Fedora and Red Hat Leftovers

  • A possible step toward integrity measurement for Fedora

    The Fedora 34 release is planned for April 20 — a plan that may well come to fruition, given that the Fedora project appears to have abandoned its tradition of delayed releases. As part of that schedule, any proposals for system-wide changes were supposed to be posted by December 29. That has not stopped the arrival of a late proposal to add file signatures to Fedora's RPM packages, though. This proposal, meant to support the use of the integrity measurement architecture (IMA) in Fedora, has not been met with universal acclaim.

    The purpose of IMA is to measure whether the integrity of the system is intact, where "integrity" means that the important files in the system have not been corrupted. At its core, this measurement is carried out by reading a file's contents, computing a hash, and comparing that hash to the expected value; if the values match, the file has not been altered. This measurement can be used to prevent the execution (or reading) of corrupted files; it can also be used as part of a remote attestation scheme to convince a remote party that the local system has not been subjected to unauthorized modifications.

    To perform this measurement, IMA clearly must know what the expected hash for each file is; those hashes are signed with a key trusted by the kernel and stored as extended attributes. Generally, the private key used to sign these hashes is kept in some secure location, while the public key is either stored in a device like a trusted platform module (TPM) or built into the kernel binary. If all works as intended, IMA can thus be used to ensure that systems only run executables that have been blessed by some central authority, that those executables only read configuration files that have been similarly blessed, and so on. It is a mechanism for ensuring that the owner of a system keeps control of it; whether this is a good thing or not depends entirely on who the "owner" is defined to be.

    The actual proposal does not go so far as to implement IMA on Fedora systems; it is limited to including signatures with every file that is shipped in Fedora packages. These signatures "will be made with a key that’s kept by the Fedora Infrastructure team, and installed on the sign vaults". Fedora users would then be able to use IMA to keep their systems from using files that have been modified since they were packaged. An actual IMA setup for Fedora can be expected to come at some future time.

  • Fedora Loves Python 2020 report – Fedora Community Blog

    Inspired by a similar report from the Copr team, I’ve decided to look back at 2020 from the perspective of Python in Fedora (and a little bit in RHEL/CentOS+EPEL as well). Here are the things we have done in Fedora (and EL) in 2020. By we I usually mean the Python Maint team at Red Hat and/or Fedora’s Python SIG.

  • Introducing the Red Hat build of Eclipse Vert.x 4.0 - Red Hat Developer

    If you are interested in reactive, non-blocking, and asynchronous Java development, you are likely familiar with Eclipse Vert.x. The project started in 2011 and successfully moved to the Eclipse Foundation in 2013. Since then, Vert.x has undergone nine years of rigorous development and grown into a thriving community. It is one of the most widely used reactive frameworks, with support for multiple extensions, including extensions for messaging or streaming with Kafka or Artemis, developing applications with gRPC and GraphQL, and so much more.

    The Red Hat build of Eclipse Vert.x 4.0 is now generally available. This release improves Vert.x’s core APIs and handling. Developers who migrate can expect enhancements to futures and promises, distributed tracing, and deployment on Red Hat OpenShift. In this article, I introduce these updates and offer tips for migrating and deploying your Eclipse Vert.x 4.0 applications on OpenShift.

  • Implementing the ACSC "Essential Eight" baseline for security automation in Red Hat Enterprise Linux

    Achieving compliance with a security policy and maintaining compliance can be tedious. At Red Hat, we believe that such things should be automated and not become an unnecessary burden. To this end, we offer a whole ecosystem of services that automate security compliance.

    We ship several widely used security policies with our products. Today, we will go over the "Essential Eight" baseline in a bit more detail.

    The "Essential Eight" is a set of mitigation strategies created by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD) that leads the Australian Government’s efforts to improve cybersecurity.

  • Painless services: implementing serverless with rootless Podman and systemd

    Serverless is an event-driven computing paradigm where applications are allocated dynamically to serve a request or consume events. When the application is not in use, there are no computing resources allocated.

    The serverless ecosystem offers a large number of runtimes, which start/stop/monitor software (e.g., Knative, Kubeless and many others). They come with different features, and they can trigger applications based on different kinds of events (e.g., HTTP requests, messages, etc.).

    Even if systemd cannot be considered a real serverless runtime, the socket activation feature provides a foundation for a serverless architecture.

  • Convert your Windows install into a VM on Linux | Opensource.com

    I use VirtualBox frequently to create virtual machines for testing new versions of Fedora, new application programs, and lots of administrative tools like Ansible. I have even used VirtualBox to test the creation of a Windows guest host.

    Never have I ever used Windows as my primary operating system on any of my personal computers or even in a VM to perform some obscure task that cannot be done with Linux. I do, however, volunteer for an organization that uses one financial program that requires Windows. This program runs on the office manager's computer on Windows 10 Pro, which came preinstalled.

    This financial application is not special, and a better Linux program could easily replace it, but I've found that many accountants and treasurers are extremely reluctant to make changes, so I've not yet been able to convince those in our organization to migrate.

  • Red Hat's StackRox Acquisition Bolsters Its Hybrid Multi-Cloud Strategy

    The startup has container security capabilities that are missing in Red Hat's OpenShift Kubernetes platform.

    [...]

    "We are working on looking at a few things, and that will have to be run through them because they're the bank now," he said. "They're a partner, but they're also our shareholders."

    It's doubtful that Red Hat would have to go to the IBM bank to finance this purchase. Although no details of the deal were made public, most media reports are putting the price tag at just north of $100 million, far less than the $250 million it paid for CoreOS in 2018.

    As to be expected from Red Hat, which has traditionally insisted that all of its software be open source, Red Hat plans to open source StackRox’s proprietary software after the acquisition closes sometime in the first quarter of 2021. Red Hat said it will continue to support the existing KubeLinter open source community, as well as the new communities that form around StackRox’s other offerings as soon as they are open sourced.

More in Tux Machines

IBM/Red Hat: Kafka Monthly Digest, Red Hat Upselling, and Cockpit 239

  • Kafka Monthly Digest – February 2021

    This is the 37th edition of the Kafka Monthly Digest! In this edition, I’ll cover what happened in the Apache Kafka community in February 2021.

  • 5 ways Red Hat Insights can improve your sysadmin Life

    The way we do things is changing fast. This has become a necessity as our systems get more complex, our workloads evolve, and our deployments rapidly grow in size. Thanks to the innovations brought about by openness and collaboration, we can develop tools and services to cope with these quickly evolving times. For us to reap the benefits of these advancements, we should open ourselves to carefully exploring how various tools suit our requirements and fit into or change our norms. By doing so, we may simplify a lot of our mundane tasks, reduce overhead, and address the major pain points in our operations. Having worked as a sysadmin in the past, I've discovered many automation tools and services that have made my life easier. One of the most recent is Red Hat Insights. In this article, I share five ways this service that is included with your Red Hat Enterprise Linux (RHEL) subscription can improve your life as an admin.

  • Cockpit Project: Cockpit 239

    Cockpit is the modern Linux admin interface. We release regularly. Here are the release notes from Cockpit version 239.

LibreOffice 7.1.1 Community available for download

LibreOffice 7.1.1 Community, the first minor release of the LibreOffice 7.1 family, targeted at technology enthusiasts and power users, is available for download from https://www.libreoffice.org/download/. LibreOffice 7.1.1 includes over 90 bug fixes and improvements to document compatibility. For enterprise-class deployments, TDF strongly recommends the LibreOffice Enterprise family of applications from ecosystem partners, with long-term support options, professional assistance, custom features and Service Level Agreements: https://www.libreoffice.org/download/libreoffice-in-business/. LibreOffice Community and the LibreOffice Enterprise family of products are based on the LibreOffice Technology platform, the result of years of development efforts with the objective of providing a state of the art office suite not only for the desktop but also for mobile and the cloud. Products based on LibreOffice Technology are available for major desktop operating systems (Windows, macOS, Linux and Chrome OS), mobile platforms (Android and iOS) and the cloud. They may have a different name, according to each company brand strategy, but they share the same LibreOffice unique advantages, robustness and flexibility.

croc Is A Tool For Resumable, Encrypted File And Folder Transfers Between Computers (Command Line)

croc is a free and open source command line tool for secure file transfers between computers. It uses relay-assisted peer-to-peer transactions and end-to-end encryption via password-authenticated key exchange. The program is written in Go and is available for Microsoft Windows, macOS, Linux and *BSD. The idea behind croc is being able to transfer files and folders between cross-platform computers securely, fast and easy. With support for resumable, peer-to-peer transfers. As a bonus feature, croc is also able to securely transfer a short text or URL directly. The data transfer is done using a relay, either using raw TCP sockets or websockets. When the sender and the receiver are on the same LAN, croc uses a local relay, otherwise a public relay is used. Thanks to this, croc can send files between computers in the same LAN, or over the Internet, without having port-forwarding enabled. The data going through the relay is encrypted using a PAKE-generated session key. For this, croc uses code phrases, a combination of three random words. By default, a code phrase can only be used once between two parties, so an attacker would have a chance of less than 1 in 4 billion to guess the code phrase correctly to steal the data.

Linux distributions: All the talent and hard work that goes into building a good one

I regularly read the Linux Mint Blog, not only because it is useful to keep up with what is happening with the Linux Mint distribution but also because it occasionally gives very interesting insights into the development and maintenance of a Linux distribution in general, and the Linux Mint distribution(s) in particular. To be honest, I was disappointed some years ago when Clem (Clement Lefebvre) discontinued his Segfault blog, because it always contained good technical information and interesting insights.