17:01:19 <geppetto> #startmeeting fpc
17:01:20 <zodbot> Meeting started Thu Nov 13 17:01:19 2014 UTC. The chair is geppetto. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:20 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
17:01:20 <geppetto> #meetingname fpc
17:01:20 <zodbot> The meeting name has been set to 'fpc'
17:01:20 <geppetto> #topic Roll Call
17:01:24 <tibbs> Howdy.
17:01:28 <geppetto> geppetto limburgher mbooth orionp racor Rathann SmootherFr0gZ spot tibbs|w tomspur: FPC ping
17:01:35 <geppetto> #chair tibbs
17:01:35 <zodbot> Current chairs: geppetto tibbs
17:01:37 <geppetto> Hey
17:01:38 * limburgher here
17:01:39 <orionp> morning
17:01:44 <geppetto> #chair limburgher
17:01:44 <zodbot> Current chairs: geppetto limburgher tibbs
17:01:47 <geppetto> #chair orionp
17:01:47 <zodbot> Current chairs: geppetto limburgher orionp tibbs
17:01:50 * tomspur is here
17:01:52 * Rathann gere
17:01:55 <geppetto> #chair tomspur
17:01:55 <zodbot> Current chairs: geppetto limburgher orionp tibbs tomspur
17:01:56 <Rathann> *here
17:01:58 <geppetto> #chair Rathann
17:01:58 <zodbot> Current chairs: Rathann geppetto limburgher orionp tibbs tomspur
17:02:37 <tibbs> Sorry about last week.
17:02:42 <geppetto> no problem
17:02:49 <geppetto> #chair mbooth
17:02:49 <zodbot> Current chairs: Rathann geppetto limburgher mbooth orionp tibbs tomspur
17:02:49 <mbooth> Sorry I'm late
17:03:27 <limburgher> mbooth: 6 demerits. This is going on your permanent record.
17:03:37 <orionp> mbooth - that doesn't qualify as late by FPC standards :)
17:03:59 <limburgher> Nah. I think up to 45 is "on time". ;)
17:04:05 <limburgher> minutes-----------^
17:04:14 <mbooth> :-)
17:04:43 <geppetto> SmootherFrOgZ: FPC ping
17:05:52 <geppetto> ok, going to start anyway … we have 7
17:06:06 <geppetto> #topic #467 Consider requiring all files in /usr to be world-readable
17:06:15 <geppetto> https://fedorahosted.org/fpc/ticket/467
17:06:39 * SmootherFrOgZ here
17:06:44 <geppetto> tibbs: You seem to have looked at this during the week … any thoughts
17:06:45 * racor is here
17:06:48 <geppetto> #chair SmootherFrOgZ
17:06:48 <zodbot> Current chairs: Rathann SmootherFrOgZ geppetto limburgher mbooth orionp tibbs tomspur
17:06:50 <geppetto> #chair racor
17:06:51 <zodbot> Current chairs: Rathann SmootherFrOgZ geppetto limburgher mbooth orionp racor tibbs tomspur
17:06:55 <tibbs> Well, my input is all in there.
17:07:10 <tibbs> The current guidelines do seem to cover this, but the language is kind of iffy.
17:07:17 <tibbs> We were less precise way back when.
17:08:20 <tibbs> In summary...
17:08:47 <tibbs> I think cleaning up the language is good, but requiring some committee vote for exceptions is overkill.
17:09:46 <tibbs> I also can't say much about the security implications of this. There's more info in https://fedorahosted.org/fpc/ticket/286 about security stuff.
17:09:49 <limburgher> I'm inclined to agree.
17:10:08 <geppetto> Do we want to allow people to have non world readable exes in /usr/sbin and/or /usr/bin ?
17:10:24 <tibbs> I guess the best example would be sudo. Why is it mode 4111? What happens if it isn't?
17:11:10 <geppetto> IIRC (it's been at least a couple of years) the security group that dealt with govt. stds. wanted a bunch of exes to not be readable
17:11:18 <tibbs> We already don't allow it, technically.
17:12:00 <geppetto> Yeh, but do we want to say all those apps. are violating it and anyone is free to file bugs and say it's against policy?
17:12:36 <tibbs> That's a fight in which we generally don't involve ourselves....
17:12:37 <geppetto> I don't really mind that … but then I also don't see the need to have everything be world readable … apps. should handle it better
17:13:01 <tibbs> So there are a couple of arguments, I guess.
17:13:26 <tibbs> One is the security by obscurity thing, which I really don't buy since our binaries are the same all over the planet.
17:13:34 <geppetto> And esp. in the ticket the whole thing about files should be readable but dirs. don't have to be … seemed like insanity, just fix your apps. to treat files like dirs. then
17:14:01 <geppetto> tibbs: To be fair I think this happened when prelink was a thing … so the apps. did technically change.
17:14:33 <tibbs> Well sudo, for example, has been mode 4111 since it was imported into public CVS in 2004.
17:14:51 <tibbs> So I'm guessing it's always been that way.
17:14:54 <Rathann> "tradition"?
17:14:58 <geppetto> yeh
17:16:46 <Rathann> ok, I think there are enough use cases to go ahead with this
17:16:51 <geppetto> Well, as I said … I kind of feel like everyone is wrong here. So I don't really mind who we annoy.
17:16:57 <Rathann> +1 to making everything world readable
17:16:58 <tibbs> sudo doesn't seem to care; it works just fine mode 4555 and mode 4755.
17:17:00 <Rathann> in /usr
17:18:26 <tibbs> So, I'd propose to strike "in the majority of situations" and change should to must in the first paragraph of http://fedoraproject.org/wiki/Packaging:Guidelines#File_Permissions
17:19:58 <orionp> Should we explicitly mention /usr there?
17:20:21 <Rathann> I guess yes
17:20:42 <orionp> non-config and non-state == /usr ?
17:21:27 <geppetto> I'm somewhat worried about anyone using /usr/etc
17:21:29 <geppetto> but meh.
17:21:31 <geppetto> +1
17:22:11 <tomspur> So anything in /usr is a must and the rest a should?
17:22:21 <Rathann> $ ls -l /usr/etc
17:22:21 <Rathann> ls: cannot access /usr/etc: No such file or directory
17:22:30 <tibbs> Nothing in the distro provides it, either.
17:22:31 <Rathann> not in default Fedora install
17:22:33 <geppetto> just looked at util-linux for chfn/chsh … and they both have "always" been non-readable
17:22:56 <geppetto> Ok, cool
17:22:58 <tibbs> But yeah, this guideline does apply to more than just /usr, so I guess special casing /usr for "must"ing would be good.
17:23:02 <geppetto> I thought some weird stuff did
17:23:06 <orionp> ssh-agent is non-readable too, but works if it is
17:26:31 <geppetto> So we have +3 for tibbs proposal, so far?
17:27:01 <mbooth> I'm +1 too, all the reasons against doing this sound like "security theatre" to me
17:27:08 <tomspur> I agree with the latest one with special casing /usr for "must"ing
17:27:11 <tibbs> I'm trying to figure out how to clarify /usr versus other stuff.
17:27:36 * geppetto nods … ok, I'll give tibbs a couple of minutes to do a new proposal and then we can all vote again :)
17:27:53 <tibbs> Can't figure out how to say "unless there is some reason not to do so" in a guidelines-y fashion.
17:28:22 <jsmith> "without prior approval from FPC"?
17:28:30 <tibbs> I sure hope not.
17:28:37 <mbooth> "except under extenuating circumstances" ?
17:28:49 <limburgher> +1
17:28:56 <jsmith> And wouldn't those circumstances need to be vetted by FPC/FESCo?
17:29:04 <tibbs> We don't want to get into the business of having to approve every group-specific permission thing in /etc, for example.
17:30:28 <tibbs> http://fpaste.org/150547/89981314/
17:30:54 <limburgher> Smells like sanity.
17:31:08 <orionp> I'm pretty sure root:root ownership can't be a must
17:31:42 <orionp> there are setgid bins at least
17:31:47 <Rathann> right
17:31:53 <geppetto> yeh
17:32:11 <tibbs> That's kind of the problem we ran into at the beginning.
17:32:32 <tibbs> It's basically "must do this unless you have one of a huge number of reasons not to do this".
17:33:01 <orionp> let's focus on "must be universally readable" ?
17:33:10 <orionp> which is the question at hand
17:33:23 <tibbs> Drop group ownership entirely?
17:33:39 <tibbs> Or "files should be group root unless setgid" ?
17:33:51 <geppetto> How about: Inside of /usr files should be owned by root:root, unless a more specific user/group is needed for security. They should be writable only by the owner and universally readable (and executable if appropriate).
17:34:44 <tibbs> Sounds good for me.
17:34:50 <tibbs> But, should or must?
17:35:10 <tibbs> It's not like we have precise definitions of either.
17:35:12 <geppetto> The second should is a must, right?
17:35:31 <tibbs> Yeah, I think that's the whole point of this.
17:35:45 <limburgher> Well, though, I thought root ownership was a good security practice for things that run as other users?
17:35:49 <orionp> change user/group to group
17:36:11 <geppetto> How about: Inside of /usr files should be owned by root:root, unless a more specific user/group is needed for security. They must be universally readable (and executable if appropriate).
17:36:59 <geppetto> orionp: I can imagine some packages have myowner:root
17:37:08 <geppetto> orionp: So it seems weird to just say group
17:37:58 <tomspur> +1
17:38:37 <orionp> geppetto - true I guess I was focusing on binaries only
17:39:31 <tibbs> So we're at http://fpaste.org/150551/41590035/
17:39:36 <tibbs> ?
17:39:39 <tibbs> If so, +1
17:39:45 <limburgher> Ok, +1
17:40:33 <SmootherFrOgZ> +1
17:40:38 <orionp> +1, fixing security typo :)
17:40:42 <tibbs> Yeah.
17:40:51 <geppetto> Oh, go on then :)
17:41:01 <Rathann> hm
17:41:40 <geppetto> I dropped the writable bit, as it seemed hard to get correct with all the possibilities
17:41:56 <Rathann> this is a bit contradictory: if a file is not owned by root then current wording will require that it's not writable by that user
17:42:11 <geppetto> yeh
17:48:45 <geppetto> Ok, so: http://fpaste.org/150552/90090314/
17:49:01 <geppetto> +1
17:49:31 <tibbs> +1
17:49:36 <tomspur> +1
17:50:23 <mbooth> +1
17:51:54 <Rathann> we are retaining the current "shoulds" about default modes (0755/0644 and 2775), right?
17:52:37 <racor> 0 ... I am uncertain and am not sure what to think about this.
17:53:41 <mbooth> Rathann: I understood that we are only re-writing the first paragraph -- the note about group writable dirs should be retained, I think
17:53:46 <geppetto> Rathann: yeh
17:53:50 <Rathann> ok, then
17:53:51 <Rathann> +1
17:54:32 <geppetto> limburgher: vote?
17:55:18 <Rathann> I'd also add a requirement to justify and document non-standard (root:root 644/755) ownership in the specfile
17:58:27 <geppetto> Ok, one last time … now have the whole section:
17:58:30 <geppetto> http://fpaste.org/150558/01488141/
17:59:31 <geppetto> +1
17:59:38 <Rathann> ehhh, now it looks like the default modes apply only outside /usr
17:59:40 <tibbs> +1
18:00:04 <tibbs> Human languages.... so imprecise.
18:02:12 <Rathann> how about this? http://fpaste.org/150562/41590171/
18:02:17 <geppetto> Rathann: I didn't want to repeat that bit :(
18:02:23 * geppetto looks
18:03:15 <geppetto> Yeh, that looks fine to me
18:03:15 <geppetto> +1
18:03:16 <racor> I am turning my vote into a -1
18:03:16 <tomspur> +1
18:03:24 <limburgher> Sorry, called away, reading. . .
18:03:39 <Rathann> or s/Default file mode/Files should be mode/
18:03:42 <geppetto> racor: Want to change anything?
18:03:42 <limburgher> +1
18:03:44 <racor> I don't think we have yet fully understood the breadth of the problems
18:03:48 <tibbs> I'm basically +1 to all of these.
18:04:37 <racor> e.g. did you consider the files under /usr/sbin which intentionally are o-r to keep them out of an ordinary user's PATH
18:04:47 <Rathann> racor: all the packaged files are available publicly anyway in Fedora repositories, so what's the point of making them unreadable?
18:05:14 <racor> To keep them out of an ordinary user's PATH
18:05:21 <Rathann> any user can download the package, unpack it and put the same binary in her own $HOME/bin
18:05:27 <racor> This has nothing to do with obscurity
18:05:40 <Rathann> wait wait
18:05:45 <racor> this is about run-time accessibility
18:05:54 <Rathann> the files can still be non-executable
18:06:04 <Rathann> i.e. 754 or 744
18:06:28 <Rathann> we're not adding MUST be world executable
18:06:33 <Rathann> only world readable
18:06:46 <tibbs> The weirdest example I can think of is apache suexec.
18:07:07 <tibbs> -r-x--x---. 1 root apache 19456 Jul 23 05:31 suexec*
18:07:29 <tibbs> I think that one hits all of the weird spots. What would break if it changed?
18:07:42 <racor> Run "which audispd" as root and as normal user and you'll see the difference
18:07:53 <tibbs> Also, isn't "must be kept out of the user path" something you'd simply document in the spec file as the guideline indicates and move on?
18:08:02 <tibbs> I mean, the guideline doesn't break anything.
18:08:05 <racor> -rwxr-x---. 1 root root 49120 Oct 28 18:13 audispd
18:08:11 <mbooth> tibbs: Hmm, I wonder why suexec is not in libexec?
18:08:27 <tibbs> mbooth: Probably reasons.
18:08:40 <tibbs> racor: And so why should that not be documented in the spec?
18:08:58 <Rathann> racor: which package is that? I can't find it
18:09:13 <tibbs> I mean, this guideline comes down to "unless you have a reason, do this. If you have a reason, document it"
18:09:23 <geppetto> racor: Try adding just readability for the user and try it again … it should act the same way
18:09:29 <tibbs> Not sure how you can really poke holes in that.
18:10:06 <geppetto> racor: We aren't saying all programs should be executable by the user
18:11:04 * Rathann will be away for about 10 minutes
18:12:19 <racor> geppetto: We don't say this, but we force packagers to make them act this way.
18:12:19 <geppetto> orionp: mbooth: You want to vote again on http://fpaste.org/150562/41590171/ ?
18:12:30 <orionp> sure, +1
18:12:30 <geppetto> racor: I don't see how
18:12:53 <racor> "They must be universally readable"
18:13:07 <geppetto> racor: Yes, but 754 satisfies that and isn't executable
18:13:08 <mbooth> +1, LGTM
18:14:11 <geppetto> Anyway, moving on
18:14:12 <geppetto> #topic #468 Temporary modernizr packing exception for kimchi
18:14:18 <geppetto> https://fedorahosted.org/fpc/ticket/468
18:15:29 <racor> Ok, I am running out-a-time and have to quit for today.
18:15:31 <geppetto> I guess … why can't you just package modernizr?
18:15:40 * geppetto nods, ok
18:15:42 <tibbs> Is kimchi in the distro? Doesn't appear to be in F20 at least.
18:16:01 <mbooth> geppetto: I had the same thought, I don't see any review open for modernizr
18:16:01 <geppetto> I assume baude is trying to package it now?
18:16:24 <orionp> https://bugzilla.redhat.com/show_bug.cgi?id=1126990 is the review for kimchi
18:16:34 * geppetto nods... was just checking that :)
18:17:33 <geppetto> #action Just package modernizr, instead of bundling it.
18:17:38 <orionp> I'm definitely in the just package modernizr camp
18:17:41 <tibbs> +1
18:17:51 <mbooth> +1, at least show willing
18:17:56 <orionp> +1
18:18:02 <geppetto> #action If still desire to bundle it, please answer the std. bundling questions.
18:18:08 <geppetto> Ok, cool
18:18:16 <geppetto> #topic Open Floor
18:18:31 <mbooth> geppetto: Got time to look at #471?
18:19:28 <geppetto> damn, hadn't seen 469+
18:19:34 <tibbs> +1 for the gradle thing.
18:19:39 <limburgher> +1
18:19:45 <limburgher> for 468
18:19:56 <limburgher> sorry, keep getting busy.
18:20:12 <geppetto> I don't see 471 … just 470
18:20:39 <geppetto> Oh, nevermind … didn't refresh
18:21:13 <geppetto> #topic #471 Bootstrap exception for Gradle
18:21:34 <geppetto> I think we still have 5 … so can vote on this
18:22:14 <geppetto> +1
18:22:23 <mbooth> I am +1 to this
18:22:37 <tomspur> +1
18:23:17 <tibbs> +1 for the record
18:23:35 <geppetto> limburgher: vote for 471?
18:23:38 <orionp> +1
18:27:30 <geppetto> #action Bootstrap exception for Gradle (+1:5, 0:0, -1:0)
18:27:36 <geppetto> #topic Open Floor
18:27:46 <geppetto> Ok, anything else?
18:28:37 * tomspur thought that it is forbidden to build several versions of a package out of one spec file, but couldn't find it.
18:28:54 <tomspur> Does maybe someone know if that is forbidden and where it is written?
18:29:18 <geppetto> subpackages are allowed and used a lot … so you mean like N different versions of the main package?
18:29:26 <tomspur> i.e.: the package with a correct version and a compat package within the same package
18:29:26 <limburgher> Yeah, sorry, +1 on 471. Attention span of a goldfish. . . .
18:29:32 <tomspur> geppetto, yes
18:29:35 <geppetto> I'm not even sure that's possible … without calling rpmbuild N times.
18:30:11 <geppetto> You have an example?
18:30:15 <tomspur> It is, but I don't like to blame the package at hand right now ... :/
18:31:18 <tomspur> http://pkgs.fedoraproject.org/cgit/activemq-cpp.git/tree/activemq-cpp.spec?h=el6 :/
18:32:33 <tomspur> I couldn't find anything that forbids this, but I hope it is...
18:32:35 <geppetto> yeh, those are just subpackages
18:32:49 <geppetto> They have different names etc.
18:33:28 <mbooth> tomspur: I'd allow that, usually the maintainer of the main package is unwilling to maintain additional compat packages so others who want them have to step up and submit a separate package review
18:33:46 <mbooth> So props to this guy willing to support many versions of his package
18:33:52 <geppetto> yeh, plus they might only live for a short time
18:34:17 <geppetto> So don't want to go through a package review for something you'll kill in a few months or whatever
18:34:24 <mbooth> Exactly
18:34:44 <tomspur> hmm, then I could also have saved one of my review requests :(
18:35:11 <geppetto> Now you know the secret ;)
18:35:22 <tomspur> It still doesn't look "right"...
18:35:58 <mbooth> I confess I did the same thing in one of my packages many years ago: http://pkgs.fedoraproject.org/cgit/lpg.git/tree/lpg.spec
18:37:55 <geppetto> tomspur: Yeh, it's not super awesome … it's just often better than the alternatives
18:38:08 <geppetto> Anyone have anything else?
18:38:16 <geppetto> If not I'll close in a couple of minutes
18:40:18 <geppetto> #endmeeting