Fedora 8 and 9 updates re-enabled

September 10, 2008

In a few hours, updates for Fedora 8 and Fedora 9 will start hitting
mirrors.  These updates are designed to transition users from our old
repo locations to new locations that have all our updates re-signed with
a new set of keys.

Most users will simply need to apply the offered updates, and later
apply any further updates, and verify/import the new GPG key.

The process of getting new updates has two stages.

Stage 1) Users configured to get updates from existing repos will see a
small set of updates available in the next few hours/days.  These
updates include fedora-release, PackageKit, gnome-packagekit, and unique
(for Fedora 8, only fedora-release is offered).  These updates should be
applied as soon as possible.

Stage 2) Once the above updates have been applied, your update tools
(yum, PackageKit, pirut) will see a new repository and a larger set of
updates available.  This is your new standard flow of updates, that will
continue to see new updates as the lifetime of Fedora 8 and 9 progress.

There will be further milestones in the future that involve redirection
of release package repos to match that of updates, and removing of old
gpg key from rpm trust.

For more details and an FAQ, please see

Jesse Keating
Fedora — Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

Echo Monthly News, Issue 1

September 2, 2008

The echo-icon-theme development team just officially released its first
Echo Monthly News Issue [1]. In this release we cover these sections:

1. New Icons
2. “Huge” icons – 256×256
3. One Canvas Work-Flow
4. Automating the secondary jobs
   1. Add a new icon set to Git
   2. Setting up Git repository
   3. Updating Git repository
   4. Creating New Icon from Template
   5. RPM package and other issues
5. Echo for Fedora 10?
6. Future plans
7. Request for feedback

Since it’s our first release it is not perfect and therefore we will
appreciate any feedback, suggestions for improvement, etc. at the
fedora-art-list and #fedora-art at irc.freenode.net 🙂

[1] https://fedorahosted.org/echo-icon-theme/wiki/MonthlyNews/Issue1

Fedora Weekly News 141

September 2, 2008


Fedora Weekly News Issue 141

Welcome to Fedora Weekly News Issue 141 for the week ending August 30, 2008.


Fedora Weekly News keeps you updated with the latest issues, events and
activities in the Fedora community.

If you are interested in contributing to Fedora Weekly News, please see
our ‘join’ page. Being a Fedora Weekly News beat writer gives you a
chance to work on one of our community’s most important sources of news.
Ideas for new beats are always welcome — let us know how you’d like to


= Announcements =

In this section, we cover announcements from the Fedora Project.



Contributing Writer: Max Spevack

Fedora Unity releases Fedora 8 Re-Spin

Ben Williams announced[0] that the Fedora Unity team has released a new
re-spin of Fedora 8. “These Re-Spin ISOs are based on the officially
released Fedora 8 installation media and include all updates released as
of August 14th, 2008. The ISO images are available for i386, x86_64 and
PPC architectures via Jigdo and Torrent starting Sunday August 24th,
2008. Go to http://spins.fedoraunity.org/spins to get the bits!”


= Planet Fedora =

In this section, we cover the highlights of Planet Fedora – an
aggregation of blogs from Fedora contributors worldwide.


Contributing Writer: Max Spevack


The Fedora Education Spin is progressing[0], having been “approved by
all necessary bodies – Spin SIG, Board, Rel-Eng”, reported Sebastian
Dziallas. The spin has its own feature page. “Hopefully, we’ll be able
to have a preview of the spin ready in the next weeks”, added Sebastian.


Greg DeKoenigsberg reminded potential OLPC contributors[1] to surf over
to the contributors’ program on the OLPC wiki in order to request their
own XO for development. Soon, Greg “will be sitting in on the weekly
call that decides how these laptops are disbursed”.

[1] http://gregdek.livejournal.com/34240.html

Tech Tidbits

Michael DeHaan, holder of the coveted “best blogger on Planet Fedora”
title, as determined each week by your correspondent, has penned a
treatise[8] concerning the future of systems management software.
“Cobbler and Func are very fun, I think they are quite useful, but I’m
wondering what are next on the horizon for server management tech, not
in terms of an evolutionary improvement but how things can be
legitimately improved by fundamental, indeed ‘paradigm-shifty’ means.”
Click the link below to read the entire post.

[8] http://www.michaeldehaan.net/?p=702

James Antill has written[9] a tutorial on the Python yum API, which is
incredibly useful if you have ever wanted to do stuff with yum, but
don’t know where to start and are afraid to ask Seth.

[9] http://illiterat.livejournal.com/6254.html


David Nalley shared some details about the upcoming Fedora Ambassadors
Day for North America[2]. The event will coincide with Ohio Linux Fest
in October. David said, “If you are a Fedora Ambassador, or want to be
one, you should try and attend.”

[2] http://www.nalley.sc/david/?p=81

Christoph Wickert attended FrOSCon 2008, along with
several other Ambassadors, and shared his event report[3]. “Just
like on Linuxtag the Fedora booth was located close to the entrance, so
we had quite a lot of visitors. Unfortunately the booth was a little
small and we had lot of stuff to show: Two OLPCs, an eeepc, two ALIX
Machines and a couple of Laptops. Everything was running Fedora, the
Laptops were running Gnome and Xfce, mine also LXDE.” Check out the link
below for pictures, and the full report.

[3] http://www.christoph-wickert.de/blog/2008/08/26/back-from-froscon/

Max Spevack reminded[4] everyone about the upcoming FUDCon Brno. “We
currently have 110 people registered for the event,” and the list of
sessions and hackfests is on the Fedora wiki. Hans de Goede will be
attending FUDCon Brno. He wrote an update[5] about webcam support in
Fedora, which will be worked on at FUDCon, and also blogged[6] about the
session he will give on how to become a Fedora package maintainer.

[4] http://spevack.livejournal.com/62369.html

[5] http://hansdegoede.livejournal.com/5576.html

[6] http://hansdegoede.livejournal.com/5304.html

Fedora List

Fedora Board member Chris Tyler wrote[7] about the plans for changing
the scope and ownership of fedora-list. Chris says, it is “one of the
first lists that most Fedora users join, and therefore quite important
to the community. However, it’s a high-volume list (and is sometimes
perceived to have a high noise level), so many veterans of the Fedora
community aren’t subscribed… Paul Frields and I have taken on the
ownership of the list, and we’d welcome one or two experienced members
of the community to join us.”


= Developments =

In this section the people, personalities and debates on the
@fedora-devel mailing list are summarized.

Contributing Writer: Oisin Feeley

Approaches to a Minimal Fedora

Luya Tshimbalanga alerted[1] the list to a post on FedoraForum.org in
which a user “stevea” had produced a 67MB “minimalFedora” system. Jef
Spaleta worried[2] that the bare-bones system was unable to receive
updates and that this was something which “we as a project might not
officially want to endorse.” One way out of that suggested by Jef was
that interested parties could produce a derived distribution which
pushed out entire updated images. Recent changes in the trademark
guidelines make such a move easier.



A parallel to the minimal OS appliance image used in the oVirt project
was discerned[3] by Daniel Berrange. Daniel reported their ‘oVirt
managed node’ as being less than 64MB and built entirely from the Fedora
9 repositories. Later Daniel posted[4] that the similarities ended with
the desire for a small image. The oVirt goal was to use only Fedora as
upstream whereas stevea’s approach had been to substitute coreutils with
busybox. Daniel acknowledged “[…] finding the bits which aren’t needed
is fun in itself & somewhat of a moving target. So wherever possible
we’ve been filing BZ to get some RPMs split up into finer grained
sub-RPMs” and included a link to his project’s kickstart %post stanza.
Richard Jones suggested[5] that KDE’s filelight was useful for finding
bloated files and Vasile Gaburici added[6] that there was a GNOME
equivalent called baobab. Vasile also included[7] a script which he uses
to “keep track of bloatware”.






A follow-up post from Daniel concluded[8] that the only bits of upstream
Fedora actually used in stevea’s approach were the kernel and busybox as
even glibc and initscripts had been ditched. Daniel wondered “So not
really much trace of Fedora left at all. Not sure why you’d go to the
trouble of doing the initial anaconda install at that point – might as
well just ‘rpm --no-deps’ install kernel + busybox RPMs into a chroot &
add the custom init script.”


Doubt on the advantages of stripping down Fedora to make it run on
embedded targets was cast[9] by Patrice Kadionik when he argued that
using the Fedora kernel with all its patches and modules was too
bloated. Instead he preferred to use the vanilla kernel with busybox
with the result that “[…] you have a Linux kernel (about 1MB) with its
root [filesystem] (about 1-2 MB) adapted completely to the target
platform.” Alan Cox replied[10] that the ability to receive updates and
benefit from the maintained and tested code was desirable if there were
enough extra space.



W. Michael Petullo added a link[11] to his “FedoraNano” project which
has the goal of reducing redundancies, identifying probable cases for
sub-packaging and documenting a method to install a small Fedora onto
solid state drives.

[11] http://www.flyn.org/fedoranano/fedoranano.html

Using PackageKit Without NetworkManager-Controlled Interfaces

A question from Martin Langhoff asked[1]: “[i]s there anything
preventing PK from connecting to the network over

controlled network interfaces?” This question
appeared to be predicated on the assumption that PackageKit had a
dependency on NetworkManager.


Jeremy Katz clarified[2] that PackageKit depended on NetworkManager-glib
and not on NetworkManager. He added that this was because PackageKit
attempted to determine the status of the network connection prior to
checking for updates. Dan Williams confirmed[3] that this was the case
and expanded on the explanation: “If talking to NM fails, the app should
either (a) assume a connection, or (b) could be more intelligent by
asking SIOCGIFCONF/netlink for interfaces, and if at least one interface
is IFF_UP | IFF_RUNNING and has an IP address, then try.” Using
NetworkManager in this way allows PackageKit to be restricted to
sensible choices about the type of networks over which it is acceptable
to receive updates.



A further point raised by Martin was that there were a surprising number
of dependencies and Dan pointed[4] to bugzilla entry #351101[5] while
noting that “[PackageKit] should only depend on NetworkManager-glib,
which itself should not pull in NetworkManager in the future.” That bug
specifically affects multilib systems, that is x86-64 systems with i386
packages on them, and prevents the simple removal of the older version
of NetworkManager-glib and replacement with a re-factored one. This will
be fixed for Fedora 10 using the installer anaconda.


[5] https://bugzilla.redhat.com/show_bug.cgi?id=351101

In a separate thread Martin asked[6] what debugging facilities were
available for network scripts beyond using bash -x. He detailed his
“hack du jour” by which /etc/udev/rules.d/60-net.rules invokes
net.hotplug.debugger which in turn uses bash -x net.hotplug with STDIN
and STDOUT redirected to a logfile. It appeared from the lack of further
suggestions that this is a good strategy. He also provided[7] a note
which explained that he was upgrading the “School Server” spin to Fedora
9 from Fedora 7.


Git-1.6.0 Commands to be Moved Out of PATH

A response by Todd Zullinger to a “cvsextras” commit[1] of changes to
git questioned[2] whether setting gitexecdir=%{_bindir} was a justified
deviation from upstream intent. According to Todd “[..] we’ve
effectively negated upstream’s intent to present less binaries in the
users path”. Currently there are 137 git-commands in the /usr/bin
directory. Todd suggested that it was better that individual users added
the output of $(git --exec-path) to their PATH environment variable. As a
precaution against breaking scripts upon update to git-1.6.0 Todd
suggested that this addition to PATH should be made by the package.



The package maintainer responsible for the change, James Bowes
replied[3] that he had recently attempted to do as Todd suggested and
that had resulted in complaints. He was worried that although Todd’s
change made sense there had been no due diligence conducted to see what
would break if the git-* commands were moved in such a way. Josh Boyer
replied[4] that the original complaint had been about “yank[ing] out
commands […] from a stable release [Fedora 9]”. Todd Zullinger
discounted such complaints and dreamt[5] that “[…] a warning could be
hand delivered by a beautiful naked person of whatever gender the user
prefers and many would still scream when the change finally landed. :)”
He suggested that in order to achieve predictability and consistency
across distributions it was best to follow upstream and use the update
to 1.6.0 as a flag day.




In response to queries as to whether there was a need to update Fedora 9
also Josh Boyer replied[6] that a security bug was fixed by git-1.6.0
but that he thought that this might have also been fixed by “a later
release of 1.5.6.x.”

Resurrecting Multi-Key Signatures in RPM

Spurred on by the disquiet caused by the recent signing of Red Hat
packages (but not as far as is known any Fedora packages)[1] it was
suggested[2] by Bojan Smojver that multiple GPG signatures of RPM
packages would be a good idea. Distributing the signing could include
using alternate buildsystems “[…] with no public access […] to
verify package checks before signing[.]”



Andrew Bartlett thought that the checksum part would be a problem
because a build often includes hosts, build times and other specifics
and Chris Adams added[3] that even individual files within a package had
such information embedded. Bojan decided to find out how many packages
were so constrained and Seth Vidal suggested[4] a useful rpm command,
rpm -qp --dump pkg.rpm, to list all available information about each package.
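
The comparison Bojan set out to make can be sketched as follows. This is an added example, not code from the thread or from the Fedora project: it parses two `rpm -qp --dump` listings (field order as given in the rpm man page) and separates timestamp-only differences from files whose contents differ between two builds. The package, paths, digests and helper names are constructed for illustration.

```python
"""Classify per-file differences between two builds using `rpm -qp --dump` output."""
from dataclasses import dataclass

# `rpm -qp --dump` prints one line per file with these 11 fields:
# path size mtime digest mode owner group isconfig isdoc rdev symlink
FIELD_COUNT = 11


@dataclass(frozen=True)
class FileEntry:
    size: int
    mtime: int
    digest: str
    mode: str
    owner: str
    group: str


def parse_dump(text):
    """Return {path: FileEntry} for one --dump listing."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Split from the right so a path containing spaces stays in one piece.
        # Assumption: symlink targets contain no whitespace.
        parts = line.rsplit(None, FIELD_COUNT - 1)
        if len(parts) != FIELD_COUNT:
            raise ValueError(f"line {lineno}: expected {FIELD_COUNT} fields")
        path, size, mtime, digest, mode, owner, group = parts[:7]
        entries[path] = FileEntry(int(size), int(mtime), digest, mode, owner, group)
    return entries


def compare_builds(a, b):
    """Sort every path into exactly one difference class."""
    report = {"identical": [], "mtime_only": [], "metadata": [],
              "content": [], "missing": []}
    for path in sorted(set(a) | set(b)):
        ea, eb = a.get(path), b.get(path)
        if ea is None or eb is None:
            kind = "missing"            # file shipped by only one build
        elif ea.digest != eb.digest or ea.size != eb.size:
            kind = "content"            # e.g. build host or time embedded in the file
        elif (ea.mode, ea.owner, ea.group) != (eb.mode, eb.owner, eb.group):
            kind = "metadata"
        elif ea.mtime != eb.mtime:
            kind = "mtime_only"         # same bytes, different build time
        else:
            kind = "identical"
        report[kind].append(path)
    return report


def payload_matches(report):
    """True when the two builds differ at most in file timestamps."""
    return not (report["content"] or report["metadata"] or report["missing"])


def _digest(ch):
    # Constructed 32-hex-digit stand-in for a per-file digest.
    return ch * 32


# Constructed listings for two builds of a hypothetical package "hello".
BUILD_A = "\n".join([
    f"/etc/hello.conf 88 1219900000 {_digest('a')} 0100644 root root 1 0 0 X",
    f"/usr/bin/hello 11512 1219900000 {_digest('b')} 0100755 root root 0 0 0 X",
    f"/usr/share/doc/hello-1.0/README 420 1219800000 {_digest('c')} 0100644 root root 0 1 0 X",
    f"/usr/share/hello/build info.txt 61 1219900000 {_digest('d')} 0100644 root root 0 0 0 X",
])
BUILD_B = "\n".join([
    f"/etc/hello.conf 88 1219903600 {_digest('a')} 0100644 root root 1 0 0 X",
    f"/usr/bin/hello 11512 1219903600 {_digest('b')} 0100755 root root 0 0 0 X",
    f"/usr/share/doc/hello-1.0/README 420 1219800000 {_digest('c')} 0100644 root root 0 1 0 X",
    f"/usr/share/hello/build info.txt 61 1219903600 {_digest('e')} 0100644 root root 0 0 0 X",
])

if __name__ == "__main__":
    result = compare_builds(parse_dump(BUILD_A), parse_dump(BUILD_B))
    for kind, paths in result.items():
        print(f"{kind:10s} {paths}")
    print("payload matches:", payload_matches(result))
```

Files in the `mtime_only` class still change the checksum of the package as a whole, which is why a second signer would have to compare per-file digests rather than the checksum of the package file.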



Seth was dubious about the general idea and upon being pressed doubted
the security gain and noted the cost incurred on users trying to verify
that a package was signed correctly. Bojan expanded[5] upon the idea
that for a “[…] multi-key, multi-build system, an attacker would need
to get his hands on a lot of private key passwords, break multiple
independent build systems […] It is similar to what a reporter does to
confirm a story. One source, not so reliable. Two sources, more
reliable. Many sources, most likely reliable.” Stephen Smoogen
described[6] this as a logical fallacy and argued that due to the number of
packages all signing would need to be automated and thus probably each
of the multiple sources would “[…] get their information from the same
top level source.”



A useful post by Nils Philippsen laid out[7] four practical objections.
Prime among these was that there were additional pieces of data, besides
those mentioned above, embedded in a specific build even though the
source package may have the same tag. The possibility of making the
build system vulnerable to a DoS attack was also mentioned. A sub-thread
on German banking practices and the value of multiple credentials
developed[8] as did one[9] on the problems of determinism in producing
identical binaries.




Tom Lane was also among those that expressed[10] a general skepticism
that the increased burden of such a scheme was realistic: “Most of us
[packagers] are overworked already. We aren’t going to jump through any
hoops for third-party signatories.” Bojan argued[11] that if the system
were automated then it probably would be vulnerable but suggested that
it would be better if a community effort to absorb the extra
non-automatic work would be a solution in line with “open source”
practices. Reluctantly he concluded “[n]ever mind, it was just an idea.
Probably not even a good one. Back to the drawing board… ;-)”


Intrusion Recovery Slow and Steady

A politely phrased request[1] was made on 25-08-2008 by Mike Chambers
for information about when normal service would resume in the Fedora
Project after the disruptions[1a]. Enigmatically Dominik ‘Rathann’
Mierzejewski observed[2] that there had been “some speculation on
fedora-advisory-board that might explain the information blackout, so
please don’t jump to conclusions until you really know what happened”.
This led Chris Adams to observe that the list archives appeared to be
offline and to restate the request for information “[…] in the absence
of information, rumors and speculation fill the gap (which is not good).”




Several days later (on 28-08-2008) a similar request was made[3] by Alan
Dunn. He wondered whether bodhi was pushing updates out again, and Josh
Boyer responded[4] that planning and implementation of “how to revoke
the current gpg key used to sign RPMs” were in progress. Jesse Keating
cautioned[5] that the migration to a new key would be slow: “I’m
currently re-signing all of the 8 and 9 content with these new keys so
that we can make them available along with the new updates with the new
key for these product lines. This is going to take some time due to the
nature of how our signing works.”




A proposal mooted[6] on @rel-eng by Warren Togami and others provided
some insight into at least the part of the plans that involve the
problem of how to distribute a new package signing key.

[6] http://lists.fedoraproject.org/pipermail/rel-eng/2008-August/001627.html

“nodata” asked[7] whether the new plans included a means to push out
critical security updates even while there was a general outage. The
thinking behind this seems to be that an attacker could decide to knock
out Fedora infrastructure in order to gain some time to exploit a known
vulnerability even if a simple fix existed. Jesse Keating replied[8]
confidently that in such a scenario the Fedora Project would do
“whatever it takes […] to get a critical update onto a public
webserver should the need arise” and cautioned against wasting time
trying to plan for every possible scenario. Toshio Kuratomi added[9]
that although it might be possible to speed up recovery “[…]
unfortunately if the infrastructure problem is bad enough, there’s no
way we can push package X out until the problem is at least partially




On 27-08-2008 Paul Johnson noted that it was possible to “compose and
build” and asked “when will updates via yum become available for
rawhide?” Jeremy Katz responded[10] that “[a]t the moment, the compose
is falling over for new reasons unrelated to the infrastructure changes.
Hopefully we’ll see a rawhide make its way out to the masses real soon now.”


Later Mike Chambers and Ola Thoresen reported[11] that updating from
Fedora 9 to Rawhide seemed to be working. Several Rawhide Reports also



= Infrastructure =

This section contains the discussion happening on the


Contributing Writer: Huzaifa Sidhpurwala

Some noteworthy praise

Paul W. Frields writes for fedora-infrastructure-list [1]

Paul forwarded a mail [2] sent by Tim Burke, who is the Director of
Linux Development inside Red Hat, praising the efforts of fedorans who
rose to the occasion to bring things back on track after the recent
incidents in Fedora infrastructure.


Maintaining a partial cvs workarea

Axel Thimm writes for fedora-infrastructure-list [3]

Axel described how he was keeping a partial check-out of packages, i.e.
the ones which he was maintaining. He would like to be able to cvs
up and have all updates flow in, but if he does so cvs will want to
fetch all the other thousand packages as well. He is currently using a for
loop with pushd/popd, but this process is extremely slow. Axel asked if
there was a better way of doing this.

rawhide, /mnt/koji and /pub/fedora

Jesse Keating writes for fedora-infrastructure-list [4]

Jesse created a user “masher” to have the ability to write to
/mnt/koji/mash/ but not any of the other koji space. This is useful to
prevent too much damage from a horribly wrong rawhide compose. To make
things easier in the rawhide compose configs, they decided to run the
cron/scripts as the masher user. This is also good because it means
things run unprivileged. However he ran into a snag. They have another
user, ‘ftpsync’ that has write access to /pub/fedora/. Previously the
rawhide script was run as root, and thus it was no problem to su ftpsync
for the rsync calls. The masher user does not possess the capability of
doing this.

New Key Repo Locations

Warren Togami writes for fedora-infrastructure-list [5]

Warren proposed the latest draft of New Key repo locations. Jesse
Keating points out that the deep levels are necessary because mirrors
exclude releases by directory name like “9/”.


= Artwork =

In this section, we cover the Fedora Artwork Project.


Contributing Writer: Nicu Buculei

The Echo icon theme and Fedora 10

Nicu Buculei asked[1] on @fedora-art about the plans to use the new Echo
icon set as a default on Fedora 10: “considering the feature freeze, the
Beta release and as Echo is not a feature proposed for F10, is correct
the assumption that we won’t have Echo as a default for F10, staying
with Mist [at least] one more release cycle?”


In reply Luya Tshimbalanga pointed[2] out that it is still possible, due
to a slip in the release cycle: “Shall we try to make it as Fedora 10
feature. Thanks to, in some extend, the incident, feature freeze has
been moved on September 9th.”


Martin Sourada shared[3] his experience “It seems like artwork things are
preferred to be decided by the Art Team rather than Fesco. I have a
feeling it might be same for Echo.” and proposed that this decision
should be made together by the Art and Desktop teams “In this case I
personally think Echo should be put on evaluation by Art Team and
Desktop Team. If both agree it’s ready for default we can roll it in
;-)” while Nicu Buculei stressed[4] the importance of having Art features
listed “from a marketing POV, if we list it as a “feature” it will be
picked by more news source and help building the excitement around the
new release.”


Automating the One Canvas workflow

In the last FWN[1] issue we covered ‘One Canvas workflow’, an innovative
way to create icons. This week it continued to be a topic on @fedora-art
and Martin Sourada introduced[2][3] a script that makes the work easier.
“[It] greatly simplifies life for Echo artist, since all they need is to
make the Source SVG, run the script on it, select which branches they’d
like to push it to and write commit message(s) – i.e. it automates most
of the process”. He also wrote a blog post[4] about this and created a
screencast[5] illustrating the process.

[1] http://fedoraproject.org/wiki/FWN/Issue140




[5] http://mso.fedorapeople.org/screencasts/echo-add-icon-screencast.ogg

= Security Advisories =

In this section, we cover Security Advisories from fedora-package-announce.


Contributing Writer: David Nalley

As there have been disruptions to the infrastructure of the Fedora
Project this week there are no Security Advisories to report. Please see
the Announcements and Development sections for more information.

Fedora 9 Security Advisories

Fedora 8 Security Advisories


= Virtualization =

In this section, we cover discussion on the @et-mgmt-tools-list,
@fedora-xen-list, @libvirt-list and @ovirt-devel-list of Fedora
virtualization technologies.

Contributing Writer: Dale Bewley

Enterprise Management Tools List

This section contains the discussion happening on the et-mgmt-tools list.

Fedora Xen List

This section contains the discussion happening on the fedora-xen list.

virt-what Script Detects Running in a Virtual Machine

Richard W.M. Jones announced[1] version 1.0 of virt-what, which is a
simple shell script that detects if you are running inside a virtual
machine, and prints some “facts” about that virtual machine.

[1] https://www.redhat.com/archives/fedora-xen/2008-August/msg00039.html

Xen 3.3.0 Released

Pasi Kärkkäinen forwarded[1] from xen-devel an announcement of Xen
3.3.0. Pasi also followed up[2] on a thread from July where Daniel P.
Berrange said about Fedora 10, “Even though we don’t have any Dom0 I’ll
update it to 3.3.0 for the xen RPM and hypervisor. This will at least
let people build their own legacy Xen kernel from upstream’s 2.6.18 xen

[1] https://www.redhat.com/archives/fedora-xen/2008-August/msg00038.html

[2] https://www.redhat.com/archives/fedora-xen/2008-August/msg00029.html

Testing LiveCD Distros as DomU Guests

Jean-Noël Chardron posted[1] a howto for testing live CD images by
booting them in a DomU with virt-install.

[1] https://www.redhat.com/archives/fedora-xen/2008-August/msg00024.html

Libvirt List

This section contains the discussion happening on the libvir-list.

Daniel P. Berrange posted[1] a todo list for libvirt which was the
product of a brainstorming session at Red Hat. Daniel offered this list
as a good starting point for those wishing to assist in the development
of libvirt.

[1] https://www.redhat.com/archives/libvir-list/2008-August/msg00718.html

Live Migration Sanity Checks

Chris Lalancette described[1] a feature that oVirt would like to see.
The feature would be a set of sanity checks a caller could make to
determine if live migration of a given virtual machine would be likely
to succeed.

[1] https://www.redhat.com/archives/libvir-list/2008-August/msg00757.html

sVirt: XML Representation of Security Labels

James Morris continued[1] work on the sVirt project by investigating how
and when to label the resources accessed by domains and proposed an XML
representation of these labels.

[1] https://www.redhat.com/archives/libvir-list/2008-August/msg00740.html

LXC: Making the Private Root Filesystem More Secure

After committing the private root filesystem code for LXC Daniel P.
Berrange noted[1] that cgroups supports device ACLs which could defend
against ‘mknod’ escapes into the host OS devices.

[1] https://www.redhat.com/archives/libvir-list/2008-August/msg00734.html

Exposing Unique Hypervisor Features

Nguyen Anh Quynh asked[1] how libvirt can expose the unique features of
a given hypervisor such as the monitor interface of Qemu. Daniel P.
Berrange responded[2] by stating the policy for adding new APIs to
libvirt is that the conceptual representation has to be applicable to
multiple hypervisors and unique concepts may be exposed if they can be
represented in a way which would also make sense for other hypervisors
in the future. This goal is also stated in the libvirt architecture

[1] https://www.redhat.com/archives/libvir-list/2008-August/msg00693.html

[2] https://www.redhat.com/archives/libvir-list/2008-August/msg00701.html

oVirt Devel List

This section contains the discussion happening on the ovirt-devel list.



Infrastructure report, 2008-08-22 UTC 1200

August 22, 2008

Last week we discovered that some Fedora servers were illegally
accessed. The intrusion into the servers was quickly discovered, and the
servers were taken offline.

Security specialists and administrators have been working since then to
analyze the intrusion and the extent of the compromise as well as
reinstall Fedora systems. We are using the requisite outages as an
opportunity to do other upgrades for the sake of functionality as well
as security. Work is ongoing, so please be patient. Anyone with
pertinent information relating to this event is asked to contact

One of the compromised Fedora servers was a system used for signing
Fedora packages. However, based on our efforts, we have high confidence
that the intruder was not able to capture the passphrase used to secure
the Fedora package signing key. Based on our review to date, the
passphrase was not used during the time of the intrusion on the system
and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been
compromised, because Fedora packages are distributed via multiple
third-party mirrors and repositories, we have decided to convert to new
Fedora signing keys. This may require affirmative steps from every
Fedora system owner or administrator. We will widely and clearly
communicate any such steps to help users when available.

Among our other analyses, we have also done numerous checks of the
Fedora package collection, and a significant amount of source
verification as well, and have found no discrepancies that would
indicate any loss of package integrity. These efforts have also not
resulted in the discovery of additional security vulnerabilities in
packages provided by Fedora.

Our previous warnings against further package updates were based on an
abundance of caution, out of respect for our users. This is also why we
are proceeding with plans to change the Fedora package signing key. We
have already started planning and implementing other additional
safeguards for the future. At this time we are confident there is little
risk to Fedora users who wish to install or upgrade signed Fedora

In connection with these events, Red Hat, Inc. detected an intrusion of
certain of its computer systems and has issued a communication to Red
Hat Enterprise Linux users which can be found at
http://rhn.redhat.com/errata/RHSA-2008-0855.html. This communication
states in part, “Last week Red Hat detected an intrusion on certain of
its computer systems and took immediate action. While the investigation
into the intrusion is on-going, our initial focus was to review and test
the distribution channel we use with our customers, Red Hat Network
(RHN) and its associated security measures. Based on these efforts, we
remain highly confident that our systems and processes prevented the
intrusion from compromising RHN or the content distributed via RHN and
accordingly believe that customers who keep their systems updated using
Red Hat Network are not at risk. We are issuing this alert primarily for
those who may obtain Red Hat binary packages via channels other than
those of official Red Hat subscribers.”

It is important to note that the effects of the intrusion on Fedora and
Red Hat are *not* the same. Accordingly, the Fedora package signing key
is not connected to, and is different from, the one used to sign Red Hat
Enterprise Linux packages. Furthermore, the Fedora package signing key
is also not connected to, and is different from, the one used to sign
community Extra Packages for Enterprise Linux (EPEL) packages.

We will continue to keep the Fedora community notified of any updates.

Thank you again for your patience.

Paul W. Frields
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
http://paul.frields.org/ –  –   http://pfrields.fedorapeople.org/
irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug

Infrastructure status, 2008-08-19 UTC 0200

August 19, 2008

Our team has been hard at work for several days now, restoring services
in the Fedora infrastructure. We started with what we identified as
Fedora’s “critical path,” those systems required to restore minimum
daily operation. That work to be completely finished by the end of the
day. We then move on to our other value services to complete them as
soon as possible.

Please give the infrastructure team the time they need to do this
demanding work. They have been doing a spectacular job and deserve the
absolute highest credit.

The systems that are now back online and usable include the following:
* Puppet, Xen and FAS hosts
* app1, app3, and app4
* database and proxy servers
* the majority of the Xen guest machines
* serverbeach5, serverbeach4
* Fedora Hosted**

The systems that should be available very soon:
* asterisk1 and collab1
* cvs1
* builders, x86 and ppc
* Fedora People

We know the community is awaiting more detail on the past week’s
activities and their causes. We’re preparing a timeline and details and
will make them available in the near future. We appreciate the
community’s patience, and will continue to post updates to the
fedora-announce-list as soon as possible.

= = =
** New SSH fingerprint for Fedora Hosted:

Paul W. Frields, Fedora Project Leader
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://paul.frields.org/ – – http://pfrields.fedorapeople.org/
irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug

Infrastructure status, 2008-08-16 UTC 1530

August 17, 2008

The Fedora Infrastructure team continues to work on the issues we
discovered earlier this week.  Right now, we’re getting the account
system restored to service, along with some of the application servers.
We’re also taking advantage of the outages to upgrade a few systems at
the same time.

Some services such as the Account System and the wiki should return to
normal over the weekend, but we expect outages to continue for some
other systems.  Please be patient as we continue to work the problem.

Paul W. Frields
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
http://paul.frields.org/ –  –   http://pfrields.fedorapeople.org/
irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug

Important infrastructure announcement

August 15, 2008

The Fedora Infrastructure team is currently investigating an issue in
the infrastructure systems. That process may result in service outages,
for which we apologize in advance. We’re still assessing the end-user
impact of the situation, but as a precaution, we recommend you not
download or update any additional packages on your Fedora systems.

We’ll share updates as we develop more information. Those updates will
be published here on the public fedora-announce-list:

Thanks for your patience as we continue working on this.

Paul W. Frields
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://paul.frields.org/ – – http://pfrields.fedorapeople.org/
irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug

[Fwd: bugzilla.redhat.com Web UI, Database, XMLRPC Planned Outage | August 2nd, 2008 – 9:00 AM EST – 7:00 PM EST]

July 31, 2008

Reminder: This Weekend

——– Original Message ——–
Subject: bugzilla.redhat.com Web UI, Database, XMLRPC Planned Outage |
August 2nd, 2008 – 9:00 AM EST – 7:00 PM EST
Date: Tue, 29 Jul 2008 00:05:42 -0400
From: Dave Lawrence


Severity Two (High)

Scheduled Date:
August 2nd, 2008

Scheduled Time:
9:00 AM EST – 7:00 PM EST

Estimated Time Required:
10 hours

Performed By:
Red Hat Engineering Operations

People/Groups Impacted:
Users of bugzilla.redhat.com and any services that rely on

Site/Services Affected:
bugzilla.redhat.com Web UI, Database, XMLRPC

bugzilla.redhat.com will be unavailable during the posted
time on August 2nd, 2008.

On August 2nd, bugzilla.redhat.com will go down for an
update to the latest upstream code base. During this time
the web servers will be reinstalled with the latest OS
updates as well as the latest Bugzilla code. Also the
database servers will undergo a data migration to be made
compatible with the latest Bugzilla code. The web UI,
database, and all XMLRPC services will be unavailable during
the migration. Services that rely on bugzilla.redhat.com may
not function properly during this time so please let your
users know about the outage as well.

Also please take time to point your services/scripts at our
test server https://partner-bugzilla.redhat.com to make sure
that they will still work with the new system once it goes
live. Care has been taken to make the new system backwards
compatible as much as possible with the old XMLRPC API but
still confirm that they work properly. If you encounter any
problems, please contact bugzilla-owner redhat com or file a
bug at

kbaker redhat com


Fedora Weekly News Issue 136

July 29, 2008

=== Fedora Weekly News Issue 136

Welcome to Fedora Weekly News Issue 136 for the week ending July 26, 2008.


Fedora Weekly News keeps you updated with the latest issues, events and
activities in the Fedora community.

If you are interested in contributing to Fedora Weekly News, please see
our ‘join’ page. Being a Fedora Weekly News beat writer gives you a
chance to work on one of our community’s most important sources of news,
and can be done in only about 1 hour per week of your time.

We are still looking for a beat writer to summarize the Fedora Events
and Meetings that happened during each week.


* 1 Fedora Weekly News Issue 136

o 1.1 Announcements
+ 1.1.1 FESCo Election Results
+ 1.1.2 Cast your vote for the Fedora 10 Codename!
+ 1.1.3 Fedora 10 Alpha Freeze
+ 1.1.4 Announcing the Fedora OLPC Special Interest Group
+ 1.1.5 Fedora Unity releases updated Fedora 9 Re-Spin
+ 1.1.6 Feature Process Improvements
+ 1.1.7 FUEL opens up collaborative standardization of localization terms

o 1.2 Planet Fedora
+ 1.2.1 Shameless Recruiting Pitch
+ 1.2.2 Intel’s Moblin moves to Fedora
+ 1.2.3 Events
+ 1.2.4 Tech Tidbits
+ 1.2.5 Other Interesting Posts

o 1.3 Marketing
+ 1.3.1 Linus Torvalds’ personal Linux distro? Fedora 9, of course
+ 1.3.2 Asus Eee PC Fedora Respin
+ 1.3.3 Zimbra changes license to address Fedora concerns
+ 1.3.4 Seneca College teams with FOSS projects for hands-on learning
+ 1.3.5 Intel’s Moblin switches from Ubuntu in favor of Fedora
+ 1.3.6 Fedora launches OLPC group
+ 1.3.7 Ring. Ring. It’s Fedora calling
+ 1.3.8 Linux Symposium Proceedings Available
+ 1.3.9 Video: Fedora Live

o 1.4 Ambassadors
+ 1.4.1 FAD EMEA 2008 – Date & Location Determined
+ 1.4.2 Planning for Fedora 10 Release Parties
+ 1.4.3 Event Reports Reminder

o 1.5 Developments
+ 1.5.1 Erratum: FWN#133 “Shark” is a JIT not a VM
+ 1.5.2 New libraw1394 Rebuild Exposes Closed ACLs
+ 1.5.3 XULRunner Security Update Breakage Stimulates Bodhi Discussion
+ 1.5.4 Broken Upgrade Paths Due to NEVR
+ 1.5.5 Application Installer “Amber” Provides Browser Interface to Packages
+ 1.5.6 RPM Inspires Intel Moblin2 Shift From Ubuntu

o 1.6 Artwork
+ 1.6.1 Nodoka development
+ 1.6.2 Gathering feed-back about Fedora 10 theme proposals
+ 1.6.3 A possible Bluecurve revival

o 1.7 Security Advisories
+ 1.7.1 Fedora 9 Security Advisories
+ 1.7.2 Fedora 8 Security Advisories

=== Announcements

In this section, we cover announcements from the Fedora Project.



Contributing Writer: Max Spevack

=== FESCo Election Results

Brian Pepple announced the results of the Fedora Engineering Steering
Committee election[1]:

“The results of the Fedora Engineering Steering Committee (FESCo)
election are in: Bill Nottingham, Kevin Fenzi, Dennis Gilmore, Brian
Pepple, and David Woodhouse have been elected to full two-release terms,
and Jarod Wilson, Josh Boyer, Jon Stanley and Karsten Hopp have been
elected to a one-release term.”


=== Cast your vote for the Fedora 10 Codename!

Josh Boyer reminded folks to vote[1]:

“As long as you have signed the CLA and belong to one additional group
in the Fedora Account System, you can cast your vote.

Voting will end and be tallied at 23:59:59 28 July 2008 UTC.”


=== Fedora 10 Alpha Freeze

Jesse Keating announced[1]:

“We have our first development freeze of the Fedora 10 cycle tomorrow.
This is the alpha freeze, which is non-blocking. Release Engineering
will be making a freeze inside the buildsystem of tomorrow’s rawhide
content. This will be the basis of the Fedora 10 Alpha release.”


=== Announcing the Fedora OLPC Special Interest Group

Greg DeKoenigsberg announced[1]:

“Thus, I am proud to announce the formation of the Fedora OLPC Special
Interest Group. Our mission: to provide the OLPC project with a strong,
sustainable, scalable, community-driven base platform for innovation.

Immediate Goals:

1. To identify and take responsible ownership of as many OLPC base
packages as possible.

2. To maintain an excellent Sugar environment for Fedora, including a
dedicated Sugar spin.

3. To identify useful opportunities for collaboration (infrastructure,
localization, etc.)”


=== Fedora Unity releases updated Fedora 9 Re-Spin

Jeroen van Meeuwen informed us[1]:

“The Fedora Unity Project is proud to announce the release of new ISO
Re-Spins (DVD) of Fedora 9.

These Re-Spin ISOs are based on the officially released Fedora 9
installation media and include all updates released as of July 18th,
2008. The ISO images are available for i386 and x86_64 architectures via
Jigdo starting Sunday, July 20th, 2008.”


=== Feature Process Improvements

John Poelstra had some excellent news on the feature front[1]:

“I was recently talking with Paul Frields about how to make the feature
process more accessible… this combined with feedback in the rpm thread
have led to a (hopefully) clearer presentation of how the feature
process works.”


=== FUEL opens up collaborative standardization of localization terms

FUEL (Frequently Used Entries for Localization) aims to solve the
problem of inconsistency and lack of standardization in computer
software translation across platforms, for all languages. It will try
to give the computer users of each language a standardized and
consistent look for their software.


=== Planet Fedora

In this section, we cover the highlights of Planet Fedora – an
aggregation of blogs from Fedora contributors worldwide.


Contributing Writer: Max Spevack

=== Shameless Recruiting Pitch

We begin this week’s summary of Planet Fedora with a recruitment pitch
for Fedora Weekly News beat writers, scribed by Karsten Wade.

=== Intel’s Moblin moves to Fedora

The topic that took Planet Fedora by storm on Friday and Saturday was
the announcement of Intel’s Moblin moving from Ubuntu to Fedora as its
base OS. Yaakov Nemoy, John Palmieri, Seth Vidal, and Karsten Wade all
weighed in with their thoughts.

=== Events

A number of event reports were posted on Planet Fedora this week.

* LUG Radio Live UK, attended by Max Spevack.
* Ottawa Linux Symposium (day 1), as reported by Dennis Gilmore.
* LTSP Hackfest (day 1), which included hackers from numerous Linux
distros, and Fedora’s own Warren Togami.
* A GUADEC trip report (including pictures) from Dimitris Glezos.
* A second place finish in the 2008 RoboCup World Championships,
with a report from Tim Niemueller.

In other event news:

* Sandro “red” Mathys has posted details about the upcoming Fedora
Ambassador Day EMEA.
* James Morris shared his Ottawa Linux Symposium paper with us,
which is a detailed update on SELinux.

=== Tech Tidbits

Transifex 0.3 has been released. “Transifex 0.3 is a major release,
including a lot of under-the-hood changes. We’ve added full i18n
support, and now in addition to the templates, per-module information
stored in the database, such as names and descriptions, can be
translated as well,” explains project lead Dimitris Glezos.

Lorenzo Villani is working on adding the ZYpp stack into Fedora. He
explains, “It seems that with the latest releases of sat-solver, libzypp
and zypper, the whole stack has become more stable on Fedora,
especially, in the past few weeks I wasn’t able to update packages due
to various resolver’s problems, but now it seems that ‘zypper up’ does
its job smoothly.”

Fedora Electronics Lab now has its own mailing list, and there has been
lots of discussion about this particular respin on Planet Fedora over
the past few days.

Red Hat Magazine has a great article about NetworkManager, written by
Kyle Gonzales.

=== Other Interesting Posts

Nicu Buculei gave us a detailed look at the first round of themes that
have been developed by the Art Team for Fedora 10.

David Nalley authored what might be the first in a four part series
about Fedora’s new “Freedom, Friends, Features, First” marketing focus.
This post focuses on the Freedom topic.

=== Marketing

In this section, we cover the Fedora Marketing Project.


Contributing Writer: Pascal Calarco

=== Linus Torvalds’ personal Linux distro? Fedora 9, of course

Larry Cafiero reported[1] that the creator of Linux, Linus Torvalds,
currently uses Fedora 9 “on most of his computers” as reported in a
recent interview[2]. “I’ve used different distributions over the years
… Fedora had fairly good support for PowerPC back when I used that, so
I grew used to it. But I actually don’t care too much about the
distribution, as long as it makes it easy to install and keep reasonably
up-to-date,” Torvalds added.



=== Asus Eee PC Fedora Respin

Valent Turkovic asked[1] if there was interest in working on a Fedora
spin for the Eee PC. Clint Savage reported[2] that his kickstart for the
Eee is working almost perfectly, and Mathieu Bridon pointed[3] to the
[EeePc wiki page] for this activity.




=== Zimbra changes license to address Fedora concerns

Rahul Sundaram reported[1] that Yahoo has responded[2] to the suggestion
that the license language for Zimbra be modified to allow it to be
consonant with the Fedora project, which now paves the way for Zimbra to
be made available in Fedora. “Our colleagues in the Fedora community
were concerned that the old version of 6.2 did not give licensees enough
certainty that they could keep exercising their license, even if they
followed its requirements. We thought this change was a reasonable
request, and we were very pleased that we were able to respond to the
Fedora community in the way they asked. Many thanks to our Fedora
friends for their input,” the Yahoo spokesman explained. Jeroen Van
Meeuwen added[3] that efforts are already underway to package Zimbra for


[2] http://www.zimbra.com/forums/announcements/19581-license-5-0-7-foss.html


=== Seneca College teams with FOSS projects for hands-on learning

Rahul Sundaram shared[1] a feature[2] from Linux.com detailing the
growth of the free and open source software program at Seneca College in
Toronto, Canada. Beginning this fall, thanks to Fedora, it will add the
graduate-level Linux/Unix System Administration program. The article
continues with Greg DeKoenigsberg, Fedora’s liaison with Seneca, saying,
“There’s a lot of knowledge that’s just not taught that you need [in
order] to participate in an open source project. There’s a difference in
how open source is approached [compared to] traditional software, and
it’s not like you can learn it in a book. It’s very much an
apprenticeship model.”


[2] http://www.linux.com/feature/140097

=== Intel’s Moblin switches from Ubuntu in favor of Fedora

Rahul Sundaram shared[1] news reported in the UK’s Register that Intel
has shifted from use of Ubuntu to Fedora. “Under the changes, the
existing Ubuntu-based kernel is out and Fedora is in, along with a set
of Gnome-compatible mobile components that updates Moblin’s previous
Gnome implementation.” Intel’s director of Linux and open-source
strategy explained that “there was no falling out with Ubuntu, but the
move to Fedora was a technical decision based on the desire to adopt RPM
for package management.” Rahul followed up with more information on this
development[3], reported later in heise open source[4].


[2] http://www.theregister.co.uk/2008/07/23/moblin_reworked/



=== Fedora launches OLPC group

Rahul Sundaram forwarded[1] news[2] that the Fedora Project has started
an Open Laptop per Child[3] Special Interest Group to help with the
educational computing effort. Fedora will offer increased help with
package maintenance for OLPC, “maintain an excellent Sugar environment
for Fedora, including a dedicated Sugar spin; to identify opportunities
for collaboration on things such as infrastructure and localisation.” A
discussion list has also been established[4] for this, and all are
welcome to join these efforts.


[2] http://www.tectonic.co.za/?p=2647

[3] http://www.laptop.org/

[4] https://www.redhat.com/mailman/listinfo/fedora-olpc-list

=== Ring. Ring. It’s Fedora calling

Rahul Sundaram shared[1] a story in CNET News[2] this week about Fedora
Talk[3], a VOIP project that “allows Fedora contributors to use any
standard VoIP hardware or software to sign into the Fedora system and
make and receive calls to other Fedora contributors.” CNET added, “It’s
an intriguing way for the Fedora community to tighten the development
process by bringing developers together. IM, mailing lists, and e-mail
are great, but talking with someone is sometimes the best way to make
things happen.”


[2] http://news.cnet.com/8301-13505_3-9998526-16.html

[3] http://talk.fedoraproject.org/

=== Linux Symposium Proceedings Available

Rahul Sundaram posted[1] that the 2001-2008 proceedings of the Linux
Symposium[3] were now freely-available[4], along with the GCC Summit


[2] http://ols.fedoraproject.org

[3] http://www.linuxsymposium.org/

[4] http://ols.fedoraproject.org/

=== Video: Fedora Live

Rahul Sundaram shared[1] a recent article in Red Hat Magazine[2]
featuring the Fedora Project’s Paul Frields talking with developer
Jeremy Katz “to discuss the Live USB feature debuted in Fedora 9 … See
a live demo of the persistent desktop, and find out how to get more
involved in the next Fedora release.”


[2] http://www.redhatmagazine.com/2008/07/23/video-fedora-live/

=== Ambassadors

In this section, we cover the Fedora Ambassadors Project.


Contributing Writer: Jeffrey Tadlock

=== FAD EMEA 2008 – Date & Location Determined

Sandro Mathys announced[1] that the date and location for FAD EMEA 2008
have been determined. It will take place in Basel, Switzerland from
2008-11-14 to 2008-11-16. Additional information is available on the FAD
EMEA 2008 wiki page[2].


[2] https://fedoraproject.org/wiki/FAD/FADEMEA2008

=== Planning for Fedora 10 Release Parties

Francesco Ugolini posted[1] to the ambassadors list a request for
feedback for planning for Fedora 10 release parties. We had great
success with our Fedora 9 release parties – be sure to get your
suggestions in for planning Fedora 10 release parties in the future.


=== Event Reports Reminder

Max Spevack posted[1] a reminder that event reports are required if you
were the leader of an event. Event reports are also encouraged from
attendees of events. The event reporting guidelines page[2]
covers what should be included in an event report.


[2] https://fedoraproject.org/wiki/FedoraEvents/ReportingGuidelines

=== Developments

In this section the people, personalities and debates on the
@fedora-devel mailing list are summarized.

Contributing Writer: Oisin Feeley

=== Erratum: FWN#133 “Shark” is a JIT not a VM

Gary Benson kindly corrected an error in FWN#133 “Java, So Many Free
Choices”[1] which reported on the work being done by Red Hat engineers
to expand the availability of a FOSS Java across more architectures. The
gist of the correction is that Shark is not a Virtual Machine (VM) as
stated in the article. Gary explained that OpenJDK is composed of a VM
named HotSpot and a class library. HotSpot runs on a limited number of
architectures and so there have been two independent attempts to
increase VM coverage. One of these is a pre-existing project named CACAO,
which is a VM whose maintainers are implementing the OpenJDK class
interface. The other is a Red Hat initiative, named zero, to remove
architecture-specific code from HotSpot in order to make compilation on
diverse platforms easier. Because zero is slow, it is in need of a JIT. This
JIT could well end up being Shark. Thanks to Gary for taking the time to
clarify this point. We encourage readers to correct important technical
issues and misunderstandings and can be contacted via

[1] http://fedoraproject.org/wiki/FWN/Issue133#Java.2C_So_Many_Free_Choices

=== New libraw1394 Rebuild Exposes Closed ACLs

A simple warning made[1] by Jarod Wilson of a soname bump of libraw1394
(which among other things allows easy switching between juju and the
older drivers) revealed that Fedora’s KDE maintainers are not using open
ACLs for their packages. The issue of whether open ACLs should be used
to allow any interested community member (e.g. with a FAS account) to
start making changes without bureaucracy has been visited several times
on @fedora-devel and has been argued[1a] to be one of the exciting
“post-merge” aspects of the FedoraProject. Objections have included
those based on security (see FWN#112 “Open By Default: New FAS Groups
Proposed”[1b]) and the logistics of co-ordinating such open access (see
FWN#91 “Community Control And Documentation Of New Workflows”[1c]). At
times it has appeared that those who were non-Red Hat employees and
contributing to the pre-merge “Extras” repository were the strongest
advocates for open ACLs.


[1a] http://lwn.net/Articles/237700/


Jarod provided a short list of affected packages including kdebase and
kdebase3 and wondered whether he should “do a fancy chainbuild[2], or
just let rawhide be busted for a day?” Following advice received[3]
offlist he decided that the procedure would be to first bump and tag
each of the packages, and then from within the devel-branch of a
dependent package issue a:

[jwilson foo fedora-cvs/pkg11/devel]$ make chain-build CHAIN="libraw1394 pkg1 … pkg10"



This eventually worked[4], but first Jarod had to contact maintainers
that disallowed commit access using open ACLs and get them to do the
bump and tag in order to use the above method.


Early on in the chain of events Kevin Kofler noted[5] the necessity to
do this for the KDE packages. “Drago01” wondered why there were closed
ACLs to which Rex Dieter replied[6] that it was not necessary for
non-core development platform bits and he would try to change the ACLs
for them. Konrad Meyer defended[7] the choice on the basis that “KDE is
a major system component and the KDE team (which is something like 6-8
people) does a very good job of fixing things as soon as they need
fixing.” Further probing for an actual reason by Rahul Sundaram resulted
in Konrad stating[8] that it was necessary to prevent people from making
mistakes and that the kernel package was handled similarly. Rahul was
unconvinced by this and Jon Stanley agreed[9] it should be possible, as
with GNOME, to use open ACLs to allow anyone to help.






=== XULRunner Security Update Breakage Stimulates Bodhi Discussion

After Michael Schwendt published[1] a summary of broken dependencies for
Fedora 9 it was noticed[2] by Martin Sourada that most of the problems
were due to a recent update of xulrunner which now provides gecko-libs
(see FWN#110[3].) Martin discovered that gxine, which was his particular
responsibility, did not depend on a specific version of gecko-libs and
thus removed the versioned dependencies. He suggested that a review be
carried out of the other affected packages to determine whether this was
also the case for them.




Martin was further concerned that the policies for pushing security
updates for a stable release be examined in the light of this particular
case because it would fail to install due to all the broken
dependencies. He suggested that it ought to be possible to use chain
builds (the Koji buildsystem allows packages to be grouped into sets
during the build process and to only report success if all the packages
complete perfectly) to ensure that such breakage does not occur. He also
wondered why the security update was not mentioned on the
“-devel(-announce) list?”

Nicolas Mailhot agreed[4] strongly, wondering: “why the hell is this
stuff not tested in -devel first? […] When the update process is not
streamlined in -devel, it’s no surprise it bombs in -stable when
security updates are due.” The answers to these questions came from Adel
Gadllah (drago01) who replied[5] that as it was a security fix it had to
go to updates-stable immediately instead of following the normal
procedure[6]. David Nielsen interjected[7] that this method did not
deliver a quick security fix because those using, for example, epiphany
failed to get the update because the dependencies had not been properly
handled. Michael Schwendt also made[8] the same point: “Doesn’t matter.
It doesn’t install at all if it breaks dependencies of *installed*
packages. Not even --skip-broken helps in that case.” Adel clarified[9]
that he was explaining “why it was done, not that it was the right thing
to do. As I already said, bodhi should block updates that break deps.”



[6] Generally bleeding-edge changes for the next version of Fedora are
published in the “fedora-rawhide” repository, which is derived from a
CVS branch named “-devel”. The “fedora-updates-testing” repository
contains bleeding edge changes for the current maintained release, the
idea being that volunteers will test them and provide feedback before
they are pushed to the “fedora-updates” repository for general consumption.




=== Broken Upgrade Paths Due to NEVR

A report listing packages which failed to upgrade smoothly was
emailed[1] to the list on Mon 21st. This would appear[2] to be the
output of Jesse Keating’s revamped version of the old Extras script
upgradecheck (previously discussed in FWN#108 “Package EVR Problems”[3])
which examines Koji tags[4] to determine whether upgrades from one
package version to another will work.



[3] http://fedoraproject.org/wiki/FWN/Issue108#Package.EVR.Problems

[4] http://fedoraproject.org/wiki/Koji

Michael Schwendt noticed[5] that at least one reported failure, of
audacity to upgrade from “dist-f8-updates-testing” to “dist-f9-updates”
was a false positive because it omitted to take the possible
intermediate tag “dist-f9-updates-testing” into account. Jesse Keating
pondered[6] the idea and while admitting the possibility that someone
might “at one time [have] installed F8 testing updates, and then
upgraded to F9 + updates, but without F9 updates-testing. However, it’s
more plausible that if they were using updates-testing on F8 that they
would upgrade to F9 + updates + updates-testing.” He suggested that he
would break the testing down into two separate paths: “F8, F8-updates,
f9-updates” and “F8-updates-testing, F9-updates-testing” and also list
the person that built the broken instance instead of listing the owners
of the broken packages.
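
An added example (not Jesse Keating's upgradecheck script or any Fedora code): a minimal version of the check described above, which matters because a build that sorts lower than the one already installed is never offered by yum, so any fix it carries, security fixes included, does not reach the user. It reproduces the audacity false positive on a mixed path and shows the two split paths. The tag contents, the EVR strings and the `examplepkg` package are constructed, and the comparison is the classic rpm segment algorithm without the later tilde/caret rules.

```python
"""Upgrade-path check over per-tag package EVRs (constructed sample data)."""
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Classic rpm segment comparison; returns -1, 0 or 1.

    Simplification: tilde/caret ordering (added to rpm later) is not handled.
    """
    if a == b:
        return 0
    segs_a, segs_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(segs_a, segs_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            x, y = int(x), int(y)      # numeric compare: "10" sorts above "9"
        elif x_num != y_num:
            return 1 if x_num else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the side with segments left over is newer.
    return (len(segs_a) > len(segs_b)) - (len(segs_a) < len(segs_b))


def parse_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release


def evrcmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def broken_upgrades(tags, path):
    """Walk the tags in `path` order and report every step down in EVR.

    Returns (pkg, old_tag, old_evr, new_tag, new_evr) tuples: a user who has
    old_evr installed is never offered new_evr from new_tag.
    """
    breaks = []
    newest = {}  # pkg -> (tag, evr): newest build seen so far along the path
    for tag in path:
        for pkg, evr in sorted(tags.get(tag, {}).items()):
            if pkg in newest and evrcmp(evr, newest[pkg][1]) < 0:
                breaks.append((pkg, *newest[pkg], tag, evr))
            else:
                newest[pkg] = (tag, evr)
    return breaks


# Constructed tag contents; the EVR strings are illustrative, not real builds.
TAGS = {
    "dist-f8": {"audacity": "1.3.2-20.fc8", "examplepkg": "0.5.11-15.fc8"},
    "dist-f8-updates": {"audacity": "1.3.4-0.4.fc8"},
    "dist-f8-updates-testing": {"audacity": "1.3.5-0.6.beta.fc8"},
    "dist-f9-updates": {"audacity": "1.3.5-0.4.beta.fc9",
                        "examplepkg": "0.5.11-14.fc9"},
    "dist-f9-updates-testing": {"audacity": "1.3.5-0.6.beta.fc9"},
}

# Mixed path: F8 testing straight to F9 stable, skipping F9 updates-testing.
MIXED_PATH = ["dist-f8-updates-testing", "dist-f9-updates"]
# The two paths proposed in the discussion above.
STABLE_PATH = ["dist-f8", "dist-f8-updates", "dist-f9-updates"]
TESTING_PATH = ["dist-f8-updates-testing", "dist-f9-updates-testing"]

if __name__ == "__main__":
    for name, path in [("mixed", MIXED_PATH), ("stable", STABLE_PATH),
                       ("testing", TESTING_PATH)]:
        for pkg, old_tag, old, new_tag, new in broken_upgrades(TAGS, path):
            print(f"{name}: {pkg} {old} ({old_tag}) > {new} ({new_tag})")
```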



As the owner can change per branch Michael Schwendt suggested that the
pkgdb could be queried for branch-specific ownership data, but Jesse
thought that it was more interesting to know who built the package
rather than who owned it. He hoped that “the -contact fedoraproject
org or some such gets created soon so that the script can just email
that + the person whom built the problematic package” and Seth Vidal
quickly implemented[7] this after Toshio Kuratomi made some changes to


=== Application Installer “Amber” Provides Browser Interface to Packages

A description was posted[1] by Owen Taylor of a visual means to rate,
browse and install packaged applications in a repository. The discussion
around this revealed some differences over the advisability of providing
separate ways for ordinary end-users on the one hand and package
maintainers on the other to discover and discuss the software available
from the FedoraProject. Owen’s post was to announce that he had hacked
up a web-browser plugin (a detailed README is available[2] which
includes discussion of security and cross-browser support) which used
PackageKit to allow the installation of packages selected from this
website. He had hopes that this would be “robust against inter-distro
differences in package names” and wondered “[w]hat do people think…
does this make sense as part of the PackageKit project?”


[2] http://git.fishsoup.net/cgit/packagekit-plugin/tree/README

Following a suggestion from Tom Callaway that it be integrated with
PackageDB (this is the central repository of meta-information on
packages and is currently targeted to the needs of package maintainers
and release-engineering[3] to track ownership and ACLs[4]) there were
questions from Jeff Spaleta about what that meant. Owen replied[5] with
more detail, and explained that the web application would take
information from PackageDB but that the plugin would use PackageKit (and
YUM and hence comps.xml) to display actual installable packages. He
listed other possible operations beyond simple installation of packages.
It would be possible to offer installation to any anonymous user, but
after authentication rating and commenting on packages could be
authorized for users in the FAS[6] class. Similarly, the ability to edit
package information could be authorized for package owners.

[3] https://admin.fedoraproject.org/pkgdb

[4] https://fedorahosted.org/packagedb/


[6] https://admin.fedoraproject.org/accounts/

Jeff emphasized[7] that he would prefer to see Owen’s interface replace,
or augment, the existing PackageDB one[8] in order to increase
user-maintainer communication by simplifying and reducing the number of
interfaces. Bill Nottingham wondered[9] “Does anyone actually use
packagedb to browse for available software?” and although there were a
couple of affirmative replies there was no aggregate data presented to
answer this question. Nicolas Mailhot replied[10] with some possible
uses for expanded meta-information based upon the experience of the
Fonts SIG.


[8] https://admin.fedoraproject.org/pkgdb



Robin Norwood explained[11] to Jeff that the PackageDB was for one
audience “(mostly) targeted at people interested in the plumbing of
Fedora” while the new interface was “targeted at people who are looking
for applications to install and ‘do stuff’ with.” He posted[12] a link
to the Feature page for this ApplicationInstaller. Work seems to have
progressed quite far with both the web-application side, which is
tentatively named “Amber” and is available for proof-of-concept
testing[13] and also with Owen’s plugin.


[12] http://fedoraproject.org/wiki/Features/ApplicationInstaller

[13] http://publictest10.fedoraproject.org/amber

Jeff re-iterated[14] his point that “driving users to a different site
than the package maintainers… and allowing them to comment [is] going
to cause a communication gap” and characterized this as “driveby
commenting and rating.” Matthias Clasen did not accept that the use
cases and requirements were the same as those for PackageDB and argued
that “[t]his is not an effort to improve package quality or gain new
contributors. This is an effort to make life of users better. It is not
about packages, but about applications.” Robin was[15] against Jeff’s
idea of a “monolithic app” and emphasized that he was using existing
infrastructure to provide a new interface and also planning easy export
of the data. He envisioned this data as providing, for example, a feed
of comments about each package to PackageDB: “More of a semantic web
type idea than an isolated database or a ‘one-stop shop’.”



=== RPM Inspires Intel Moblin2 Shift From Ubuntu

An excited Peter Robinson copied[1] a link to “The Register” to the
list. The article claimed that Intel’s next version of “Moblin”[2]
(cunningly codenamed Moblin2) would be replacing the “Ubuntu-based
kernel” with the Fedora kernel and cited Dirk Hohndel. Specifically it
attributed a desire to “move to Fedora [as] a technical decision based
on the desire to adopt RPM for package management [and also that] having
a vibrant community push is the winning factor.” The article has since
been rebuffed[3] by Hohndel in a comment on one of his blogs as “not
only low on detail, it’s also high in content that’s made up or blown
out of proportion” but he does confirm that “we decided to move to an
rpm based distribution as that gave us better build tools and most
importantly a better way to manage the licenses under which the
individual packages are released.”


[2] Moblin is a GNU/Linux-based software stack for Mobile Internet
Devices which includes Xorg, GStreamer, ALSA, the MatchboxWM, GTK, Cairo,
Pango, D-Bus, Avahi, Evolution Data Server and more. In order to make
life easy for developers a Moblin Image Creator makes it easy to create
a small 350-600MB binary image for a particular architecture. Moblin
explicitly aims to provide an alternative to GNOME and KDE.

[3] http://www.hohndel.org/communitymatters/moblin/moblin-at-oscon/

Commentary on @fedora-devel tended to cautious optimism mixed with a
desire for a lot more information. Jeff Spaleta asked[4] whether the
idea was to have Moblin2 be a “part of the larger Fedora project or is
it going to be a downstream derived distribution that will include
components such that it can not carry the Fedora name?” and broached the
idea that Moblin2 might be a candidate for a Secondary Architecture (see
FWN#90[5] and FWN#92[6].) David Woodhouse (posting with an Intel.com sig)
also liked[7] the idea of a Moblin2 SIG producing a Fedora spin for MIDs
(Mobile Internet Devices.)



[6] http://fedoraproject.org/wiki/FWN/Issue92#Secondary.Arch.Proposal.Cont


While “yersinia” thought that the emphasis on RPM was interesting, Hans de
Goede was intrigued[8] by the emphasis on community activity. Hans
suggested that Jeff Spaleta contact Dirk Hohndel to emphasize the
dynamic nature of the FOSS community behind Fedora. Jeff suggested that
Karsten Wade could meet with Dirk at this week’s OSCON[9]. Ex-Red Hat
star employee Arjan van de Ven volunteered[10] to do what he could to help
make contact with Dirk, describing himself as “on the other side of a
cube wall” from him. In response to Rahul Sundaram’s request for
concrete information from Intel, Arjan responded[11] that he would do his
best to get the right people to make contact, but that much of the
speculation on @fedora-devel concerned topics which have an “eh we don’t
know yet” answer. He also repeated cautions against believing anything
which journalists write.


[9] http://en.oreilly.com/oscon2008/public/content/home



Paul Frields followed up[12] with details of a meeting at OSCON with
senior Fedora hackers. It seemed that the ability to use OpenSuSE’s Open
Build System (which is based on RPM) was one of the main motivations
behind Intel’s move. Apparently Koji (the Fedora Project’s buildsystem)
lacks some specific functionality. Discussion between Paul Frields and
Jeff Spaleta centered[13] around whether the apparent Moblin2 plan of
acting as a downstream derivative of the Fedora kernel would allow them
to garner community contributions and whether this mattered anyway given
Intel’s vast resources.



Arthur Pemberton thought that this was a good opportunity to take on
some of the anti-RPM and anti-YUM misinformation which had been spread
about. David Nielsen thought it was best to merely demand proof from
those spreading FUD. Seth Vidal conceded[14] that perhaps not enough had
been done to publicize the improvements in YUM and RPM over the last few
years and cited[15] a particular case-study of a smartpm user comparing
it with YUM to the advantage of the latter.



=== Artwork

In this section, we cover the Fedora Artwork Project.


Contributing Writer: Nicu Buculei

=== Nodoka development

After Martin Sourada laid out some plans last week for the Nodoka GTK2
theme engine development, he updated the Fedora Art list with news about
the topic: “Considering that the Feature freeze for F10 is nearing and I
haven’t finished yet with the sketching, I’ll push it for Fedora 11,
while in Fedora 10 we’ll have new notification theme [1], maybe the Echo
icons and some minor improvements to the gtk theme/engine.”

[1] https://www.redhat.com/archives/fedora-art-list/2008-July/msg00217.html

=== Gathering feed-back about Fedora 10 theme proposals

After the first round of the theme creation process for Fedora 10 ended,
Nicu Buculei started gathering[1] feed-back from the community (everyone
is invited to participate, including the Fedora Weekly News readers):
“Since the first round for F10 themes just ended, I wrote to my
(infamous) blog an article[2] listing all the proposals, including
thumbnails and descriptions and asked for feedback (noting that the
preferred way is this mailing list). Also posted about it on

[1] https://www.redhat.com/archives/fedora-art-list/2008-July/msg00222.html

[2] http://nicubunu.blogspot.com/2008/07/fedora-10-themes-round-1.html

[3] http://forums.fedoraforum.org/showthread.php?p=1050722

=== A possible Bluecurve revival

Andy Fitzsimon shared[1] on the Fedora Art list a theme mockup “I didn’t
design it specifically for fedora but I hope someone here finds it
useful for future mocks” and very quickly Hylke Bons expressed his
interest[2] and idea about using it in combination with his own
project[3] “I think this will fit well in my attempt to resurrect
Bluecurve” (Bluecurve is the venerable theme introduced in Red Hat Linux
8 and used as a default until Fedora 6).

[1] https://www.redhat.com/archives/fedora-art-list/2008-July/msg00225.html

[2] https://www.redhat.com/archives/fedora-art-list/2008-July/msg00226.html

[3] http://bomahy.nl/hylke/wip/bluetwist.png

=== Security Advisories

In this section, we cover Security Advisories from fedora-package-announce.


Contributing Writer: David Nalley

=== Fedora 9 Security Advisories

* mantis-1.1.2-1.fc9
* dbmail-2.2.9-1.fc9
* libetpan-0.54-1.fc9
* php-5.2.6-2.fc9
* ruby-
* gnutls-2.0.4-3.fc9
* licq-1.3.5-2.fc9
* perl-5.10.0-27.fc9
* linuxdcpp-1.0.1-3.fc9
* sipp-3.1-2.fc9

=== Fedora 8 Security Advisories

* wireshark-1.0.2-1.fc8
* asterisk-
* mantis-1.1.2-1.fc8

fedora-announce-list mailing list

Unofficial Fedora FAQ Updated for Fedora 9

July 29, 2008

Hi there Fedora land! The Unofficial Fedora FAQ has been
updated for Fedora 9!


For this update, I reviewed and revised almost every single
question in the FAQ to be up-to-date and even simpler than before. Of
course the new FAQ contains an updated yum configuration, and also
working Java plugin instructions, but it also has a whole bunch of
other small improvements!

The Fedora 8 FAQ is still available at:


In other news, I’d really like somebody who’s willing to help
me answer incoming email for the FAQ. I really like being able to get
back to everybody who emails me, but I do a lot of different things,
and having somebody else who could handle that email would be great.
Eventually this would probably evolve into helping me edit and update
the FAQ. If you’re interested, send me a mail with the subject “FAQ

The guidelines for contributing to the FAQ are here:


As always, translations are welcome! If you would like to
translate the FAQ, send me an email with “FAQ Translation” in the
subject line and tell me what language you’d like to translate it to.

I hope that you all enjoy this update of the FedoraFAQ, and my
thanks to everybody in the Fedora community who keep on making each
release so much better than the last.🙂


Everything Solved: Friendly & Helpful Bugzilla, Linux, and Perl Services
