15:00:03 <spot> #startmeeting Fedora Packaging Committee
15:00:03 <zodbot> Meeting started Wed Sep 21 15:00:03 2011 UTC.  The chair is spot. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:03 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:00:13 <spot> #meetingname fpc
15:00:13 <zodbot> The meeting name has been set to 'fpc'
15:00:15 <tibbs|h> Howdy.
15:00:35 <spot> #topic Roll Call
15:02:22 <tibbs|h> Hmm.
15:03:02 <geppetto> here
15:03:11 <spot> abadger1999, racor, Rathann, rdieter: ping
15:03:18 <rdieter> here
15:03:20 <abadger1999> present
15:03:46 <Rathann> here
15:04:15 <spot> okay, that's 6 of us
15:04:27 <spot> #topic Systemd Socket Activation Update
15:04:40 <spot> I spoke to Lennart about reworking that section
15:05:01 <spot> and he said he was going to write one of his "administrators guide to systemd" entries on socket activation and how to do it
15:05:12 <spot> then he would work with us to convert that into guidelines
15:05:48 <tibbs|h> So in the meantime perhaps we should just remove mention of any prohibition from the guidelines.
15:05:55 <spot> tibbs|h: seems reasonable
15:06:01 <tibbs|h> And leave the "how" up to the reader.
15:06:17 <spot> tibbs|h: perhaps also state that guidelines are coming soonish
15:06:59 <tibbs|h> Sure.
15:07:15 <spot> Lennart also said that in the F17 timeframe, he had a proposal to simplify the scriptlets using macros
15:07:31 <spot> or rather, a combination of macros and the concept of enablement policies
15:07:34 <tibbs|h> Can't really argue with that.
15:07:44 <tibbs|h> Though of course the devil is in the details.
15:07:57 <spot> basically, Fedora 17 would include a list of services that can be on by default (users can override with their own list, of course)
15:08:00 <abadger1999> are enablement policies going to be a new systemd feature?
15:08:04 <spot> abadger1999: yes
15:08:19 <spot> then the macros would be identical for all packages
15:08:32 <spot> it would just check the system list to see if it is supposed to be on
15:08:43 <abadger1999> <nod> and the macros/programs called from macros would check the list to decide what to do.
15:08:47 <tibbs|h> Ah, that gets us spin-specific services, which I guess would be nice.
15:09:06 <tibbs|h> And anything which simplifies packaging is worth looking into.
15:09:17 <spot> but we'll deal with that when it happens, he's going to help us out at that point
15:09:19 * geppetto nods
15:10:04 <spot> tibbs|h: are you willing to go ahead and commit the changes to remove the mention of prohibition and the note about new guidelines coming soon?
15:10:10 <tibbs|h> Sure.
15:10:21 <tibbs|h> Do we want a draft first?
15:10:50 <spot> tibbs|h: I don't think we need that, but if anyone else wants to see one, then...
15:10:58 <abadger1999> No need for draft here.
15:10:59 <rdieter> just_do_it++
15:11:04 <geppetto> +1
15:11:05 <tibbs|h> OK, I'll take care of it.
15:11:19 <abadger1999> I guess we should vote to make the change
15:11:29 <spot> +1
15:11:29 <abadger1999> +1
15:11:31 <rdieter> +1
15:11:32 <Rathann> +1
15:11:34 <tibbs|h> +1
15:11:51 <racor> 0
15:12:13 <spot> okay, that's +5
15:12:29 <spot> #topic PIE
15:12:30 * Rathann counts +6
15:12:56 <spot> nirik: i bet you can guess what I'm going to say.
15:13:05 <nirik> indeed.
15:13:09 <nirik> I updated the page...
15:13:16 <nirik> wanted to doublecheck with ajax on it.
15:13:25 <nirik> https://fedoraproject.org/wiki/User:Kevin/DRAFT_When_to_use_PIE_compiler_flags
15:26:05 <spot> abadger1999: nice.
15:26:25 <nirik> http://people.redhat.com/sgrubb/security/index.html
15:26:33 <nirik> and http://people.redhat.com/sgrubb/files/rpm-chksec
15:26:50 <nirik> that will check for PIE and relro
15:26:56 <nirik> (note I haven't tested it)
15:26:58 <spot> is that packaged?
15:27:21 <nirik> not that I know of off hand. ;(
15:27:23 <ajax> the gcc specs it adds are /usr/lib/rpm/redhat/redhat-hardened-{cc1,ld} for the compile and link phases, respectively
15:27:47 <geppetto> nirik: My understanding was that it gave false positives or negatives … which is it?
15:28:14 <nirik> not sure. Note that I haven't tested it. ;)
15:28:21 * geppetto nods
15:28:26 <ajax> there are some cases where the FORTIFY_SOURCE checks will give you false negatives, iirc
15:28:44 <spot> maybe i'm misreading the -cc1 file
15:28:51 <spot> but shouldn't -fPIE be in there?
15:28:57 <ajax> since it just checks for the presence of the hardened versions of the fortified symbols; but if you never call sprintf(), there's no need to use the hardened version
15:29:01 <spot> as opposed to just -fPIC ?
15:29:34 <ajax> spot: no.  at cc1 time you don't know if the object will end up in a dso or an exe.  -fPIE will build code that won't work in a dso.  -fPIC works in either.
15:29:42 <spot> ajax: okay.
15:29:56 <geppetto> ajax: yeh, that was probably it
15:29:56 <abadger1999> These macros will be available on F16+ ?
15:30:03 <ajax> abadger1999: yep.
15:30:25 * abadger1999 updates draft
15:30:39 <ajax> this is, in principle, something you could optimize away
15:31:16 <ajax> my ragingly biased opinion is that it's the sort of relocation relaxation that ld should just do for you
15:32:05 <ajax> but failing that... like i said when i first posted the macros.  if performance tuning for this is actually measured to be interesting, i'm happy to elaborate
15:32:20 <ajax> but there's been a stunning lack of data from anyone concerned about the performance impact
15:33:28 <spot> So, perhaps simply adding "This adds -fPIC to the compiler flags, and -z now to the linker flags."
15:34:26 <spot> ?
15:35:33 * nirik thinks that would be good/fine.
15:35:37 <spot> ajax: ?
15:35:58 <geppetto> Yeh, even just referring to the files you get the flags from would be fine to me
15:36:15 <ajax> spot: -fPIC if -fPIE not already given.  otherwise, close enough to not be misleading.
15:36:29 <spot> geppetto: i'm not sure that the average packager will understand those files.
15:36:47 * spot adds ajax's suggestion
15:38:13 <nirik> for the fesco list: https://fedoraproject.org/wiki/Hardened_Packages
15:38:21 <nirik> (open to another name)
15:38:30 <spot> fine by me.
15:39:57 <spot> okay, i will edit to point to that link
15:39:58 <spot> one sec
15:40:11 <racor> I am missing the usual security sensitive targets such as database daemons and httpd daemons
15:41:28 <spot> alright, i think we've got all the pieces for this draft (racor, i think missing items from the Hardened Packages list should be handled separately with FESCo)
15:42:02 <nirik> yeah, the list is small and needs additions for sure.
15:42:05 <racor> ... x-server, cups, samba, ... long term running apps, such as firefox, thunderbird, terminals, ...
15:42:29 <spot> please note that this draft would replace: https://fedoraproject.org/wiki/Packaging/Guidelines#Compiler_flags
15:43:15 <spot> As the draft stands right now, I'm +1
15:43:49 <racor> 0 ... to me, this is all too uncooked
15:44:49 <tibbs|h> Seems OK to me.  +1
15:45:02 <tibbs|h> Bonus points for getting rid of the "as of 2006" language there.
15:45:16 <rdieter> +1
15:45:42 <spot> abadger1999, geppetto, Rathann ?
15:45:47 <abadger1999> +1
15:45:49 <geppetto> +1
15:46:06 <Rathann> hmm
15:46:27 <abadger1999> I assume these interact with manual filtering/other additions to the flags fine?
15:46:43 <Rathann> I was trying to find some reliable source for that disadvantage I mentioned
15:46:46 * abadger1999 can't think of a reason they wouldn't but didn't look at the implementation.
15:47:24 <ajax> abadger1999: _hardened_build adds the appropriate %{_hardening_foo} to %__global_fooflags, yes.
15:48:11 <abadger1999> Rathann: I recall that but I don't recall if it was in reference to -z now or a different, related flag.
15:48:32 <racor> ajax: what is the impact of adding a global -fPIE on libraries?
15:48:38 <spot> Rathann: if you find it, we can always add it to the list of disadvantages
15:49:19 * spot notes we have +5 here, but I'm waiting on Rathann to vote for the record
15:49:21 <ajax> racor: doing that would prevent your libraries from linking.  but we're not doing that, so it's sort of moot.
15:50:08 <abadger1999> Rathann: https://fedorahosted.org/fesco/ticket/563#comment:17
15:50:09 <Rathann> it should also be mentioned that PIE only adds security if there's ASLR active in the OS
15:50:26 <Rathann> I'm guessing Linux has it by default?
15:50:36 <racor> ajax: What we currently are discussing is adding -fPIE to the global CFLAGS a package (which may contain libs) uses. What you say, implies these libs would be unusable.
15:50:45 <spot> Rathann: since 2.6.12
15:50:49 <ajax> racor: we _are_ doing -fPIC on libraries.  on some arches (not including fedora's primaries) that's a minor performance hit relative to -fpic.  but otherwise, libraries _have_ to be position-independent (modulo an i686 misfeature), so.
15:50:54 <ajax> racor: i explained this already.
15:51:07 <ajax> 11:36 < ajax> spot: -fPIC if -fPIE not already given.
15:51:21 <ajax> so we are _not_ adding -fPIE globally.
15:51:36 <Rathann> spot: good to know. Still, I'd feel better if it was mentioned.
15:51:49 <racor> ajax: How so?
15:51:54 <spot> Rathann: you'd really have to go out of your way to have a Fedora without ASLR
15:52:15 <abadger1999> Rathann: note that we usually don't mention things if they don't affect any Fedora or EPEL releases.
15:52:16 <ajax> racor: read redhat-hardened-cc1.  parse it like they're rpm spec macros, it's basically the same syntax.
15:52:28 <Rathann> ah well ok
15:52:33 <Rathann> +1 from me then
15:52:47 <abadger1999> If they only affect EPEL releases, we may not mention it in the main guideline but have it in the EPEL guidelines instead.
15:53:03 <spot> #action PIE draft approved (+1:6, 0:1, -1:0)
15:53:26 <Rathann> abadger1999: EPEL4 could be affected since RHEL4 has 2.6.9
15:53:38 <Rathann> but I don't know if it's patched with ASLR or not
15:53:40 <spot> Rathann: except that RH patched in execshield
15:53:43 <Rathann> ah
15:53:44 <Rathann> ok then
15:53:49 <tibbs|h> Well, simply defining some random thing isn't going to have any effect in any case.
15:53:49 <ajax> Rathann: i didn't have any intention of porting this to EPEL anyway.
15:54:02 <abadger1999> nirik: side note to PIE, may want to ping sgrubb on the fesco ticket to see about packaging his tools.
15:54:05 <spot> #topic Open Floor
15:54:10 <ajax> any of the extant ones at least.  EPEL7 might get it for free i guess.
15:54:14 <geppetto> ajax: I assume you mean before EPEL-7?
15:54:21 <ajax> geppetto: right.
15:54:24 <nirik> abadger1999: sure. I think he's said he doesn't have time, but would welcome someone else doing so.
15:54:26 * geppetto nods
15:54:27 <tibbs|h> As discussed last time, I pinged on all of the old bundling exception requests.
15:54:29 <nirik> (but I could be wrong)
15:54:30 <tibbs|h> Got a couple of responses.
15:54:49 <spot> tibbs|h: any that are ready for us to look at?
15:55:22 <tibbs|h> Not really.
15:55:30 <spot> that was my impression as well
15:55:45 <spot> nirik: didn't fesco have something for the fpc in the last meeting?
15:55:58 <tibbs|h> https://fedorahosted.org/fpc/ticket/28 asks a question that I'm not sure how to answer.
15:55:59 <nirik> hum.
15:56:07 <abadger1999> spot: I think that's what sgallagh sent to the list
15:56:19 <abadger1999> and you told him... let's not reopen that can of worms.
15:56:21 <spot> abadger1999: ah. okay then.
15:56:29 <nirik> yeah, the repo files in packages perhaps?
15:56:36 <spot> nirik: aha! that's it
15:56:38 <nirik> https://fedorahosted.org/fesco/ticket/671
15:56:50 <tibbs|h> FESCo banned that way back when I was on FESCo.
15:56:53 * abadger1999 doesn't want to reopen either... but if sgallagh really wants to work on it, he could bring us a draft and show us how he's tested it.
15:57:03 <nirik> tibbs|h: it was apparently never recorded tho. ;(
15:57:04 * ajax disappears.  let me know if there's anything else needed from me.
15:57:09 <tibbs|h> I wasn't really sure about sgallagh's question.
15:57:23 <tibbs|h> Reading the message it implies that all package upgrades lose the current service status.
15:57:29 <tibbs|h> But I do not believe that to be the case.
15:57:37 <geppetto> It seems pretty dangerous to me … because you are letting users install things which point somewhere out of Fedora control
15:57:41 <abadger1999> tibbs|h: He wants us to revisit keeping start/stop state for sysvinit scripts when migrating the package to systemd unit files.
15:58:01 <spot> the proposed text from #671:
15:58:06 <spot> "Configuration for package managers in Fedora MUST only reference the official Fedora repositories in their default enabled and disabled state (see the yum repo configuration in the fedora-release package for the canonical list). If the package wishes to include additional repository configuration, those may be included in the package's documentation. Copying the example repository configuration files (or the information within them) from the documentation
15:58:06 <spot> directory to the package manager's configuration location must be an explicit step that the system administrator chooses to make to enable these repositories."
15:58:09 <abadger1999> tibbs|h: It is correct afaik.
15:59:17 * abadger1999 is for the draft in fesco 671; also wrote it :-)
15:59:42 <spot> i'm okay with that text, i just know it will lead to someone trying to include rpmfusion repo files as %doc and forcing me to tell them no.
15:59:43 <abadger1999> and also was part of the discussion with tibbs waaaayy back when this came up before.
15:59:50 <spot> so... +1
16:00:18 <abadger1999> +1
16:00:31 <tibbs|h> Seems to sum up what we decided five years ago.
16:00:32 <tibbs|h> +1
16:00:33 <geppetto> spot: So if people can't include rpmfusion repos … why do we want to say they can include any repos?
16:01:06 <spot> geppetto: because it would be several sentences of legalese on what is acceptable and what isn't.
16:01:09 <tibbs|h> I guess legal issues can trump pretty much anything.
16:01:13 <geppetto> spot: Why not say something like "Those repos must also point to repos.fedorapeople.org, so we know they obey the Fedora legal rules."
16:01:21 * Southern_Gentlem looks at watch
16:01:24 <spot> personally, i'm all for saying "no. you cannot do that. ever."
16:01:31 <geppetto> spot: I'd also +1 that :)
16:01:32 <tibbs|h> We don't explicitly mention all of the trademarks you can't infringe.
16:01:34 * nirik is ok with spot's proposal
16:02:27 <spot> Southern_Gentlem: are we hitting another meeting?
16:02:35 <Southern_Gentlem> yes sir
16:02:43 <spot> okay, we'll revisit this next week
16:02:46 <spot> thanks everyone.
16:02:50 <spot> #endmeeting