News and Editorials
discussion on the Fedora-maintainers list calling for an end to the ACL (access control list). A pkg.acl file may exist for every Fedora package, and it lists the maintainer and co-maintainer and possibly others that are authorized to fix, rebuild and upload that package. This file exists by default, but may be modified or removed by the package maintainer.
Here in the northern hemisphere it's summer, a time for vacations, a time when a package maintainer might not be around to maintain those packages. Sometimes you just don't want a package sitting around a week or two with a known (and fixed upstream) security issue. If a soname bump requires several packages to be rebuilt, it's better to have that happen sooner rather than later. Hence the call to remove all pkg.acl files to allow other Fedora maintainers access to all/most packages.
The ACL is in place for security reasons, though. No one ever said, "Let's make it more difficult to get packages fixed when the maintainer is unresponsive." On the other hand, do you want some fairly inexperienced, casual maintainer messing with the kernel package? Even with the best of intentions, mistakes can really mess up the system for many users. Critical packages should have stricter restrictions, but for the vast majority of packages any Fedora maintainer should be able to deal with minor maintenance.
A more important consideration may be security: if any Fedora maintainer can make changes to any package, vast amounts of damage might be done by a single compromised account. There are things that can be done to mitigate this risk, but it is a concern nonetheless.
Part of the issue is that there is an ever-increasing number of Fedora maintainers, and not all of them know that ACLs are enabled by default. As a result of this thread, wiki pages are being built that list critical packages and document the default ACL behavior and how to change it. Steps are also being taken that would allow access to a select set of groups, such as FESCo (Fedora Engineering Steering Committee) and the Fedora Security team, to fix issues as necessary.
New Releases
announced that the first service pack (SP1) for SUSE Linux Enterprise 10 is now available to customers worldwide. Novell also announced the commercial availability of the SUSE Linux Enterprise Virtual Machine Driver Pack, a bundle of paravirtualized network, bus and block device drivers that enable unmodified Windows and Linux guest operating systems to run with near native performance in virtual environments created with the Xen hypervisor technology.
Slackware-current changelog entry for June 14 announces that the first release candidate for Slackware 12.0 is available. "It's that time again, and here we have Slackware 12.0 release candidate 1! :-) If we're lucky, we got it all right the first time. Big thanks to the crew."
Distribution News
notes that Red Hat Enterprise Linux has been certified at the EAL4+ security level - at least when properly configured on certain IBM server systems. "A lot of people thought it would be outright impossible to get an open source OS certified at this level. Not only were they wrong, but we've done it in a way which makes it part of the mainline kernel, upstream userland, and integrated into standard distributions. It is not some out-dated, incompatible and outrageously expensive fork of the OS, as has historically been the case with trusted OSes. 'Military-strength' security is just now just another feature you get as standard in Linux, and it receives the same testing and community benefits as the rest of the OS."
a message stating that Ubuntu is not discussing patent deals with Microsoft. "Allegations of 'infringement of unspecified patents' carry no weight whatsoever. We don't think they have any legal merit, and they are no incentive for us to work with Microsoft on any of the wonderful things we could do together. A promise by Microsoft not to sue for infringement of unspecified patents has no value at all and is not worth paying for. It does not protect users from the real risk of a patent suit from a pure-IP-holder (Microsoft itself is regularly found to violate such patents and regularly settles such suits). People who pay protection money for that promise are likely living in a false sense of security."
The first and most visible are the version graphs which are present to the right of all bugs with versioning information. Hopefully these will help resolve some of the queries about why the BTS feels that a particular bug applies to a particular suite."
The goal of this list is to make it easy for Fedora contributors to follow changes in that may be pertinent to developers within the Fedora Project. This is intended to be a LOW TRAFFIC announce-only list of development topics, so we hope subscribers won't feel the need to filter it away from their Inbox."
announced new enhancements to SUSE Linux Enterprise Real Time and unveiled new partnerships that expand the ecosystem around Novell's low latency Linux solution.
It shows that we ship on the media some software which is hardly used (e.g. PlanMaker, SEPsesam etc.). Software which is hardly used we don't need to ship on our media. Therefore my suggestion is to drop some software totally and offer some software only via ftp. To be discussed on opensuse-project."
Ubuntu 7.10 will ship with the latest edition of the GNOME desktop, 2.20, released a few weeks before our own release. Kubuntu 7.10 will ship with KDE 3.5.7, and should also include packages of KDE 4.0 rc 2 available for optional side-by-side installation. We are aiming for Ubuntu to be one of the first distributions to ship the newly merged Compiz and Beryl projects (compcomm/OpenCompositing); and enable it as the default window manager on systems with a supported combination of hardware and drivers."
Distribution Newsletters
DistroWatch Weekly for June 18, 2007 is out. "The first release candidate of Slackware Linux 12.0, Linus Torvalds' entertaining exchange with Sun Microsystem's Jonathan Schwartz, and Linspire's promise of a "better Linux" through a partnership with Microsoft were the most interesting headlines of the past week. We comment on these and other events of the week. In other distro-related news, the Debian project announces a tentative release schedule for Debian "Lenny", Max Spevack talks about the upcoming Fedora 8, and, in an exclusive DistroWatch interview, Adam Williamson introduces a number of projects that will shape the future of Mandriva Linux. Finally, don't miss the list of changes and updates to the DistroWatch package list as used for tracking version numbers of important software applications."
Distribution reviews
reviews GoblinX. "GoblinX is a live Linux distribution based on Slackware 11, written by a Brazilian developer who goes by the pseudonym Grobsch. (You can contact Grobsch on the GoblinX forum.) GoblinX differs from other live distributions in two main ways. First, it manages to pack five different window managers/GUIs into a 305 MB ISO image, and uses custom artwork for each of them that's quite unlike anything you've seen before."
Page editor: Rebecca Sobol
Copyright © 2007, Eklektix, Inc.