Fedora and Red Hat: Good and Bad
-
Fedora Magazine: 4 cool new projects to try in COPR for January 2020
COPR is a collection of personal repositories for software that isn’t carried in Fedora. Some software doesn’t conform to standards that allow easy packaging. Or it may not meet other Fedora standards, despite being free and open source. COPR can offer these projects outside the Fedora set of packages. Software in COPR isn’t supported by Fedora infrastructure or signed by the project. However, it can be a neat way to try new or experimental software.
This article presents a few new and interesting projects in COPR. If you’re new to using COPR, see the COPR User Documentation for how to get started.
-
Robbie Harwood: Fedora Has Too Many Security Bugs
I don't work on Fedora security directly, but I do maintain some crypto components. As such, I have my own opinions about how things ought to work, which I will refrain from here. My intent is to demonstrate the problem so that the project can discuss solutions.
To keep this easy to follow, my data and process are in a section at the end; curious readers should be able to double-check me.
-
Vague proposal: ship prebuilt initramfs images
Measured boot involves generating cryptographic measurements of boot components and configuration and using that to either control access to a local secret (in the case of sealing secrets to a TPM) or proving to another device (eg, a remote server or a local phone) what was booted. We're shipping most of the infrastructure to do this, but we're still left with a pretty fundamental problem - we need to know what the expected values are in order to know whether something's been tampered with or not. For many components this isn't a huge problem (we build and distribute the files - users can extract them and calculate the appropriate measurements, and maybe long term we'll be able to ship the measurements in a digestible way), but our initramfs images are generated on the user system and include system-specific data. This makes it impractical to know the expected measurements in advance.

I've been thinking about ways to solve this for a while, and I'm coming to the conclusion that the best plan is probably to just ship pre-built initramfs images. I can think of three main reasons to want to use system-specific images:

1) They're smaller. By default we're already generating a generic image for rescue purposes, so disk space isn't the concern here - we're largely looking at losing boot speed. As machines have got faster this is probably not a huge deal.

2) They contain machine-specific configuration. Some of this can be passed on the kernel command line instead (eg, the machine ID), but we'd need answers for the rest. I can think of a couple of solutions:

a) Stick the config in UEFI variables. It's small enough that we wouldn't run out.

b) Extend grub to read some config files and synthesise an initramfs image for them. If we measure the paths that those images use then we don't need to worry about the contents as long as the tools that read the config can't be subverted via that configuration.

3) User customisation, such as including extra tooling.
grub supports loading multiple initramfs images. Packages that right now install stuff in the initramfs could instead ship a prebuilt image that grub could append to the main initramfs. This would allow for things like overriding Plymouth themes, and we could ship the measurements for these pre-built images in order to allow them to be validated. Any thoughts on this?
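The measurement problem the post describes can be made concrete with a short simulation. The following Python is an added example, not code from the post, from Fedora or from GRUB: it replays a boot's measurement sequence into two PCRs of the SHA-256 bank, following the split GRUB's tpm module uses (commands it executes, including the kernel command line, into PCR 8; files it loads, such as the kernel and initrd images, into PCR 9), and asks which of those values a distribution could publish ahead of time. All image and command-line contents are constructed stand-ins, and the two image builders are hypothetical models of today's per-machine image and the proposed prebuilt one.

```python
"""Model of the measured-boot problem in the post: which PCR values can a
distribution publish ahead of time?

Added example; not code from the post, from Fedora or from GRUB. It models
two PCRs of the SHA-256 bank, following the split GRUB's tpm module uses
(commands it executes, including the kernel command line, into PCR 8;
files it loads, such as the kernel and initrd images, into PCR 9). All
image and command-line contents below are constructed stand-ins.
"""
import hashlib
import hmac
from typing import Callable, Dict, Iterable

COMMANDS_PCR = 8
FILES_PCR = 9
PCR_INIT = bytes(32)  # boot-measurement PCRs start at all-zero


def measure(data: bytes) -> bytes:
    """Digest of a component as the bootloader would log it."""
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = H(old || digest). Order-dependent and one-way."""
    return hashlib.sha256(pcr + digest).digest()


def boot_measurements(kernel: bytes, initrd_images: Iterable[bytes],
                      cmdline: bytes) -> Dict[int, bytes]:
    """Replay one boot's measurement sequence and return the final PCRs.
    grub can load several initrd images; each is extended in turn."""
    pcrs = {COMMANDS_PCR: PCR_INIT, FILES_PCR: PCR_INIT}
    pcrs[FILES_PCR] = pcr_extend(pcrs[FILES_PCR], measure(kernel))
    for image in initrd_images:
        pcrs[FILES_PCR] = pcr_extend(pcrs[FILES_PCR], measure(image))
    pcrs[COMMANDS_PCR] = pcr_extend(pcrs[COMMANDS_PCR], measure(cmdline))
    return pcrs


# Constructed stand-ins for real artefacts; the bytes are arbitrary.
KERNEL = b"constructed: vmlinuz"
GENERIC_INITRAMFS = b"constructed: distro-built generic initramfs"
PLYMOUTH_ADDON = b"constructed: package-shipped add-on image (plymouth theme)"


def per_machine_initramfs(machine_id: bytes) -> bytes:
    """Hypothetical model of today's dracut-style image with host data baked in."""
    return GENERIC_INITRAMFS + b"\n/etc/machine-id: " + machine_id


def prebuilt_initramfs(machine_id: bytes) -> bytes:
    """Hypothetical model of the proposed distro-shipped image: identical on every host."""
    return GENERIC_INITRAMFS


def cmdline_for(machine_id: bytes) -> bytes:
    """Host data moved onto the kernel command line, as the post suggests."""
    return b"root=/dev/mapper/root systemd.machine_id=" + machine_id


def files_pcr_is_host_independent(build_initrd: Callable[[bytes], bytes]) -> bool:
    """True when two hosts booting the same shipped artefacts reach the same
    PCR 9, i.e. the distribution can publish the expected value in advance."""
    host_a = boot_measurements(KERNEL, [build_initrd(b"aaaa"), PLYMOUTH_ADDON],
                               cmdline_for(b"aaaa"))
    host_b = boot_measurements(KERNEL, [build_initrd(b"bbbb"), PLYMOUTH_ADDON],
                               cmdline_for(b"bbbb"))
    return hmac.compare_digest(host_a[FILES_PCR], host_b[FILES_PCR])


def pcr_matches(measured: bytes, expected: bytes) -> bool:
    """Constant-time check a sealing or attestation policy would perform."""
    return hmac.compare_digest(measured, expected)


if __name__ == "__main__":
    for name, builder in (("per-machine", per_machine_initramfs),
                          ("prebuilt", prebuilt_initramfs)):
        print(f"{name:12s} PCR{FILES_PCR} publishable by distro:",
              files_pcr_is_host_independent(builder))
    # PCR 8 still differs per host because the machine ID is on the command
    # line, but each host knows its own command line and can compute that
    # expected value locally from plain text rather than from a generated image.
    own = boot_measurements(KERNEL, [prebuilt_initramfs(b"aaaa"), PLYMOUTH_ADDON],
                            cmdline_for(b"aaaa"))
    print(f"PCR{COMMANDS_PCR} for this host:", own[COMMANDS_PCR].hex())
```

The per-machine builder makes PCR 9 differ between hosts even though the kernel, the add-on image and the order of loading are identical, which is exactly why no published expected value can exist for it; the prebuilt builder leaves PCR 9 identical across hosts, and appending a second image (the Plymouth add-on) still yields a value the distribution can precompute, as long as the order in which grub extends them is fixed. Host-specific data pushed onto the command line lands in PCR 8 instead, so a sealing policy either includes PCR 8 with a value the host computes from its own command line or leaves PCR 8 out. On a real system the sequence to replay comes from the TPM event log (`/sys/kernel/security/tpm0/binary_bios_measurements`), not from guessing the order.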
-
Fedora Stakeholders Discuss Possibility Of Using Pre-Built Initramfs Images
Another alternative to slow initramfs generation could be distributing pre-built initramfs images to users. An additional benefit of that is possibly better security with measured boot capabilities, a matter currently being discussed by Fedora stakeholders.
Fedora from time to time has brought up the topic of using pre-built initramfs images and that happened again last week by former Red Hat employee turned Googler Matthew Garrett. He brought up a possible proposal to ship prebuilt initramfs images in the name of better security with measured boot.
-
RHEL 8 Still Vulnerable to “Magellan 2” SQLite Bugs, as Patches Drop
Severe bugs in the ubiquitous SQLite engine – used in thousands of software applications – continue to pose a major security threat, security researchers say, with Red Hat admitting today that its flagship Red Hat Enterprise Linux (RHEL) 8 remains vulnerable, despite patching other products this week.
Red Hat said in a security update it had now inoculated RHEL 7 and its “RHEL 8.0 Update Services for SAP Solutions”, but RHEL 8 itself remains affected by one of the vulnerabilities, first disclosed to the Chromium team by China’s Tencent Blade – which dubbed them “Magellan 2.0” – in October 2019.
-
Communication superstars: A model for understanding your organization's approach to new technologies
The Open Organization Ambassadors have learned a great deal about the ways open principles are impacting organizational practices. In particular, we've developed an Open Organization Definition that specifies the five principles that distinguish open organizations from other types of organization—namely, more transparency, more inclusivity, greater adaptability, deeper collaboration and a sense of purpose teams/community. I've also delivered a presentation on this topic several times since 2016 and learned new insights along the way. So I'd like to update this article with a few comments that reflect those findings. And then, in a follow-up article, I'd like to offer readers some guidelines on how they can determine their organization's level of comfort with communication technology and use it to increase their success relative to industry competitors.