Distributions
News and Editorials
Fedora's privilege escalation policy proposal
Back in November, when Fedora 12 was released, there was something of an uproar over a new feature that allowed unprivileged package installation. While there are differing opinions on how sensible it was to add that feature, Fedora developers would much rather argue about that before a release is made—rather than shortly after, as happened with Fedora 12. To that end, Adam Williamson has been drafting a "Fedora privilege escalation policy" that seeks to clearly identify the types of package behavior that should either be avoided for unprivileged users, or undergo more thorough review.
There are two principles to guide the policy, which essentially encapsulate the idea that unprivileged users should not be able to "break" things for other users:
An unprivileged user without administrative authentication must not be able to bypass or override other users' reasonable expectation of privacy of their data, where "reasonable" is limited by what computers can do, what Linux can express, AND explicit actions by the "other user" to configure access permissions.
The policy then gives examples of package elements that are likely to make a package subject to the policy, such as setuid programs, PolicyKit policies, or udev rules. It also lists nearly two dozen actions that should only be allowed for privileged users. Privileged users, for the purposes of the policy, are those that authenticate with the root password, use sudo if that is configured by the administrator, or are the first user account added—without an additional password check—for approved Fedora spins that grant administrative privileges to that account. The latter is in keeping with the idea of a "desktop spin" that would be targeted at single-user systems, where the user and the administrator are one and the same.
The list of privileged-only actions is fairly comprehensive. Earlier drafts, like one posted to the fedora-testers mailing list, were discussed with additions and wording changes made. One somewhat puzzling omission is the ability to upgrade an installed package. Though it appears as a privileged operation in an earlier draft announced on fedora-devel, that was an oversight, which Williamson corrected. The PackageKit policy for Fedora 12 allows unprivileged upgrades, and the intent is to continue that policy.
Allowing unprivileged upgrades, while much less potentially dangerous than the original Fedora 12 policy, still has its share of pitfalls. Allowing regular users the ability to upgrade assumes that security vulnerabilities are not introduced in package upgrades. It may also run counter to an administrator's policies as Davide Cescato points out in a comment on the original Fedora 12 bug:
Overall, though, the policy is well thought-out and covers the kinds of problems that new or updated packages might cause. There has been some resistance to the enforcement and approval elements of the policy, but that seems to be based on a misunderstanding. The intent of the policy is that new mechanisms which affect privileges need review, not new users of existing mechanisms (such as PolicyKit, kdesu, etc.). As Miloslav Trmač put it:
The purpose of these announcements is to allow the QA team and people working on Fedora security to maintain a list of such mechanisms. If the QA team or someone working on security knows there is userhelper or DBus, they can search for packages that use it, and check the configuration of the packages, do code reviews etc. If they don't know about the mechanism, they can't check the users of the mechanism are secure.
As a set of guidelines to help packagers, testers, and reviewers, the proposed policy is quite useful. Williamson plans to present the draft to the Fedora board at its meeting on February 9, so it may become Fedora policy in the very near future. Beyond that, though, it would also be a good starting point for other distributions that are considering policies to help tighten up the security of their packages.
New Releases
Debian GNU/Linux 5.0 updated
The Debian project has announced the fourth update of its stable distribution Debian GNU/Linux 5.0 (codename "lenny"). "This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included."
Its here! openSUSE 11.3 Milestone 1
The first openSUSE 11.3 Milestone release is available for testing. "This is the first step toward the next openSUSE release. The most important goal of this first milestone is to test the build interactions between newly added features in openSUSE Factory, also known as "get the snapshot to build". It is in no way feature complete or ready for daily usage. There is no code freeze for any component yet, so many major changes are still to come."
New Owl ISOs, OpenVZ container templates; Debian integrates new passwdqc
Click below for some announcements from the Openwall Project. Fresh ISO images and pre-created OpenVZ container templates of Owl-current for x86 and x86-64 are available. Also Martin F. Krafft adopted the passwdqc Debian package and brought it up to date.Tiny Core Linux for XO-1 and XO-1.5
A build of Tiny Core Linux for XO-1 and XO-1.5 (based on OLPC build 802 and os108) has been announced. This build is based on the Tiny Core 2.8 microcore variant and uses the OLPC kernel for hardware support.Ubuntu 8.04.4 LTS released
The Ubuntu team has announced the release of Ubuntu 8.04.4 LTS, the fourth maintenance update to Ubuntu's 8.04 LTS release. "This release includes updated server, desktop, and alternate installation CDs for the i386 and amd64 architectures. Ubuntu 8.04 LTS continues to be maintained through 2011 for desktops and 2013 for servers through online updates, but this is the final maintenance release of 8.04 LTS."
Distribution News
Debian GNU/Linux
Debian policy update (3.8.4.0)
Debian policy 3.8.4.0 has been uploaded. Click below for a list of changes.
Mandriva Linux
Noteworthy Mandriva Cooker changes 18 January - 31 January 2010
Frederik Himpe covers some recent changes in Mandriva development. "Linux kernel 2.6.33 rc6 is now the default kernel in Mandriva Cooker. In this kernel, the anticipatory I/O scheduler has been removed, and there were again various performance improvements to the CFQ I/O scheduler, which is the default already for a long time. There were also different performance improvements to KVM virtualization (such as improved kernel context switching speed and IRQ scaling). There are power saving improvements in the Intel i915 driver (render standby and LVDS downclock, the latter being disabled by default for now), a new driver supporting VMware's paravirtualized SCSI device, better support for ALPS DualPoint touchpad/trackpoint on some Dell laptops, and many other improvements to hardware support."
Mandriva Brazil launches its brand new website
Mandriva has announced the launch of a new website for its Brazilian subsidiary: www.mandriva.com/br. "With www.mandriva.com/br, Brazilian will be able to download Mandriva Linux free solutions, and buy Mandriva Linux's products and goodies on the Mandriva Online Store. You will find: videos and detailed features, informations on training courses, contributions to Mandriva. Each visitors can create its very own Mandriva account, access to Mandriva forums and community resources, as well as our web-support contact details."
Ubuntu family
Jono Bacon: Connecting The Opportunistic Dots
Ubuntu community manager Jono Bacon writes about a software stack that is geared towards "opportunistic developers" on his blog. The stack is based on Python and GNOME, using GTK, GStreamer, Glade, and DesktopCouch. Ubuntu developers have been adding tools like Quickly and Ground Control to integrate it more closely with features like Launchpad, Bazaar, and Personal Package Archives. "We have been seeing a growing movement inside the Ubuntu community in helping to make Ubuntu a rocking platform for opportunistic developers. While all the components are Open Source and can be shipped on any distribution, I am really keen for Ubuntu to really optimize and integrate around the needs of opportunistic programmers and I just wanted to highlight some of the work that has happened here."
International Women's Day stories about Ubuntu and the computing longevity meme
The latest initiative by the Ubuntu Women Project is a contest to collect "How I discovered Ubuntu" stories written by women. The winner will be announced on March 8th, International Women's Day. "One of the goals of this initiative is to try and answer the "How can I get $woman to use Ubuntu?" question that we often get by demonstrating that there is no single answer for it. Women get involved and interested in Ubuntu for all kinds of reasons, and without knowing anything about her there is really no way to know what specific spark will get her interested in involvement. (For what it's worth, a much better question is "$woman is interested in $subject and is tied to Windows for $reason but doesn't like it for $another_reason, she currently uses her computer for $thing0 and $thing1, do you have any suggestions as to how I can try and convert her to Ubuntu?")"
Distribution Newsletters
DistroWatch Weekly, Issue 338
The DistroWatch Weekly for February 1, 2010 is out. "User-friendliness of computer operating systems is something that gets often discussed in open-source software circles. But adding features that are designed to attract more new users isn't always viewed positively in some hard-core geek communities. This week's feature story examines a case of a developer who was met with a hostile reception when he tried to present his easy-to-use live CD to an unforgiving group of OpenBSD hackers. In the news section, Sun Microsystems closes its corporate web site, but what does that mean for some of its popular products? Also in this week's issue, we investigate the idea of converting the ext3 file system to the newer ext4, take a look at Ubuntu's controversial deal with Yahoo, and link to an article that reveals a little-known, but useful Mandriva feature. All this and more in this week's issue of DistroWatch Weekly - happy reading!"
Fedora Weekly News #211
The Fedora Weekly News for January 31, 2010 is out. "Our issue kicks off with a couple development announcements related to the Fedora 13 Feature Freeze last week for Feature and Spin submissions. In news from the Fedora Planet, several posts about opensource.com, coverage of a "State of the Union" from Red Hat's Jim Whitehurst, progress on Máirín Duffy's Inkspace course to a Boston area middle school, coverage of a discussion around Fedora's goals from several Fedora Project leaders, and enthusiasm for Gource, "an amazing program for visualizing commit history in a git-based code project." In Ambassador news, an event report for the Cerea Fair contributed by several people from Italy that drew 20,000, including blog postings and photos. In news from the Design team, details on preparation for Fedora 13 Alpha, with upcoming decisions this week on Fedora 13 wallpaper, and coverage of some ideas for Fedora 13 overall designs. The Security Advisories beat brings us current with last week's Fedora 11 and 12 security patches. We hope you enjoy FWN 211!"
openSUSE Weekly News/108
This issue of the openSUSE Weekly News covers * openSUSE News: Wanted: Linux Community Manager, * Sirko Kemter: Art-Team meeting, * Worldlabel.com/Dmitri Popov: OpenOffice.org Extensions for Business Users, * Ben Kevan: Installing KDE 4.4 RC2 on openSUSE and Kubuntu Linux, and * LinuxFoundation: Sign Up for the Free Linux Training Webinar Series.Ubuntu Weekly Newsletter #178
The Ubuntu Weekly Newsletter for January 30, 2010 is out. "In this issue we cover: Contribute with Ubuntu One Bug Day, Lucid changes to Firefox default search provider, Announcement: Ubuntu Server update for Lucid Alpha3, Interview With Ubuntu Manual Project Leader Ben Humphrey, Ubuntu Honduras, Back up old sources from PPA's, Improved Bug Patch Notifications, Getting your code into Launchpad, Ubuntu Developer Week Recap, Canonical Voices, Ubuntu Community Learning Project Update, NZ school ditches Microsoft and goes totally open source, Full Circle Magazine #33, and much, much more!"
Newsletters and articles of interest
Martin F. Krafft: DistroSummit 2010
Martin Krafft covers the Distrosummit at linux.conf.au. "The theme of the day was cross-distro collaboration, and we started the day a little bit on the Debian-side with Lucas Nussbaum telling us about quality assurance in Debian, alongside an overview of available resources. We hoped to give people from other distros pointers, and solicit feedback that would enable us to tie quality assurance closer together."
Fedora vs. Ubuntu: Is Either Better? (Datamation)
Bruce Byfield looks at Fedora and Ubuntu. "In the last five years, both Fedora and Ubuntu have attracted large and rapidly growing communities, often governed by codes of conduct and having their own in-person meetings -- FUDCon for Fedora and the Ubuntu Developer Summit for Ubuntu. Members of both are also active in other free and open source software meetings, especially GNOME's GUADEC. In short, Fedora and Ubuntu have evolved surprisingly similar structures. The main difference lies in their goals: Ubuntu aims to provide "an open-source alternative to Windows and Office," and is currently focusing on usability improvements, while Fedora's goal is to create "a Linux-based operating system that showcases the latest in free and open source software.""
Page editor: Rebecca Sobol
Next page:
Development>>