Stories with Tag Fedora

• Fedora change aims for 99% package reproducibility

  permalink

  Posted: 2025-04-11 13:40:26

  Verbose tl;dr

  Fedora is implementing a change to enhance package reproducibility, aiming for a 99% success rate. This involves using "source date epochs" (SDE) which fixes build timestamps to a specific point in the past, eliminating variations caused by differing build times. While this approach simplifies reproducibility checks and reduces false positives, it won't address all issues, such as non-deterministic build processes within the software itself. The project is actively seeking community involvement in testing and reporting any remaining non-reproducible packages after the SDE switch.

  The Linux Weekly News article titled "Fedora change aims for 99% package reproducibility" details a proposed and largely implemented shift in the Fedora Linux distribution's build system to prioritize and significantly enhance the reproducibility of software packages. Reproducibility, in this context, means that building a given package version from source code, regardless of the build environment or time, should result in bit-for-bit identical binary packages. This has significant implications for security and trust, allowing independent verification of builds and ensuring that malicious modifications haven't been introduced during the build process.

  The article explains that Fedora has been working towards this goal for several years, making incremental improvements to their build infrastructure and tooling. This latest effort focuses on tackling the remaining 1% of packages that are not currently reproducible. These problematic packages often encounter issues stemming from embedded timestamps, build paths leaking into binaries, and non-deterministic behavior in build tools or libraries.

  The proposed solution involves implementing stricter build rules and utilizing techniques like build sandboxing and source date epoch (SDE) usage. Build sandboxing isolates the build process within a controlled environment, minimizing the influence of external factors. SDE sets a consistent timestamp for all files within the build environment, effectively eliminating time-based variations in the resulting binaries.

  The Fedora project aims to achieve 99% package reproducibility by enforcing these practices and systematically addressing the issues in the remaining non-reproducible packages. This ambitious goal necessitates close collaboration between package maintainers and the Fedora build system team. Maintainers will need to adapt their build scripts and potentially modify their software to comply with the new reproducibility requirements. The article highlights the importance of tooling and automation to assist maintainers in this transition, mentioning the development of automated rebuild and comparison tools to identify and diagnose reproducibility issues.

  While the ultimate goal is 100% reproducibility, the article acknowledges the inherent challenges in achieving this for all packages. Some software might rely on inherently non-deterministic processes, making perfect reproducibility impossible. Nevertheless, reaching 99% reproducibility represents a significant milestone in improving the security and trustworthiness of the Fedora distribution. The article concludes by emphasizing the ongoing nature of this work and the community's commitment to continually improving the build process and enhancing package reproducibility.

  • Fedora
  • Linux
  • package management
  • Reproducibility
  • software supply chain
  • Security
  • RPM
  • build system
  • Open Source
  • Operating Systems
  • Software Development

  Summary of Comments ( 195 )
  https://news.ycombinator.com/item?id=43653672

  Verbose tl;dr

  Hacker News users discuss the implications of Fedora's push for reproducible builds, focusing on the practical challenges. Some express skepticism about achieving true reproducibility given the complexity of build environments and dependencies. Others highlight the security benefits, emphasizing the ability to verify package integrity and prevent malicious tampering. The discussion also touches on the potential trade-offs, like increased build times and the need for stricter control over build processes. A few commenters suggest that while perfect reproducibility might be difficult, even partial reproducibility offers significant value. There's also debate about the scope of the project, with some wondering about the inclusion of non-free firmware and the challenges of reproducing hardware-specific optimizations.

  The Hacker News post "Fedora change aims for 99% package reproducibility" generated a moderate discussion with several insightful comments. Many commenters expressed support for the initiative, viewing reproducible builds as a crucial step towards enhancing software security and trustworthiness.

  One compelling comment highlighted the significance of reproducibility in verifying the integrity of downloaded packages, ensuring they haven't been tampered with. This resonates with the broader security concerns around supply chain attacks, where malicious actors compromise software during the build process. Reproducibility offers a mechanism to verify the authenticity of builds by independently recreating them and comparing the results.

  Another commenter delved into the technical challenges of achieving full reproducibility, particularly with aspects like timestamps and build paths embedded within binaries. They emphasized the need for careful consideration of these details to ensure consistent build outputs. This point underscores the complexity of implementing reproducible builds and the meticulous effort required by package maintainers.

  Some users questioned the practicality of aiming for 99% reproducibility, wondering about the remaining 1% and the potential difficulties in achieving perfect reproducibility. This prompted a discussion about the trade-offs between striving for ideal reproducibility and the pragmatic limitations imposed by certain software components or build processes.

  Furthermore, a comment mentioned the importance of tools and infrastructure for verifying reproducibility, suggesting that simply rebuilding packages isn't sufficient. Robust verification mechanisms are essential for ensuring the integrity and consistency of the reproduced builds.

  Several comments also touched upon the broader benefits of reproducible builds beyond security, such as easier debugging, improved transparency, and greater community involvement in the software development lifecycle. These comments showcase the wide-ranging impact of reproducible builds on the software ecosystem.

  Overall, the comments on Hacker News generally demonstrate a positive reception towards Fedora's initiative for reproducible builds, recognizing its potential to improve software security and reliability. The discussion also acknowledges the technical complexities and the need for robust tooling to effectively implement and verify reproducible builds.

• Supply Chain Attacks on Linux Distributions – Fedora Pagure

  permalink

  Posted: 2025-03-19 19:58:37

  Verbose tl;dr

  The blog post details a potential supply chain attack vector targeting Linux distributions, specifically focusing on Fedora's now-deprecated Pagure code hosting platform. The author discovered that Pagure's design allowed maintainers to incorporate external dependencies, such as automatically fetched tarballs from arbitrary URLs, directly into build processes. This posed a significant security risk as compromised external servers could inject malicious code into these dependencies, which would then be incorporated into Fedora packages. While Fedora itself wasn't directly affected due to its use of mock for isolated builds, the author argues the vulnerability highlighted a broader systemic issue in open-source software supply chains where implicit trust in external resources can be exploited. The post concludes by emphasizing the need for stricter dependency management and verification practices within Linux distributions and the open-source ecosystem.

  This blog post details a potential supply chain attack vector targeting Linux distributions, specifically focusing on the Fedora Project's now-deprecated code forging platform, Pagure. The author, known as "fenris," meticulously outlines how a compromised Pagure instance could have devastating consequences for the entire Fedora ecosystem and potentially other distributions that consume Fedora packages.

  Fenris begins by explaining Pagure's role as a git-based code repository and review platform where Fedora developers collaborated on software projects. Crucially, Pagure housed the spec files, the recipes that dictate how software is built into installable RPM packages. Compromising Pagure, therefore, would offer an attacker an ideal position to inject malicious code into these spec files, which would then be incorporated into the final RPM packages distributed to Fedora users.

  The attack scenario envisioned by fenris involves a malicious actor gaining unauthorized access to Pagure’s server infrastructure. This could be achieved through various means, such as exploiting software vulnerabilities, obtaining compromised credentials, or leveraging social engineering tactics. Once inside, the attacker could subtly alter spec files, injecting malicious commands that would execute during the build process or after the package is installed on a user's system. These malicious modifications could range from installing backdoors, exfiltrating sensitive data, or even crippling system functionality.

  The post emphasizes the insidious nature of such an attack. Because the malicious code resides within the spec file itself, it bypasses typical security measures like code review. Developers, trusting the integrity of the Pagure platform, might not detect the subtle changes within the seemingly innocuous spec file updates. Consequently, the malicious code would propagate through the build system, ultimately contaminating the official Fedora repositories and reaching end users.

  Fenris underscores the far-reaching impact of this potential vulnerability. Not only would Fedora users be at risk, but other Linux distributions, like Red Hat Enterprise Linux (RHEL) and CentOS Stream, which often derive packages from Fedora, could also be affected. This cascading effect highlights the interconnectedness of the open-source ecosystem and the potential for a single point of compromise to have widespread ramifications.

  The post concludes by highlighting the significance of securing the software supply chain and advocates for robust security measures throughout the development and distribution process. While acknowledging that Fedora has since migrated from Pagure to GitLab, the post serves as a cautionary tale, emphasizing the need for continuous vigilance against potential supply chain attacks and the importance of implementing secure development practices across the open-source landscape. The author emphasizes that while the specific vulnerability relating to Pagure is no longer relevant, the overall methodology described represents a persistent threat that needs to be considered for any platform hosting build instructions and source code.

  • Supply Chain Security
  • Linux
  • Fedora
  • Pagure
  • software supply chain
  • Cybersecurity
  • Open Source Security
  • Software Repositories
  • package management
  • Vulnerability
  • Security Audit
  • Compromise
  • Attack Vectors

  Summary of Comments ( 67 )
  https://news.ycombinator.com/item?id=43416605

  Verbose tl;dr

  HN commenters discuss the complexities of securing the software supply chain, particularly for Linux distributions. Some express skepticism about the feasibility of perfect security, noting the difficulty in verifying every component and the potential for vulnerabilities to be introduced at various stages. Others suggest focusing on minimizing the "blast radius" of potential attacks through techniques like reproducible builds and better compartmentalization. The conversation also touches on the trade-offs between security and convenience, with some arguing that the current level of risk is acceptable given the benefits of open-source software and rapid development cycles. A few comments delve into specific technical details, such as the use of signed RPM packages and the role of distribution maintainers in verifying software integrity. Finally, there's a discussion about the potential for malicious actors to target infrastructure like package repositories and the importance of robust security measures at that level.

  The Hacker News post "Supply Chain Attacks on Linux Distributions – Fedora Pagure" sparked a discussion with several insightful comments focusing on the complexities and challenges of securing the software supply chain, particularly within the context of Linux distributions.

  One commenter highlighted the inherent difficulty of preventing all forms of supply chain attacks, emphasizing that determined adversaries will always find new and creative ways to exploit vulnerabilities. They suggested that focusing solely on prevention is insufficient and advocated for a multi-layered approach that includes robust detection and mitigation strategies. This commenter also touched on the need for better tooling to help identify and address potential weaknesses.

  Another commenter pointed out the crucial role of reproducible builds in enhancing security. Reproducible builds allow independent verification of the compiled binaries, ensuring they match the source code. This helps detect malicious modifications introduced during the build process, increasing confidence in the integrity of the software. They further mentioned the challenges associated with achieving full reproducibility, particularly with complex software projects and varying build environments.

  The conversation also touched on the specific challenges faced by smaller projects like Pagure, the software discussed in the linked article. A commenter noted that smaller projects often lack the resources and expertise to implement comprehensive security measures. This contributes to a broader ecosystem vulnerability, as even seemingly insignificant projects can become entry points for attackers targeting larger systems.

  Several comments delved into the technical details of potential attack vectors, discussing methods like compromising build servers or injecting malicious code into dependencies. These comments highlighted the intricate nature of the software supply chain and the numerous points where vulnerabilities can arise.

  One commenter questioned the focus on Pagure specifically, suggesting that the issues discussed are widespread and not unique to this particular project. They argued that the broader problem lies in the complexity of modern software development and the interconnectedness of various components, making it challenging to secure every link in the chain.

  Finally, a commenter emphasized the importance of user education and awareness in mitigating supply chain attacks. They suggested that developers and users alike need to be more vigilant about the software they use and the sources from which they obtain it, advocating for a culture of security consciousness throughout the software ecosystem.

  In summary, the comments on the Hacker News post provide a nuanced and multifaceted perspective on the challenges of securing the software supply chain, moving beyond simply acknowledging the problem to explore potential solutions and highlight the need for a comprehensive and collaborative approach.

• Fedora 42 Beta

  permalink

  Posted: 2025-03-18 16:48:17

  Verbose tl;dr

  Fedora 42 Beta is now available for testing, bringing updates across the desktop, server, and cloud. Key features include the GNOME 44 desktop environment with improved quick settings and a redesigned file chooser, the Linux 6.4 kernel, and Golang 1.20. For server users, Fedora 42 defaults to a more minimal install, reducing attack surface and resource usage. The cloud image incorporates these updates and is prepared for deployment on various platforms. Testers are encouraged to download the beta release and provide feedback to help ensure a polished final release.

  The Fedora Project proudly announces the highly anticipated release of Fedora Linux 42 Beta, marking a significant step towards the final stable version. This beta release serves as a crucial testing ground for the community and developers alike, providing an opportunity to identify and address any remaining bugs or issues before the official launch. Fedora 42 Beta showcases a plethora of exciting new features and enhancements across various aspects of the operating system, promising an improved user experience and enhanced performance.

  One of the key highlights of this release is the upgrade to the GNOME 44 desktop environment. This brings a modernized and refined visual experience with improved performance and usability. Users can expect to encounter a more polished and intuitive desktop interface with various enhancements to core applications and workflows.

  Under the hood, Fedora 42 Beta incorporates the robust Linux Kernel 6.4. This latest kernel version brings a wealth of improvements, including enhanced hardware support, performance optimizations, and security fixes. This ensures that Fedora 42 Beta offers a stable and secure foundation for users' computing needs.

  For developers, Fedora 42 Beta ships with the latest toolchain components, featuring GCC 13.1, glibc 2.37, and LLVM 16. These updated tools provide developers with access to the cutting-edge advancements in compiler technology and libraries, enabling them to build and deploy high-performance and optimized applications. Furthermore, the inclusion of Golang 1.20 provides developers with a modern and efficient programming language for building robust and scalable software solutions.

  In addition to these core updates, Fedora 42 Beta introduces various other enhancements across different editions. For instance, the Fedora Workstation edition benefits from improved support for hardware devices and refined desktop settings. The Fedora Server edition receives updates to system management tools and enhanced security features. The Fedora Cloud edition offers improved integration with cloud platforms, allowing for streamlined deployment and management of cloud-based workloads.

  The release of Fedora 42 Beta represents a collaborative effort by the dedicated Fedora community and developers. By actively testing this beta release and providing valuable feedback, users can contribute to the final polish and stability of Fedora 42. This collaborative approach ensures that Fedora continues to deliver a cutting-edge and community-driven Linux distribution. The Fedora Project encourages all users and developers to download and test the Fedora 42 Beta release and report any encountered issues to help refine the operating system before its final release.

  • Fedora
  • Linux
  • Operating System
  • Beta Release
  • Fedora 42
  • Red Hat
  • Open Source
  • Software

  Summary of Comments ( 74 )
  https://news.ycombinator.com/item?id=43401595

  Verbose tl;dr

  HN users discuss the changes in Fedora 42 Beta. Several commenters express excitement about the switch to GNOME 44, praising its improved performance and features like quick settings toggles for Bluetooth. Others appreciate the inclusion of newer kernel and Golang versions. Some users discuss the decision to drop support for i686, with mixed reactions. A few commenters also mention their preferred desktop environments, like KDE and Sway, and their experiences with Fedora Kinoite. The transition to a new bootloader, BLS, is also mentioned but doesn't generate extensive discussion.

  The Hacker News post "Fedora 42 Beta" discussing the release of Fedora 42 Beta (linked to a Red Hat blog post) has several comments exploring various aspects of the new release.

  A prominent thread discusses the switch to GNOME 44. Users express excitement about new features, particularly the improved Quick Settings menu offering more customization options. Some users also appreciate the enhanced support for WebP image format. However, there's also discussion about potential regressions or missing features, with some users missing the ability to easily switch between sound output devices in the redesigned sound menu.

  Another user notes the transition of the Raspberry Pi spin to a new build system. This change, while viewed positively in the long run, has introduced some temporary limitations, like the absence of a 64-bit image for the Raspberry Pi 4 in the beta release. The user expresses hope for the availability of a 64-bit image in the final release.

  A few comments touch upon the inclusion of a newer Linux kernel (6.4), appreciating the continuous updates and improvements Fedora offers. One user specifically mentions improved Bluetooth functionality with this kernel version.

  Package updates, such as the inclusion of Golang 1.20 and the upgrade to the latest LLVM toolchain, also garnered attention and positive comments.

  There's a short discussion regarding the availability of Kinoite (KDE spin) and the benefits of immutable desktop distributions.

  Overall, the comments reflect a positive reception of the Fedora 42 Beta. Users express interest in the new features, particularly those within GNOME 44, while also acknowledging and discussing minor issues and limitations anticipated to be addressed in the final release. The thread also showcases the community's engagement with technical details like specific package versions and build system changes.