Welcome to Fedora Weekly News Issue 84 for the week of April 15th through April 21st, 2007.
= Fedora Weekly News Issue 84 =
Welcome to Fedora Weekly News Issue 84 for the week of April 15th
through April 21st, 2007. The latest issue can always be found here
and RSS Feed can be found here.
1. Fedora Weekly News Issue 84
1. F7T4 and SATA/IDE Testing (This Means You!)
2. Multi-Lingual Release Announcement
3. [e-mail:email@example.com] is going away
2. Planet Fedora
1. The XO in the Real World
2. PIdgin hits Rawhide
3. Design a Linux logo for an Indy Racing Car
4. Volunteers Needed on Fedora Docs Project
1. Packaging Extensions for Mozilla Applications:
2. L10N Issue With system-sonfig-samba, Support or Bugreport?
3. Fedora 7 Release Notes Freeze: Going, going ...
4. Broken Dependencies in Fedora Extras. Mikmod To Be
Reverted. Packagers: Watch For Dlopens!
5. KDE LiveCD -- English Only, And Which parted GUI?
6. Mass Package Rebuilds - Papering Over Cracks or
Shaking the Tree?
7. Extras i386 Mock Rebuild -- Large Number of Failures
Due to Yum Bug
8. How To Deal With Binary Incompatibility Introduced
By Compiler Changes
9. The Great PERL Package Split
10. Add Option To Experiment With updates-testing To Firstboot?
1. How To Handle GPL Exceptions
2. Release Notes Freeze For Fedora 7
1. FDSCo Meeting Minutes
2. Invite a Member
3. Default Home Page Links
4. Virtualization Guide
1. Entity Switchback
1. Fedoraproject.org Email
1. Echo SVGs
2. Default Test 4 Icon Theme
9. Security Week
1. Risk report: Two years of Red Hat Enterprise Linux 4
2. Macbook hacked at CanSecWest
10. Security Advisories
1. Fedora Core 6 Security Advisories
2. Fedora Core 5 Security Advisories
11. Events and Meetings
1. Release Engineering Meeting: 2007-04-16
2. Release Engineering Meeting: 2007-04-19
3. Packaging Committee Meeting: 2007-04-17
4. FESCo Meeting Summary for 2007-04-19
5. Event Report: ICT Week - PETRONAS University of
6. Event Report: FISL 8.0 (Brazil)
== Announcements ==
In this section, we cover announcements from various projects.
=== F7T4 and SATA/IDE Testing (This Means You!) ===
WillWoods announces in fedora-test-list - This is your early
warning that F7 Test4 - the last of the pre-F7 test
releases - is coming out NEXT WEEK.
IF YOU HAVE BEEN HAVING PROBLEMS WITH DISK DETECTION AND/OR OTHER
DISK-RELATED THINGS, please read this!
One of the biggest changes in F7 is the new IDE driver stack, which uses
libata (like the SATA drivers do). Not only are IDE hard drives now
called /dev/sdX, but they're using new and interesting code. This could
be (and has been) causing some problems relating to drive detection at
boot time and install time, especially with upgrades from FC6 and
=== Multi-Lingual Release Announcement ===
KarstenWade announces in fedora-marketing-list - The time has come
to produce the final list of talking points we want
covered in the F7 release.
By producing this list, we are enabling writers to write a
native-language, region-specific version of the Fedora 7 release
=== [e-mail:firstname.lastname@example.org] is going away ===
MikeMcGrath announces in fedora-announce-list - Please note that in
one week (April 25th)
[e-mail:email@example.com] email addresses are going away.
These reasons are purely technical. People that need exceptions should
contact someone on the infrastructure team or stop by #fedora-admin on
irc.freenode.net for consideration on a case by case basis.
== Planet Fedora ==
In this secton, we cover a highlight of Planet Fedora - an aggregation
of blogs from world wide Fedora contributors.
=== The XO in the Real World ===
JohnPalmieri points out in his blog - "The FISL congress is over
and it was great talking to the enormous amount of people who showed
interest in the XO learning laptop and the OLPC project. It was
nice to see people's interest turn into large smiles by the time I was
done explaining the project and answering their questions. Many stayed
for fifteen minute or more and some even came back multiple times to
play around with the machines and ask more questions."
"The experience made the long hours working the booth worth it. It
also affirmed to me the real reasons I decided to work on the project
when given the chance to switch from Red Hat's desktop group."
=== PIdgin hits Rawhide ===
WarrenTogami points out in his blog - "A pre-beta7 snapshot of
pidgin-2.0.0 is in FE7, and gaim is now removed from Core. This
gives us a small window for gaim-* plugin package maintainers to
rename the plugin packages, and for everyone to test that an upgrade
from gaim to pidgin goes smoothly for the core application and all
"nautilus-sendto seemed to be the only package within Core with a dep
on gaim. I have rebuilt nautilus-sendto without that gaim dep for
now. We will be able to re-add it later only after the distributions
are merged, since pidgin is now in Extras. We have put pidgin
directly into Extras in order to avoid issues where it must build
against other packages in Extras like meanwhile-devel."
=== Design a Linux logo for an Indy Racing Car ===
MairinDuffy points out in her blog - "Thought you open source
artists out there might be interested: Tux 500 Logo Contest"
=== Volunteers Needed on Fedora Docs Project ===
JohnBabich points out in his blog - "I am reading with concern
regarding the great work that three individuals are doing on the
Fedora 7 Release Notes: Paul, Rahul and Karsten. They do a terrific
job with the result being best-in-class documentation for each
release of Fedora Linux. They are three highly-committed people who
work behind-the-scenes to do a mostly thankless job."
"Therefore, I am appealing to the Fedora community (and beyond) to
contribute time and talent to help keep Fedora one of the best
community distros available."
== Developments ==
In this section, we cover the problems/solutions,
people/personalities, and ups/downs of the endless discussions on
=== Packaging Extensions for Mozilla Applications: Security Implications ===
Firefox, Thunderbird, and other applications often have optional and
popular functional extensions available. The code for these does not
pass through the Fedora packaging process, and updating/removing them
is not recorded in the rpmdb, leading to external code (in the
applications with the most security problems ) being installed
VilleSkyttä remembered  a conversation from the past that suggested
there was some interest in packaging the extensions. He was
specifically interested in making it easier to obtain a 64-bit version
of enigmail. ChristopherAillon responded that the only way he could
see of doing it was a bit ugly , by querying RPM in %post and
requiring triggers. OwenTaylor had some opposite experience with
mugshot, which uses triggers but avoids the RPM queries; it might be
useful to anyone seeking to package Firefox extensions .
EnricoScholz wondered [4a] why Firefox was packaged in a way that
seemed inimical to an rpm-based system (using versioned directories in
/usr/lib). Christopher explained that this was because of a
non-stable ABI, and that Enrico's proposed alternatives seemed a bit
hackish [4b], but Enrico remained unconvinced based on his experience
with packaging 15 extensions for Firefox-1.5. OwenTaylor agreed with
Enrico that the packaging of Firefox seemed to have no advantage other
than for parallel installs of different versions [4c].
Owen was further of the opinion that actual binaries were profitably
was best to leave the end-user to deal with it themselves.
Countering, EnricoScholz brought up the security angle  and also
the simplicity and ease of use that we've all grown accustomed to from
Fedora's repositories. ChristopherAillon introduced a distinction
between trust and security and referenced the recent Mozilla
Developer's Summit that discussed this issue, leading AndrewOverholt
to request further details to aid in a similar problem facing Eclipse
This was an interesting discussion that could affect a large number of
projects. Extensibility through scripting is something that many
applications offer, and if there's an easy way to re-use other
people's code, then that will be taken by many end users regardless of
=== L10N Issue With system-sonfig-samba, Support or Bugreport? ===
In a pleasant and productive exchange, AlainPortal pointed out some
problems with the presence of two strings in a pot file, leading to
a non-translatable interface for system-config-samba. His attempts to
get the attention of the maintainer prompted a gentle caution  from
GilboaDavara that @fedora-devel was not a support list and that it
would be better to file a bugzilla entry.
The developer, NilsPhillipsen, wasn't disturbed and didn't think that
he was being pestered for support  and encouraged a bugzilla entry.
 ''pot'' files are a standard, human-readable way of providing for
localization of string in software.
=== Fedora 7 Release Notes Freeze: Going, going ... ===
KarstenWade announced  on Friday April 20th 2007 that there were
only 24 hours to get changes to the release notes incorporated into
the ISO. The good news is that the Web-based release notes can be
updated any time, so if you miss(ed) this deadline, then you can still
communicate essential information.
For those of us that have suffered with weird Sony VAIO cdrom install
issues in the past, ChuckAnderson raised a very useful question 
about whether the current information in the release notes was useful
(after the move to libata).
AlanCox was worried that anyone that had one of these VAIOs (with
external CDROM) would not be able to install F7 and asked that if
anyone does have one, to do an "lspci -vxxxx" with the cardbus
controller inserted and to send it to him .
=== Broken Dependencies in Fedora Extras. Mikmod To Be Reverted.
Packagers: Watch For Dlopens! ===
The April 19th 2007 automatically generated report of broken
dependencies in Fedora Extras  revealed that an update of mikmod
was playing havoc with a lot of packages. HansdeGoede was one of the
maintainers of many of these and along with others argued that it was
far too late in the release cycle to introduce a change like this.
JindrichNovy agreed, and while admitting to being the guilty party,
explained that mikmod was pretty stagnant and that the beta fork had
some worthwhile improvements . He suggested making this change
after the release of F7.
DominikMierzejewski ('Rathann') was bitten  by the perl packaging
problems mentioned in this same FWN issue.
After HansdeGoede suggested that the list might be incomplete,
MichaelSchwendt asserted that the tool that generates these reports
(repoclosure) was pretty smart. Hans didn't deny this but wondered if
it would miss some specific cases , such as a library being
explicitly loaded within code by dlopen, and thus avoiding rpm's
autodependency generation. Michael assented to this and said that it
was the responsibility of the packager to look out for this sort of
=== KDE LiveCD -- English Only, And Which parted GUI? ===
The KDE LiveCD team has been making great strides to showcase what
this highly polished desktop environment can bring to the Fedora user
SebastianVahl was concerned that this LiveCD is only available in
English and he proposed two directions in which localized versions
might be made available . These boil down to either making a huge
DVD, or else to making a good tutorial so that users of other
languages can localize the CD for themselves. Comments are solicited.
A decision also needs to be made about whether to go with gparted or
qtparted. According to CallumLerwick, GilboaDavra, and
FrankSchmitt, ntfs-formatted partitions can be resized with gparted
but not with qtparted (which is seemingly unmaintained since 2004),
and that gparted is going into the LiveCD on that basis.
=== Mass Package Rebuilds - Papering Over Cracks or Shaking the Tree? ===
JohnPoelstra posted details of the Release Engineering Meeting.
ThorstenLeemhuis was against one of the decisions made in the meeting:
the rebuilding en masse of all packages at Test2 release time. His
worries about the bandwidth impact versus the potential gains were
discussed with DaveJones , who wondered if those that could be
affected were likely to be running rawhide. Thorsten argued that
while they might not, they could still be affected if they simply
tried to upgrade from a stable release of Fedora N to Fedora N+1. A
brief exchange with AxelThimm unearthed the difficulty of obtaining
concrete historical data as to what extent Fedora was rebuilt in the
past, but the figures looked high.
In a separate branch of the same discussion, Axel came out very
strongly in favor of the rebuilds , asserting that in essence
avoiding rebuilds is just papering over the cracks and shifting bugs
from development to maintenance, and that it is better to identify
security and other problems and fix them prior to release.
Following input from JakubJelinek , JesseKeating noted that
rebuilds should not be carried out merely to shake the tree and see
what falls out, but when there are specific problems expected due to
large changes in some critical components.
=== Extras i386 Mock Rebuild -- Large Number of Failures Due to Yum Bug ===
MattDomsch posted the latest report on Dell's rebuilding of Extras
packages in mock. As usual, this report contains details of how
many packages built/failed to build succesfully. MamoruTasaka noticed
that one of the reported failures actually built succesfully for
HansdeGoede and MarcinZaj±czkowski were also surprised to see their
names appear  and didn't think there was a reason for their
packages to break. JesseKeating noticed that the version of yum being
used by Matt was lacking a crucial bug fix and that many of the
failures were a result of that rather than a problem with the packages
themselves. The errors were false-negatives rather than
false-positives and Matt wasn't too concerned about having to rebuild
the tiny fraction compared to the thousands that had been succesfully
=== How To Deal With Binary Incompatibility Introduced By Compiler Changes ===
As always, Fedora aggressively pursues the latest stable versions of
software, including essential components of the compiler toolchain.
PatriceDumas was worried about the potential for binary
incompatibility resulting from the introduction of gfortran as a
replacement for the aging g77. AndrewHaley sought
clarification of the problem that Patrice was trying to solve,
suggesting that using an "soname" was the usual way to track changes
in the Application Binary Interface (ABI) [2a]. Patrice argued that
this would lead to using a different soname version in Fedora than was
being used upstream .
It seemed that there was some confusion and JakubJelinek helpfully
suggested that what was at issue was not the binary compatibility
of essential compiler libraries, but rather the potential for creating
a namespace clash between sonames of other libraries that have been
built with different ABI versions of the compiler. This would make
user-compiled binaries made with older versions of the library fail to
link properly to the library, but it would not be possible to detect
the error because the soname would be the same. Jakub clarified that
what should be done is to talk to upstream for each library about a
LinusWallej, EmmanualSeymann, and AndrewHaley further clarified that
rebuilding all these user-compiled programs dependent on a library
with a non-stable ABI was The Fedora Way. Linus also suggested
that getting the programs into Fedora if they were generally useful
would be a good idea and observed that many vendors target RHEL
instead because they like the stability of the ABI whereas Fedora will
do (within reason) whatever is innovative. Patrice seemed happy with
the outcome, but also believed that more documentation about ABI
practices was required.
=== The Great PERL Package Split ===
In line with the principle of modularizing packages as much as
possible, RobinNorwood announced the splitting of development
packages out of the main perl package. The current situation is that
each current perl package has a "BuildRequires:perl-devel" dependency.
This results in users being concerned and confused that they have a
"devel" package on their system when they did not request it.
Robin outlined the two main ways of fixing this as discussed on
@fedora-perl-devel: 1) fix each package by removing the requires; 2)
fix each package and also split out 5, or so, other development
related packages and add them to the buildroots. Robin sought
feedback from maintainers on their preferred option.
Some early feedback from key project members indicated that such major
restructuring would be preferred after the release of F7. Robin,
while apologizing for the late timing, pointed out the benefits and
relatively low cost as he saw it. MattDomsch wondered how
widespread the breakage would be and JasonLTibbitts and ChrisAdams
made some estimates, noting that it wasn't only every perl-
package, but at least 100 others. MattMiller and others argued
that such breakage would quickly alert the package owner who could
then fix it easily. VilleSkyttä and RalfCorsepius raised problems
with this fix.
RalfCorsepius and ChrisAdams wondered  about the problem of a
package that was generated using autoconf, which would just leave any
optional perl dependencies out and build the package without failure,
but with reduced functionality. This was agreed to be a corner-case
that could be neglected.
JesseKeating and ChrisWeyl  were concerned with the problem of what
might be, in effect, a Fedora-centric redefinition of what could be
considered to be "core" PERL modules. Jesse's over-riding concern was
that anyone wanting to rebuild from shipped SRPMs should be able to do
=== Add Option To Experiment With updates-testing To Firstboot? ===
Following up on a suggestion of DaveJones', ChrisBrown suggested that
firstboot be modified to ask users whether they wanted access to the
updates-testing packages. WillWoods thought that it would be
better to draw attention to, and inform users about, repoman. One of
the concerns that Chris sought to address is that updates-testing gets
little actual testing. LukeMacken and JackTanner discussed the
problem of removing packages from update-testing that had failed
community QA; in passing, Luke noted that in future all non-security
updates would have to pass through testing, which might help to
revitalize it. Luke also drew attention to bodhi, which should make
pushing updates easier in the future.
== Maintainers ==
In this section, we cover Fedora Maintainers, the group of people who
maintain the software packages in Fedora
=== How To Handle GPL Exceptions ===
Starting off the week on the fedora-maintainers-list was a question
from a concerned Fedora package reviewer who was unsure how to handle
an exception clause in the GPL license. Rahul Sundaram chimed in
saying that if the GPL exception restricts the license it may cause
problems, but if it's more lax then it should be fine.
=== Release Notes Freeze For Fedora 7 ===
This week also marked the freeze for the ISO-based release notes.
Changes to the release notes now only affect the web-based release
notes as the process of converting the release notes from the Wiki to
XML has started.
== Documentation ==
In this section, we cover the Fedora Documentation Project.
=== FDSCo Meeting Minutes ===
Both the log and the summary for the 2007-04-15 meeting are
The main topics included updates to the Desktop User Guide for Fedora
7, Fedora 7 Test 4 release notes, some more Google Summer of Code
thoughts and also some discussions about the Administration Guide.
=== Invite a Member ===
The new Fedora accounts system will have the ability for existing
members to invite friends, or others they think would be interested in
helping out with Fedora, to join the project. MikeMcGrath requested
ideas on the best phrasing for these e-mail invites. PaulWFrields
replied with his suggestion of an appropriate message.
=== Default Home Page Links ===
There was a proposal that it might be a good idea to include links to
some sites related to Free Culture, in a broader sense than software
alone, on the default Fedora 7 home page. The original proposal
suggested that sites such as Jamendo or Magnatune would be a
worthwhile addition. Concerns were raised that this might transform
the home page in to an advertising medium, resulting in some users
losing faith in the standards of the home page. Perhaps this is an
opportunity to define exactly what criteria are required for inclusion
in the homepage.
=== Virtualization Guide ===
The Virtualization Guide needed updating for Fedora 7 to include
information on KVM, which was promptly addressed.
== Translation ==
This section, we cover the news surrounding the Fedora Translation
=== Entity Switchback ===
PaulFrields posted this message which detailed the changes to
xml2po (now xml2po -e). He also mentioned that the number of fuzzy
entries appears to be fewer than initially thought.
== Infrastructure ==
In this section, we cover Fedora Infrastructure Project.
=== Fedoraproject.org Email ===
MikeMcGrath made the email changes discussed last week so that the
[e-mail:firstname.lastname@example.org] are no longer valid. The change
was made because of duplicity and processing problems.
== Artwork ==
In this section, we cover Fedora Artwork Project.
=== Echo SVGs ===
MatthiasClasen reports that, while investigating the possibility of
including SVGs in the Echo package to improve coverage of smaller
icons, the size of the echo-icon-theme package increases to 70MB.
This lead to the discovery that some of the larger icons suffer from a
number of bloat problems revolving around jpeg thumbnails and excess
XML tags. A script was written that removes a lot of this bloat
reducing the size of some icons considerably: 416K to 18K in one
case. There are still some problems with this script, resulting in
some icons not rendering correctly, but it is being worked on
=== Default Test 4 Icon Theme ===
As a result of the inclusion of Echo SVGs not being the quick-fix for
smaller size coverage that was hoped, MatthiasClasen proposed that
Bluecurve/Clearlooks may have to fall back to the default Fedora 7
icon theme. This led to some discussion about possible alternative
icon themes for Fedora 7 and Mist appeared as a popular choice;
Mist has now been made the default icon theme for Fedora 7 Test 4.
== Security Week ==
In this section, we highlight the security stories from the week in Fedora.
=== Risk report: Two years of Red Hat Enterprise Linux 4 ===
MarkCox wrote an interesting article looking at the last two years of
security flaws in Red Hat Enterprise Linux 4. The information in
this article is interesting to anyone who tracks open source security
flaws. There is not a lot of public analysis of open source security
flaws. The article does focus on Red Hat Enterprise Linux 4, but the
trends represented apply to any Linux distribution.
=== Macbook hacked at CanSecWest ===
Apple's OS X is currently gaining attention in the security world.
Historically people have considered OS X to be very secure and mostly
virus and hack free. This is starting to change as researchers have
been paying attention to the Mac lately. Part of this is probably the
challenge it presents. Those of us in the Linux world have been
enjoying a similar situation. There is little fear of viruses, and as
long as one applies security updates, there isn't much fear of being
There are many people who will argue that the real reason for this is
that Linux is more secure by design. I believe it's a combination of
things. Historically Linux users have been a bit more savvy, this is
starting to change. In the past, the desktop was also very simple.
This too is changing. As Gnome and KDE gain functionality, they also
gain more security flaws. For example, the fact that the desktop will
display a thumbnail of many different file types gives an attacker a
doorway into a system. They of course need to convince a user into
downloading a file, but as we've seen from many viruses, this is not
as hard as it sounds. I hope that various technologies such as
SELinux and Exec-Shield will help keep most of the trash away, the
human factor cannot be fixed as easily. As long as people are willing
to open attachments, and visit random web sites, viruses will exist.
As a friend of mine used to say "We're OK until the toaster people
start using it." The "toaster people" are the normal people confused
by the knob on their toasters :)
== Security Advisories ==
In this section, we cover Security Advisories from fedora-package-announce.
=== Fedora Core 6 Security Advisories ===
* FEDORA-2007-453: tcp_wrappers-7.6-40.3.fc6 -
* FEDORA-2007-436: coreutils-5.97-12.5.fc6 -
* FEDORA-2007-434: hplip-1.7.2-3.fc6 -
* FEDORA-2007-452: openoffice.org-2.0.4-5.5.22 -
* FEDORA-2007-451: scim-tables-0.5.7-2.1.fc6 -
* FEDORA-2007-442: selinux-policy-2.4.6-57.fc6 -
* FEDORA-2007-447: openoffice.org-2.0.4-5.5.21 -
* FEDORA-2007-428: yum-3.0.6-1.fc6 -
* FEDORA-2007-444: Fmc-4.6.1a-36.20070124cvs.fc6 -
* FEDORA-2007-415: php-5.1.6-3.5.fc6 -
* FEDORA-2007-440: [SECURITY] gstreamer-0.10.11-1.fc6 -
* FEDORA-2007-383: rhythmbox-0.9.8-2.fc6 -
* FEDORA-2007-410: tk2-2.10.8-3.fc6 -
=== Fedora Core 5 Security Advisories ===
* FEDORA-2007-455: [SECURITY] php-5.1.6-1.5 -
* FEDORA-2007-454: tcp_wrappers-7.6-40.3.fc5 -
* FEDORA-2007-414: [SECURITY] Image''Magick-18.104.22.168-4.2.1.fc5.8 -
* FEDORA-2007-445: mc-4.6.1a-36.20070124cvs.fc5 -
== Events and Meetings ==
In this section, we cover event reports and meeting summaries from
=== Release Engineering Meeting: 2007-04-16 ===
=== Release Engineering Meeting: 2007-04-19 ===
=== Packaging Committee Meeting: 2007-04-17 ===
=== FESCo Meeting Summary for 2007-04-19 ===
=== Event Report: ICT Week - PETRONAS University of Technology (Malaysia) ===
=== Event Report: FISL 8.0 (Brazil) ===
== Feedback ==
This document is maintained by the Fedora News Team. Please feel
free to contact us to give your feedback. If you'd like to contribute
to a future issue of the Fedora Weekly News, please see the Join
page to find out how to help.
fedora-announce-list mailing list