.net Thu Oct 26 04:13:19 2006 From: tthome at cox.net (Tim Thome) Date: Wed, 25 Oct 2006 21:13:19 -0700 Subject: Zod Release... Message-ID: <454035DF.8060002@cox.net> Jesse and all at the Fedora Release Team... Many congrats on releasing Zod, we all bow before you... Great Job!!! And we understand the challenges met by Zod melting down the FC5 core/updates/extra's repos... as well as much of the fedora.redhat.com infra... take that as a positive signal :) Any updates on things with the back end network support? Any thoughts about putting some of the load onto a BW aggregator like akamai in the short term? We have pending [Security] FC5/FC6 updates that are pending, but Yum is not as strong as Zod and surrenders, saying "no updates for you... bow before Zod." Just kidding, actually it refers to errors on the URL... "Cannot find a valid baseurl..." Thx, Tim From deisenst at gtw.net Thu Oct 26 05:25:44 2006 From: deisenst at gtw.net (David Eisenstein) Date: Thu, 26 Oct 2006 00:25:44 -0500 Subject: xfs_iget_core bug. In-Reply-To: References: <200610220918.19203.jkeating@redhat.com> Message-ID: <454046D8.7090002@gtw.net> Karl Hudnut wrote: > Hi, > > I have been working on a problem that contains a fix for a bug, not a > vulnerability, in 2.6.x kernels. Based on kernel.org info I cannot say > exactly when it was patched. Here is the patch: > > ====================================================================================== > --- 1.20/fs/xfs/xfs_iget.c Fri Jan 9 07:20:13 2004 > +++ edited/fs/xfs/xfs_iget.c Mon Feb 23 14:47:03 2004 > @@ -236,13 +236,14 @@ > > goto again; > } > -/* Chances are the other vnode (the one in the inode) is being torn > - * down right now, and we landed on top of it. Question is, what do > - * we do? Unhook the old inode and hook up the new one? > - */ > - cmn_err(CE_PANIC, > - "xfs_iget_core: ambiguous vns: vp/0x%p, invp/0x%p", > - inode_vp, vp); > + > + printk("%s: ambiguous vns: vp/0x%p, invp/0x%p", > + __FUNCTION__, inode_vp, vp); > + printk("v_vflag = 0x%x, v_type = %d\n", > + inode_vp->v_flag, inode_vp->v_type); > + printk("i_state = 0x%x, i_count = %d, i_nlink = %d\n", > + inode->i_state, inode->i_count, inode->i_nlink); > + BUG(); > } > > read_unlock(&ih->ih_lock); > > ====================================================================================== > > I think the patch was introduced after 2.6.11, not totally sure. I can tell it was > patched by 2.6.17. I need this patch. Can anyone verify if this is included in > kernel-smp-2.6.12-2.3.legacy_FC3.x86_64.rpm for FC3 from Fedora Legacy? > > Thanks. If the answer is yes, please point me to the evidence so I can show it to the > rest of the SysAdmin Team here at COSMIC. (Not that we would doubt it, but it would > be better to see it for ourselves. Paranoid mode set = 1 and so on.) > Hi Dr. Hudnut, I did a scan through all of the patch files in the source rpm at and could not find any patches that patch the 'fs/xfs/xfs_iget.c' source file. The xfs_iget.c source file itself appears not to be patched with the code you enclosed. It appears to be the original code, which calls 'cmn_err()'. Hope this helps. -David From jkeating at redhat.com Thu Oct 26 09:50:20 2006 From: jkeating at redhat.com (Jesse Keating) Date: Thu, 26 Oct 2006 05:50:20 -0400 Subject: Zod Release... In-Reply-To: <454035DF.8060002@cox.net> References: <454035DF.8060002@cox.net> Message-ID: <200610260550.24019.jkeating@redhat.com> On Thursday 26 October 2006 00:13, Tim Thome wrote: > "Cannot find a valid baseurl..." For a temporary work around, replace the fedora.redhat.com/download/mirrors with fedoraproject.org/mirrors -- Jesse Keating Release Engineer: Fedora -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From kirk at k4ro.net Thu Oct 26 14:50:59 2006 From: kirk at k4ro.net (Kirk Pickering) Date: Thu, 26 Oct 2006 09:50:59 -0500 Subject: FC4 Cannot find a valid baseurl for repo: legacy-updates Message-ID: <20061026145059.GA11133@darkstar.k4ro.net> I'm aware that there have been no updates for FC4 in some time, and just today I read all of the threads regarding the possible demise of Fedora legacy support. I just learned of CentOS from this list, and I will be taking a long look at it. I run GNU/Linux servers, and don't use the vast majority of the desktop applications. I have been running "yum update" periodically to check for FC4 legacy updates. I have installed the latest key and yum legacy configuration files. Up until today, "yum update" simply returned the string "No Packages marked for Update/Obsoletion." Today, I got a different message: # yum list yum Setting up repositories Cannot find a valid baseurl for repo: legacy-updates Error: Cannot find a valid baseurl for repo: legacy-updates Has something changed with the repository URL? Here are the contents of /etc/yum.repos.d/fedora-legacy.repo : # cat /etc/yum.repos.d/fedora-legacy.repo [legacy-updates] name=Fedora Legacy $releasever - $basearch - Updates mirrorlist=http://fedora.redhat.com/Download/mirrors/legacy-updates-released-fc$releasever enabled=1 gpgcheck=1 gpgkey=http://www.fedoralegacy.org/FEDORA-LEGACY-GPG-KEY [legacy-testing] name=Fedora Legacy $releasever - $basearch - Updates Testing mirrorlist=http://fedora.redhat.com/Download/mirrors/legacy-updates-testing-fc$releasever enabled=0 gpgcheck=1 gpgkey=http://www.fedoralegacy.org/FEDORA-LEGACY-GPG-KEY ------------------------------------------------------ -Kirk From kelson at speed.net Thu Oct 26 18:33:41 2006 From: kelson at speed.net (Kelson) Date: Thu, 26 Oct 2006 11:33:41 -0700 Subject: FC4 Cannot find a valid baseurl for repo: legacy-updates In-Reply-To: <20061026145059.GA11133@darkstar.k4ro.net> References: <20061026145059.GA11133@darkstar.k4ro.net> Message-ID: <4540FF85.5080603@speed.net> Kirk Pickering wrote: > Today, I got a different message: > > # yum list yum > Setting up repositories > Cannot find a valid baseurl for repo: legacy-updates > Error: Cannot find a valid baseurl for repo: legacy-updates The site's been down for a couple of days, probably related to download demand for FC6. Check the "Zod Release" thread. Jesse Keating suggested: > For a temporary work around, replace the fedora.redhat.com/download/mirrors > with fedoraproject.org/mirrors -- Kelson Vibber SpeedGate Communications From tthome at cox.net Thu Oct 26 20:07:50 2006 From: tthome at cox.net (Tim Thome) Date: Thu, 26 Oct 2006 13:07:50 -0700 Subject: Zod Release... In-Reply-To: <200610260550.24019.jkeating@redhat.com> References: <454035DF.8060002@cox.net> <200610260550.24019.jkeating@redhat.com> Message-ID: <45411596.50205@cox.net> Jesse Keating wrote: > On Thursday 26 October 2006 00:13, Tim Thome wrote: > >> "Cannot find a valid baseurl..." >> > > For a temporary work around, replace the fedora.redhat.com/download/mirrors > with fedoraproject.org/mirrors > > Thx, worked like a champ... wonder if this should be on the static page? Tim From jkeating at j2solutions.net Thu Oct 26 20:20:12 2006 From: jkeating at j2solutions.net (Jesse Keating) Date: Thu, 26 Oct 2006 16:20:12 -0400 Subject: Zod Release... In-Reply-To: <45411596.50205@cox.net> References: <454035DF.8060002@cox.net> <200610260550.24019.jkeating@redhat.com> <45411596.50205@cox.net> Message-ID: <200610261620.12391.jkeating@j2solutions.net> On Thursday 26 October 2006 16:07, Tim Thome wrote: > Thx, worked like a champ... wonder if this should be on the static page? We've fixed the static pages to provide access to the mirror lists. -- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From akonstam at sbcglobal.net Thu Oct 26 20:55:20 2006 From: akonstam at sbcglobal.net (Aaron Konstam) Date: Thu, 26 Oct 2006 15:55:20 -0500 Subject: FC4 Cannot find a valid baseurl for repo: legacy-updates In-Reply-To: <20061026145059.GA11133@darkstar.k4ro.net> References: <20061026145059.GA11133@darkstar.k4ro.net> Message-ID: <1161896120.2806.4.camel@vulcan> On Thu, 2006-10-26 at 09:50 -0500, Kirk Pickering wrote: > I'm aware that there have been no updates for > FC4 in some time, and just today I read all of > the threads regarding the possible demise of > Fedora legacy support. I just learned of CentOS > from this list, and I will be taking a long look > at it. I run GNU/Linux servers, and don't use the > vast majority of the desktop applications. > > I have been running "yum update" periodically to > check for FC4 legacy updates. I have installed the > latest key and yum legacy configuration files. > Up until today, "yum update" simply returned the > string "No Packages marked for Update/Obsoletion." > > Today, I got a different message: > > # yum list yum > Setting up repositories > Cannot find a valid baseurl for repo: legacy-updates > Error: Cannot find a valid baseurl for repo: legacy-updates > > Has something changed with the repository URL? > > Here are the contents of /etc/yum.repos.d/fedora-legacy.repo : > > # cat /etc/yum.repos.d/fedora-legacy.repo > > [legacy-updates] > name=Fedora Legacy $releasever - $basearch - Updates > mirrorlist=http://fedora.redhat.com/Download/mirrors/legacy-updates-released-fc$releasever > enabled=1 > gpgcheck=1 > gpgkey=http://www.fedoralegacy.org/FEDORA-LEGACY-GPG-KEY > > [legacy-testing] > name=Fedora Legacy $releasever - $basearch - Updates Testing > mirrorlist=http://fedora.redhat.com/Download/mirrors/legacy-updates-testing-fc$releasever > enabled=0 > gpgcheck=1 > gpgkey=http://www.fedoralegacy.org/FEDORA-LEGACY-GPG-KEY > > If you go to the mirror list site you will see that it is down to uograde some FC6 stuff. Aaron Konstam From herrold at owlriver.com Sun Oct 29 02:23:05 2006 From: herrold at owlriver.com (R P Herrold) Date: Sat, 28 Oct 2006 22:23:05 -0400 (EDT) Subject: fedora-l] Migrating from RH9 Legacy to CentOS 3 In-Reply-To: <453E2432.5050708@umd.edu> References: <453E2432.5050708@umd.edu> Message-ID: On Tue, 24 Oct 2006, David Eisner wrote: > With the end of Legacy support for RH9, I'd like to migrate my Fedora > Legacified RH9 box to Centos 3. > http://www.owlriver.com/tips/centos-31-ex-rhl-9/ > Any thoughts on whether this should also work with the .legacy packages? As author of the migration instructions in question, let me give an unqualified "Yes, probably" .... ;) I would feel safer 'stretching' into CentOS-4, just to get the later kernel, and buying the longer lifespan, but a move with a set of CentOS 3.8 spins ISO images will work, if you are a dead plain install wholly mediated by RPM, with minimal or no transition issues. But please: 1. level 0 backup 2. strip out unused packages -- a good idea anyway 3. possibly reboot and force a full fsck on all partitions 4. remove /home if at a separate mountpoint, from the fstab -- no reason to risk the data good luck -- please let us know how it turns out. - Russ Herrold From secnotice at fedoralegacy.org Sun Oct 29 08:09:52 2006 From: secnotice at fedoralegacy.org (David Eisenstein) Date: Sun, 29 Oct 2006 02:09:52 -0600 Subject: [FLSA-2006:195418] Updated sendmail packages fix security issue Message-ID: <454461D0.2020909@fedoralegacy.org> --------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated sendmail packages fix security issue Advisory ID: FLSA:195418 Issue date: 2006-10-29 Product: Red Hat Linux, Fedora Core Keywords: Bugfix, Security CVE Names: CVE-2006-1173 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated sendmail packages that fix a security issue are now available. The sendmail package provides a widely used Mail Transport Agent (MTA). 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 Fedora Core 3 - i386, x86_64 3. Problem description: A flaw in the handling of multi-part MIME messages was discovered in Sendmail. A remote attacker could create a carefully crafted message that could crash the sendmail process during delivery (CVE-2006-1173). Users of Sendmail are advised to upgrade to these erratum packages, which contain a backported patch from the Sendmail team to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195418 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.11.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-8.12.11-4.22.11.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.11.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.11.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/sendmail-8.12.11-4.24.4.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-8.12.11-4.24.4.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-cf-8.12.11-4.24.4.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-devel-8.12.11-4.24.4.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/sendmail-doc-8.12.11-4.24.4.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/sendmail-8.12.11-4.25.4.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-8.12.11-4.25.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-cf-8.12.11-4.25.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-devel-8.12.11-4.25.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/sendmail-doc-8.12.11-4.25.4.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/sendmail-8.12.11-4.26.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-8.12.11-4.26.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-cf-8.12.11-4.26.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-devel-8.12.11-4.26.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/sendmail-doc-8.12.11-4.26.1.legacy.i386.rpm Fedora Core 3: SRPM: http://download.fedoralegacy.org/fedora/3/updates/SRPMS/sendmail-8.13.1-4.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-8.13.1-4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-cf-8.13.1-4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-devel-8.13.1-4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/3/updates/i386/sendmail-doc-8.13.1-4.legacy.i386.rpm x86_64: http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-8.13.1-4.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-cf-8.13.1-4.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-devel-8.13.1-4.legacy.x86_64.rpm http://download.fedoralegacy.org/fedora/3/updates/x86_64/sendmail-doc-8.13.1-4.legacy.x86_64.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- rh73: de3219959a42e413f4add01a96fe5bd4e5c2e25b redhat/7.3/updates/i386/sendmail-8.12.11-4.22.11.legacy.i386.rpm 6651ffec675ad29d60dae0b538cc4ab00833b7e9 redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm a863e902dac5362e8922e62358f00e76fccfb0dd redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.11.legacy.i386.rpm 8b02c451d2ed59b530f3e6976e3bbf4ce0ea535c redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.11.legacy.i386.rpm 76086504341d07d4ee88c15a5060c1088d6f3057 redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.11.legacy.src.rpm rh9: 31695348a11ac9b47d5470249072f2175131bdab redhat/9/updates/i386/sendmail-8.12.11-4.24.4.legacy.i386.rpm 05c883b5a6b218f69a08c711ca71e4d14d958141 redhat/9/updates/i386/sendmail-cf-8.12.11-4.24.4.legacy.i386.rpm 7bc9aef8a1a8794eb6ad6c8496ede743bc61fd76 redhat/9/updates/i386/sendmail-devel-8.12.11-4.24.4.legacy.i386.rpm 470d3a9ada94a6d1735176050cfa94c8eefc8c70 redhat/9/updates/i386/sendmail-doc-8.12.11-4.24.4.legacy.i386.rpm 5715d14fec8f303271ee7ef3ace828f80af76902 redhat/9/updates/SRPMS/sendmail-8.12.11-4.24.4.legacy.src.rpm fc1: b4e627654290a72eb736678f9ddf6c19031daed6 fedora/1/updates/i386/sendmail-8.12.11-4.25.4.legacy.i386.rpm 6e631fda5b975b4cd40b8e580b1562888addc272 fedora/1/updates/i386/sendmail-cf-8.12.11-4.25.4.legacy.i386.rpm c9e37c442488d4079983ad47d74c843b2e835b52 fedora/1/updates/i386/sendmail-devel-8.12.11-4.25.4.legacy.i386.rpm c3d8da108fb47db91a3bd9513de4e5e403e34656 fedora/1/updates/i386/sendmail-doc-8.12.11-4.25.4.legacy.i386.rpm 1198d4465b351b6555b510fe22ff93c3accdc794 fedora/1/updates/SRPMS/sendmail-8.12.11-4.25.4.legacy.src.rpm fc2: 719954687788a5194cde32eb235d3d542fa62690 fedora/2/updates/i386/sendmail-8.12.11-4.26.1.legacy.i386.rpm 840bf9b1d018965963ceaffec85e0be2dced5345 fedora/2/updates/i386/sendmail-cf-8.12.11-4.26.1.legacy.i386.rpm b44e5ba3a369885111d74232960b3de5e5e1207e fedora/2/updates/i386/sendmail-devel-8.12.11-4.26.1.legacy.i386.rpm 2a8eaa15f1c7e50dbc16542e5d93b88e1933d522 fedora/2/updates/i386/sendmail-doc-8.12.11-4.26.1.legacy.i386.rpm 48fce3c232e313a1648d04bdd0ffe727b1cb9867 fedora/2/updates/SRPMS/sendmail-8.12.11-4.26.1.legacy.src.rpm fc3: 27a009c764d367c5bb32c003ef79611602709808 fedora/3/updates/i386/sendmail-8.13.1-4.legacy.i386.rpm aa4ae72b7747269f6d20519e3fefd83a28e52df6 fedora/3/updates/i386/sendmail-cf-8.13.1-4.legacy.i386.rpm ea0d29481a712d42927f15da4fcc2709d4e5fbd0 fedora/3/updates/i386/sendmail-devel-8.13.1-4.legacy.i386.rpm 428282ff79c56f0f0bda0607612c38ca4253ab04 fedora/3/updates/i386/sendmail-doc-8.13.1-4.legacy.i386.rpm 14661dcec23213f5337e1eba749e8657daf5ef4b fedora/3/updates/x86_64/sendmail-8.13.1-4.legacy.x86_64.rpm c6fdccb6edf57d18aad1c955809ea74cbee333cd fedora/3/updates/x86_64/sendmail-cf-8.13.1-4.legacy.x86_64.rpm 67f50ca7957b1cef314f9ab2e5d5dba81376573c fedora/3/updates/x86_64/sendmail-devel-8.13.1-4.legacy.x86_64.rpm 05be329d3ec2df28d49b1e7f91e2eea9daf0159f fedora/3/updates/x86_64/sendmail-doc-8.13.1-4.legacy.x86_64.rpm 0167c72624710207c4c4b16afdce87e5fb161dd0 fedora/3/updates/SRPMS/sendmail-8.13.1-4.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: http://www.sendmail.com/security/advisories/SA-200605-01.txt.asc http://www.kb.cert.org/vuls/id/146718 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173 http://rhn.redhat.com/errata/RHSA-2006-0515.html 9. Contact: The Fedora Legacy security contact is . More project details at http://www.fedoralegacy.org --------------------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 251 bytes Desc: OpenPGP digital signature URL: From paul at weycrest.net Sun Oct 29 13:36:18 2006 From: paul at weycrest.net (Paul Lee) Date: Sun, 29 Oct 2006 13:36:18 +0000 Subject: fedora-l] Migrating from RH9 Legacy to CentOS 3 In-Reply-To: References: <453E2432.5050708@umd.edu> Message-ID: <4544AE52.2000900@weycrest.net> R P Herrold wrote: > On Tue, 24 Oct 2006, David Eisner wrote: > >> With the end of Legacy support for RH9, I'd like to migrate my Fedora >> Legacified RH9 box to Centos 3. >> http://www.owlriver.com/tips/centos-31-ex-rhl-9/ >> Any thoughts on whether this should also work with the .legacy packages? > > > As author of the migration instructions in question, let me give an > unqualified "Yes, probably" .... ;) > > I would feel safer 'stretching' into CentOS-4, just to get the later > kernel, and buying the longer lifespan, but a move with a set of CentOS > 3.8 spins ISO images will work, if you are a dead plain install wholly > mediated by RPM, with minimal or no transition issues. But please: > 1. level 0 backup > 2. strip out unused packages -- a good idea > anyway > 3. possibly reboot and force a full fsck on all > partitions > 4. remove /home if at a separate mountpoint, from > the fstab -- no reason to risk the data > I may be introducing another layer of complication here but I have found various OS Virtualization tools such OpenVZ extremely handy for for migrating / updating servers with legacy RH operating systems. Basically we have had a spare server where we have loaded the latest Centos OS and installed the openvz kernel and utilities (all in RPM format) and reboot. All we have to do then is copy/backup the legacy RH9 server into a the new openvz node (typically into /vz/private/ References: <453E2432.5050708@umd.edu> <4544AE52.2000900@weycrest.net> Message-ID: <20061029161421.GB20715@mail.harddata.com> On Sun, Oct 29, 2006 at 01:36:18PM +0000, Paul Lee wrote: > > All we have to do then is copy/backup the legacy RH9 server into a the > new openvz node (typically into /vz/private/ /home /var /usr etc A word of warning here. When you are doing operations like the above, for whatever reasons, skip /var/log/lastlog file. Not only an information in it will not be useful later but this is a sparse file and it is "very sparse". :-) On x86_64 installation its length will be in order of 1.2 TB while its size, in disk blocks, somewhere between 60 and 70 K. For i386 differences are not so dramatic. Typically around 20 MB versus 20-30 K (it varies with a number of accounts on an installation). Still you do not need it. Even if you did not forget about option -S to rsync, and similar if you are using some other utility, reading through 1.2 TB takes a long while. With 32-bits this is far from beeing that bad but better get into habit. :-) There are other sparse files laying around, typically those in /var/lib/rpm/, but gaps between lengths and sizes are not likely be so significant. Michal From paul at weycrest.net Sun Oct 29 19:17:14 2006 From: paul at weycrest.net (Paul Lee) Date: Sun, 29 Oct 2006 19:17:14 +0000 Subject: fedora-l] Migrating from RH9 Legacy to CentOS 3 In-Reply-To: <20061029161421.GB20715@mail.harddata.com> References: <453E2432.5050708@umd.edu> <4544AE52.2000900@weycrest.net> <20061029161421.GB20715@mail.harddata.com> Message-ID: <4544FE3A.1070606@weycrest.net> Michal Jaegermann wrote: > On Sun, Oct 29, 2006 at 01:36:18PM +0000, Paul Lee wrote: > >>All we have to do then is copy/backup the legacy RH9 server into a the >>new openvz node (typically into /vz/private/>/home /var /usr etc > > > A word of warning here. When you are doing operations like the > above, for whatever reasons, skip /var/log/lastlog file. Not only > an information in it will not be useful later but this is a sparse > file and it is "very sparse". :-) Thats a good point. But another reason I like Openvz. The "file system" is entirely quota based so scales dynamically and "on the fly" to the full extent of the space available on the disc. With Xen/UML etc its alo neccessary it create an image file with dd, then format it for ext3, them would have to mount the "image" as loopback device and the start copying your legacy system into the "file" etc.. These steps are entirely eliminated with openvz. You just copy to /vz/private/ (obviously with some refinements to avoid copying too much "junk," to save time and speed - you just need a big enough /var partition ;o)). You can cd straight into these directories. Create you vz.conf file then "boot" the VE instance. I know you can create "sparse" disc images for xen, uml etc which grow dynamically but there tends to be a performance issue. Anyway I'm perhaps wandering a bit "off topic" here ;o) Regards Paul Lee Weycrest.Net From deisenst at gtw.net Mon Oct 30 06:00:31 2006 From: deisenst at gtw.net (David Eisenstein) Date: Mon, 30 Oct 2006 00:00:31 -0600 Subject: [FLSA-2006:195418] Updated sendmail packages fix security issue In-Reply-To: References: Message-ID: <454594FF.7030802@gtw.net> Lawrence Houston wrote: > Subject: Re: [FLSA-2006:195418] Updated sendmail packages fix security issue > From: Lawrence Houston > Date: Sun, 29 Oct 2006 09:34:17 -0500 (EST) > To: fedora-legacy-announce at redhat.com > On Sun, 29 Oct 2006, Lawrence Houston wrote: > >> On Sun, 29 Oct 2006, fedora-legacy-announce at redhat.com wrote: >> >>> Red Hat Linux 7.3: >>> SRPM: >>> http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.11.legacy.src.rpm >>> >>> i386: >>> http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-8.12.11-4.22.11.legacy.i386.rpm >>> http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm >>> http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.11.legacy.i386.rpm >>> http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.11.legacy.i386.rpm >> >> For the Red Hat 7.3 Distribution the above updates can also be found >> within the "updates-testing" Area: >> >> SRPM: >> http://download.fedoralegacy.org/redhat/7.3/updates-testing/sendmail-0-8.12.11-4.22.11.legacy.i386.rpm >> >> i386: >> http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-0-8.12.11-4.22.11.legacy.i386.rpm >> http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-cf-0-8.12.11-4.22.11.legacy.i386.rpm >> http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-devel-0-8.12.11-4.22.11.legacy.i386.rpm >> http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-doc-0-8.12.11-4.22.11.legacy.i386.rpm >> >> Which means the final release of these updates will NOT be available >> by YUM until the comments around the "updates-testing" section of >> yum.conf have been removed!!! My understanding is this should NOT be >> required since the same updates should NOT appear in both areas??? > > A similar pattern repeats for the Red Hat 9 Distribution... Secondly I > failed to notice the leading '0' on the Major Release Number such that > removing the comments around the "updates-testing" sections still will > NOT allow the July 27th Sendmail Updates to be applied... The net > effect being the July 27th Update are being "held back", either on > purpose or because of an over-sight??? > > Lawrence Houston -- (legacy at greenfield.dyndns.org) I think there is something wrong with the header files that yum depends on to do updates. Perhaps our 'push-to-update' scripts did not generate them cor- rectly, or they may not have been pushed correctly from the build server to download.fedoralegacy.org. We're looking into that. Are messages you see that display the URL that have 'sendmail-*0-*.i386.rpm' being generated by the yum program? No such URL's were included in the Fedora Legacy Security Advisory FLSA-2006:195418, so I was wondering where you saw them. In the meantime, if you wish to update these files manually, you can download them with wget or a web browser using the URLs given in the Advisory message. You can then use the 'rpm -U' command (as user root) to update the sendmail packages. That will do the same thing that yum should have done. Please write us back and let us know if there is anything more we can do to help. Hope this helped. Regards, David Eisenstein From legacy at greenfield.dyndns.org Mon Oct 30 14:14:14 2006 From: legacy at greenfield.dyndns.org (Lawrence Houston) Date: Mon, 30 Oct 2006 09:14:14 -0500 (EST) Subject: [FLSA-2006:195418] Updated sendmail packages fix security issue In-Reply-To: <454594FF.7030802@gtw.net> References: <454594FF.7030802@gtw.net> Message-ID: David: On Mon, 30 Oct 2006, David Eisenstein wrote: > Lawrence Houston wrote: >> Subject: Re: [FLSA-2006:195418] Updated sendmail packages fix security issue >> From: Lawrence Houston >> Date: Sun, 29 Oct 2006 09:34:17 -0500 (EST) >> To: fedora-legacy-announce at redhat.com >> On Sun, 29 Oct 2006, Lawrence Houston wrote: >> >>> On Sun, 29 Oct 2006, fedora-legacy-announce at redhat.com wrote: >>> >>>> Red Hat Linux 7.3: >>>> SRPM: >>>> http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.11.legacy.src.rpm >>>> >>>> i386: >>>> http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-8.12.11-4.22.11.legacy.i386.rpm >>>> http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm >>>> http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.11.legacy.i386.rpm >>>> http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.11.legacy.i386.rpm >>> >>> For the Red Hat 7.3 Distribution the above updates can also be found >>> within the "updates-testing" Area: >>> >>> SRPM: >>> http://download.fedoralegacy.org/redhat/7.3/updates-testing/sendmail-0-8.12.11-4.22.11.legacy.i386.rpm >>> >>> i386: >>> http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-0-8.12.11-4.22.11.legacy.i386.rpm >>> http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-cf-0-8.12.11-4.22.11.legacy.i386.rpm >>> http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-devel-0-8.12.11-4.22.11.legacy.i386.rpm >>> http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-doc-0-8.12.11-4.22.11.legacy.i386.rpm >>> >>> Which means the final release of these updates will NOT be available >>> by YUM until the comments around the "updates-testing" section of >>> yum.conf have been removed!!! My understanding is this should NOT be >>> required since the same updates should NOT appear in both areas??? >> >> A similar pattern repeats for the Red Hat 9 Distribution... Secondly I >> failed to notice the leading '0' on the Major Release Number such that >> removing the comments around the "updates-testing" sections still will >> NOT allow the July 27th Sendmail Updates to be applied... The net >> effect being the July 27th Update are being "held back", either on >> purpose or because of an over-sight??? >> >> Lawrence Houston -- (legacy at greenfield.dyndns.org) > > I think there is something wrong with the header files that yum depends on to > do updates. Perhaps our 'push-to-update' scripts did not generate them cor- > rectly, or they may not have been pushed correctly from the build server to > download.fedoralegacy.org. We're looking into that. > > Are messages you see that display the URL that have 'sendmail-*0-*.i386.rpm' being > generated by the yum program? No such URL's were included in the Fedora Legacy > Security Advisory FLSA-2006:195418, so I was wondering where you saw them. After I uncommented the "updates-testing" section witin yum.conf YUM complains about the MD5 Signatures failing, which was before I noticed the headers within "updates-testing" following that "strange" pattern with that leading "0-" on their version numbers: Error: MD5 Signature check failed for /var/cache/yum/updates-testing/packages/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm The above RPM within my YUM Cache Tree is a very small HTML "like" File containing a message about the RPM not existing within "updates-testing": The requested URL /redhat/7.3/updates-testing/i386/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm was not found on this server. Which is in keeping with your observations that the RPMs do NOT actually exist within "updates-testing", with an apparent error in the Header Generation... Also the above error messages do NOT include the leading "0-" within the "displayed" version numbers, those I see by Browsing the Headers on Legacy's Web Site within the "updates-testing" tree... You are correct I did NOT see those RPMs within "update-testing" on Legacy's Web Site!!! NOTE: with "updates-testing" commented out of yum.conf, YUM is still fails to detect the July 27th SENDMAIL Updates within "updates" (which should be installed)??? YUM claims there are NO Packages are available for Update, which is NOT True since the July 27th SENDMAIL Updates should applied!!! > In the meantime, if you wish to update these files manually, you can download > them with wget or a web browser using the URLs given in the Advisory message. You > can then use the 'rpm -U' command (as user root) to update the sendmail packages. > That will do the same thing that yum should have done. Lawrence Houston -- (legacy at greenfield.dyndns.org) From khudnut at ucar.edu Mon Oct 30 17:05:04 2006 From: khudnut at ucar.edu (Karl Hudnut) Date: Mon, 30 Oct 2006 10:05:04 -0700 (MST) Subject: xfs_iget_core bug. In-Reply-To: <454046D8.7090002@gtw.net> References: <200610220918.19203.jkeating@redhat.com> <454046D8.7090002@gtw.net> Message-ID: Hi David, > Hi Dr. Hudnut, > > I did a scan through all of the patch files in the source rpm at > > and could not find any patches that patch the 'fs/xfs/xfs_iget.c' source file. > The xfs_iget.c source file itself appears not to be patched with the code you > enclosed. It appears to be the original code, which calls 'cmn_err()'. I would like to note, and my main reason for posting here again is to say: the patch I describe below is actually a diagnostic patch not a fix. I used to think I was pretty good with C code but that was decades ago. This was really a sort of silly mistake I made. Meanwhile I combed through the source rpm stuff myself and I did not think xfs_iget was ever patched. However, by looking at the patches, the file xfs_iget.c from SGI is not the same as in the implementation in RH/FC and I never felt sure. Your method of looking for any patch at all seems to make sense. I conclude, with your help, that this bug is not fixed. Thanks. -- Dr. Karl Hudnut System Administrator UCAR - COSMIC khudnut at ucar.edu http://www.cosmic.ucar.edu 303 497 8024 On Thu, 26 Oct 2006, David Eisenstein wrote: > Karl Hudnut wrote: > > Hi, > > > > I have been working on a problem that contains a fix for a bug, not a > > vulnerability, in 2.6.x kernels. Based on kernel.org info I cannot say > > exactly when it was patched. Here is the patch: > > > > ====================================================================================== > > --- 1.20/fs/xfs/xfs_iget.c Fri Jan 9 07:20:13 2004 > > +++ edited/fs/xfs/xfs_iget.c Mon Feb 23 14:47:03 2004 > > @@ -236,13 +236,14 @@ > > > > goto again; > > } > > -/* Chances are the other vnode (the one in the inode) is being torn > > - * down right now, and we landed on top of it. Question is, what do > > - * we do? Unhook the old inode and hook up the new one? > > - */ > > - cmn_err(CE_PANIC, > > - "xfs_iget_core: ambiguous vns: vp/0x%p, invp/0x%p", > > - inode_vp, vp); > > + > > + printk("%s: ambiguous vns: vp/0x%p, invp/0x%p", > > + __FUNCTION__, inode_vp, vp); > > + printk("v_vflag = 0x%x, v_type = %d\n", > > + inode_vp->v_flag, inode_vp->v_type); > > + printk("i_state = 0x%x, i_count = %d, i_nlink = %d\n", > > + inode->i_state, inode->i_count, inode->i_nlink); > > + BUG(); > > } > > > > read_unlock(&ih->ih_lock); > > > > ====================================================================================== > > > > I think the patch was introduced after 2.6.11, not totally sure. I can tell it was > > patched by 2.6.17. I need this patch. Can anyone verify if this is included in > > kernel-smp-2.6.12-2.3.legacy_FC3.x86_64.rpm for FC3 from Fedora Legacy? > > > > Thanks. If the answer is yes, please point me to the evidence so I can show it to the > > rest of the SysAdmin Team here at COSMIC. (Not that we would doubt it, but it would > > be better to see it for ourselves. Paranoid mode set = 1 and so on.) > > > > Hi Dr. Hudnut, > > I did a scan through all of the patch files in the source rpm at > > and could not find any patches that patch the 'fs/xfs/xfs_iget.c' source file. > The xfs_iget.c source file itself appears not to be patched with the code you > enclosed. It appears to be the original code, which calls 'cmn_err()'. > > Hope this helps. -David > > -- > fedora-legacy-list mailing list > fedora-legacy-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-legacy-list > From deisenst at gtw.net Mon Oct 30 22:43:00 2006 From: deisenst at gtw.net (David Eisenstein) Date: Mon, 30 Oct 2006 16:43:00 -0600 Subject: Sendmail download issue fixed. Re: [FLSA-2006:195418] Updated sendmail packages fix security issue Message-ID: <45467FF4.4080401@gtw.net> If you tried running 'yum update' or had yum updates automatically enabled and sendmail did not update on your machine(s), please try doing 'yum update' again. There was a problem in the creation of the repository metadata. That problem should now be fixed, and the new repository metadata now uploaded to the download.fedoralegacy.org website. If you use a mirror of download.fedoralegacy.org, the corrected metadata along with the packages should be available when that mirror next refreshes. Regards, David Eisenstein -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 251 bytes Desc: OpenPGP digital signature URL: