Fedora Security FAD: The Results

Well, I think it was quite successful. Probably the most successful Fedora Activity Day I’ve attended. Many things were accomplished toward the goal of two-factor authentication within Fedora Infrastructure:

  • Installed and configured totpcgi authentication on the staging environment. This performs the verification from the clients. There will be several servers doing authentication to prevent a single point of failure.
  • Installed and configured pam_url on each staging client with the intent of connecting to the authentication servers.
  • Enabled Yubikey as an alternate second factor.
  • Reviewed RPMs for pam_url and totpcgi (and a few others to help along the way).
  • Set up the totpcgi provisioning web page for Google Authenticator.
  • Fixed fun bugs in pam_url.
  • Wrote documentation on how to set up authentication.

A few things were accomplished that were not part of the goals, but good stuff nonetheless:

While I didn’t participate in all of the above activities, I was definitely involved in many of them. It turns out, everyone there was fairly involved at the FAD. It was fun to watch everyone come together to solve this issue. Everyone seemed to have a good sense of satisfaction accomplishing the goals.



Posted in FAD, Fedora, Tech

Security FAD This Week

Recently, I’ve been quite busy working at my new job at the Linux Foundation. I’ve really been enjoying it and am excited to be working there.

One of the perks I’ve been able to work out will be to attend the Fedora Activity Day this week in Raleigh, where we’ll be working on two-factor authentication among other things. This is something I’ve recently set up at LF, and I am hopefully going to be involved in getting it working for Fedora as well.

Additionally, I have been working on getting a GPG SmartCard token working to accommodate ssh authentication. I think Fedora is going to be using Yubikeys, but I thought it might be cool to show this off as an alternative.

Anyway, it should be a fun week and very busy as well. Watch for more reports here about our progress.




Posted in FAD, Fedora, Tech

Fedora Ambassadors Update – October 2012

Welcome New Ambassadors

We are happy to welcome our new sponsored Fedora Ambassadors in October:

Fedora Ambassador Statistics

Sun Nov 4 08:57:45 2012 | Approved: 611 | Inactive: 81 | % inactive:13.26



Posted in Ambassadors, Fedora, Tech

GoOSe Linux 6 Beta Release Candidate 3 (RC3) Available Now!

GoOSe Linux 6 Beta Release Candidate 3 (RC3) is now available for testing. Visit http://get.gooseproject.org/ to obtain the download. Please see the following pages for download links and testing instructions.

Note: The links below are provided by the Fedora Project as a useful pointer to tests the GoOSe Project should be performing. Please do not modify content on the links below; they are only for reference. It is expected that the GoOSe Project will build its own tests based upon the great tests provided below.





Ideally, all Alpha, Beta, and Final priority test cases for Installation [1], and Base [2] should pass in order to meet the Final Release Criteria [3]. Help is available on #gooseproject on irc.freenode.net.

[1] https://fedoraproject.org/wiki/QA:Installation_validation_testing
[2] https://fedoraproject.org/wiki/QA:Base_validation_testing
[3] https://fedoraproject.org/wiki/Fedora_17_Final_Release_Criteria

The GoOSe Project thanks the Fedora Project for providing such good testing information and allowing us to ‘stand upon shoulders of giants’ as we grow and learn.

Posted in GoOSe, Tech

Fedora Ambassadors Update – September 2012

Welcome New Ambassadors

We are happy to welcome our new sponsored Fedora Ambassadors in September:

https://fedoraproject.org/wiki/User:Rodolfoarce from Paraguay mentored by Daniel Bruno
https://fedoraproject.org/wiki/User:Echevemaster from Venezuela mentored by Luis Bazán
https://fedoraproject.org/wiki/User:Andrmak from Brazil — sponsored by dbruno

Fedora Ambassador Statistics

Sun Sep 30 10:47:14 2012 | Accounts checked : 606 | Inactive Accounts : 80 | % inactive : 13.20

For those of you keeping score at home

As you may have noticed, Joerg (kital) has retired from performing the FAMA duties, and I have taken over. I would personally like to thank him for his excellent work.

Since I’m now in charge of FAMA, I’m modifying the process to fit my availability. Essentially, this means two things:

  1. All ambassador applications will be processed on a weekly basis (this usually means a Sunday morning). If I am going to be unavailable on Sunday, I’ll try to get it done as soon as possible before/after that time.
  2. Welcome notices will only go out once a month, in an update email / post. This post is the first of the monthly posts.

If you have any questions, you can email me or find me in #fedora-ambassadors on irc.freenode.net (herlo is my fas and irc nick).



Posted in Ambassadors, Community, Fedora, Tech

Working with github’s pull request workflow

Recently, I have given a response similar to this at least a half-dozen times and thought it could be useful here.  I work with many github repositories and manage them each and every day.  Below is the workflow I use to make things simple, easy and efficient.

First off, whoever you are pulling from is the ‘upstream’ repo. My example uses the saltstack repository (git://github.com/saltstack/salt.git). Make sure it’s set to the read-only git url so as to not accidentally push to upstream directly. To set this, you can do the following operation in your repository:

git remote add upstream git://github.com/saltstack/salt.git

Next, adjust the origin repository to point to your fork of the saltstack repository. In my case, my username is ‘herlo’ so my ssh-based read-write git url would be ‘git@github.com:herlo/salt.git’. To adjust the values, do the following:

git remote set-url origin git@github.com:herlo/salt.git

It’s possible that ‘origin’ isn’t set, but if you cloned originally from the saltstack repo, it will need to be adjusted.

Finally, it’s good to verify this: run ‘git config --list’ and look for lines similar to what I show below. If you have yours configured this way, you are ready to work with the github pull request structure simply and efficiently.

git config --list
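
One way to automate this verification step, as an added example that is not part of the original post: the function below reads ‘git config --list’ output and checks that upstream cannot be pushed to over ssh and that origin is the contributor’s fork. The function names and the sample config text are constructed for illustration; the URLs are the ones used in the post.

```shell
#!/bin/sh
# Added example: audit `git config --list` output for the remote layout
# described in the post. Works on captured text; no repository or network.

# Constructed sample: the layout the post sets up.
GOOD_CFG='remote.origin.url=git@github.com:herlo/salt.git
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
remote.upstream.url=git://github.com/saltstack/salt.git
remote.upstream.fetch=+refs/heads/*:refs/remotes/upstream/*'

# Constructed sample: a write-capable clone of upstream that was never adjusted.
BAD_CFG='remote.origin.url=git@github.com:saltstack/salt.git
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*'

# cfg_get CONFIG KEY_REGEX -> last value for the key (git's last-one-wins rule)
cfg_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1; }

# audit_remotes CONFIG FORK_OWNER
# Prints one finding per line; returns 0 only if the layout matches the post.
audit_remotes() {
    owner=$2; rc=0
    up_url=$(cfg_get "$1" 'remote\.upstream\.url')
    up_push=$(cfg_get "$1" 'remote\.upstream\.pushurl')
    or_url=$(cfg_get "$1" 'remote\.origin\.url')
    push_to=${up_push:-$up_url}   # pushes use pushurl when set, else url

    case "$push_to" in
        "")            echo "FAIL upstream remote is not defined"; rc=1 ;;
        git@*|ssh://*) echo "FAIL upstream accepts pushes over ssh: $push_to"; rc=1 ;;
        *)             echo "OK   upstream push target is not an ssh write URL" ;;
    esac

    # origin must be the contributor's own fork, not the upstream project.
    case "$or_url" in
        "") echo "FAIL origin remote is not defined"; rc=1 ;;
        git@github.com:"$owner"/*|ssh://git@github.com/"$owner"/*)
            echo "OK   origin is the fork owned by $owner" ;;
        *)  echo "FAIL origin is not a fork owned by $owner: $or_url"; rc=1 ;;
    esac
    return $rc
}

audit_remotes "$GOOD_CFG" herlo
audit_remotes "$BAD_CFG" herlo || echo "layout needs fixing"
```

GitHub no longer serves the unauthenticated git:// protocol, so a current setup would use an https:// upstream. Because https can push when credentials are cached, ‘git remote set-url --push upstream DISABLED’ gives the same guard, and the check accepts it.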

Last step, and this is more of a workflow piece than anything. Simply perform tasks in this fashion and you’ll be able to handle most anything with github’s pull requests.

  1. git pull upstream master/develop –  (the develop branch is likely the one you want)
  2. do some work, make commits to your changes, etc.
  3. git push origin master
  4. submit a pull request at your fork – (for example, https://github.com/herlo/salt/pull/new/master)
  5. once your merged changes are accepted, go back to step one – rinse and repeat.

I hope this helps clarify how the workflow in github could work. It’s simple, easy and effective.

Please let me know of any tweaks as you go through this process. I’d like to hear of any way to improve my process as well.



Posted in Fedora, git, GoOSe, Tech

‘The Quest for the Golden GoOSe’ Sprint is here!

Alright folks, it’s been decided, determined and is about to be announced! Um, yeah, that’s right everyone, the ‘Quest for the Golden GoOSe’ Sprint is on!

When is this happening you ask? Well it’s very simple and very soon, in fact it’s happening July 27-28, 2012. Yes, that’s Tomorrow and Saturday. It’s a bit unexpected for some of you, to be sure, but if you can make it, we’d love to have you for any time possible. If you can’t make it, take some time this next week and work on the GoOSe. The goal is to get the Golden GoOSe 6.0 release out by the end of August, so we really need to start cranking!

What’s left, you ask? Quite a bit actually, but the biggest piece still remaining is our Quality Assurance testing and reporting components. We’re working on them in our qa repository on github, and you can most definitely fork it and get an idea of what we’re doing. We need some serious help with ABI compliance, validation of RPMS and overall validation that all packages have been built.

Wait! There’s more! We also need help with documentation, code and usability testing of the isos. The documentation is all based upon our ‘How to Cook a Goose’ wiki page on github, the skein code needs to be updated to the new github v3 api and the Isos can be downloaded and

Some of this is more self-explanatory and some is just plain confusing. This is where we need your help! If you have ever wanted to define how things work, you can jump in now and help us identify things and help us solve problems. That’s the fun part about free and open source software! A good for-instance: what are the usability testing requirements for our Isos? Well at the moment, we don’t really have a good handle on this, but you could step in and define some requirements. If you would prefer to help write code, you could clean up things that might look a bit messy. There’s plenty to do!

Please come and help us out this weekend or anytime next week! We’ll be in #gooseproject on irc.freenode.net, or you can work by email, github or ESP. We’re excited to be moving forward and look for your help making the ‘Quest for the Golden GoOSe’ 6.0 release a reality!



Posted in Collaboration, Community, GoOSe, HackNights, IRC, News, Passion, Tech

Presenting at SELF 2012 and Other Cool Activities

I am excited to be speaking at the SouthEast LinuxFest tomorrow!! The presentation is about one of my latest projects, GoOSe Linux – Rebuilding Enterprise Linux the ‘Community’ Way. The presentation will take place at 1:30pm on Friday, June 8. If you ever were curious how Enterprise Linux is built in an open and transparent way, come by and listen. It will be entertaining and enlightening.

The Fedora project will be putting on a Beefy Miracle lunch across the street from SELF on Saturday (I think it’s at noon) so come by and get a Beefy Miracle in honor of Fedora 17.

Also, stop by the Fedora booth sometime during the weekend with your canned goods, which we’ll be collecting this weekend for the Loaves and Fishes food pantry in Charlotte, NC. Their priority list includes canned meats, canned pasta (such as spaghetti’os, ravioli, etc.), cereal, canned fruit, and 100% fruit juice. Nothing in glass, please!

Plus, you’ll get a little surprise in return. I won’t give it away, but as you might have guessed it’s something that is definitely beefy. :) Hope to see you there!

There are quite a few other goodies on the schedule, so please feel free to peruse. It should be a great weekend!



Posted in Ambassadors, Community, Conferences, Fedora, GoOSe, Presentations, Tech

Fedora: Go Vote!

VOTE NOW! Voting period closes promptly at 23:59:59 UTC on June 7th. There are three different elections, FESCO, FAMSCO and the Fedora Board. Do EEET!!

I voted, you should too!

Posted in Ambassadors, Community, Fedora, Geek, Tech

IRC: Private messages considered harmful – or Be considerate to others on IRC

I use IRC a LOT. IRC Clients allow users to send what are called “private messages” (or PMs). Today, I sent a private message to my friend Kevin Fenzi. I received the following reply:

‘(Autoreply) Please consider if what you are sending me needs to be in a Private message. See: http://tinyurl.com/64vdbql‘ (sic)

So I clicked…. and what I read pretty much fit my thought process. I think it’s pretty great, so I thought I would share with all of you.

There are a few cases where PM’s could possibly be acceptable:

  • You have something that NEEDS to be private (account info, phone number, etc). You should ask yourself however if an unencrypted IRC session is the right place to send that info. Perhaps a phone call, a scp to a secure server, or a gpg encrypted email would be better?
  • It’s something you need to impart to JUST that one person. A friendly jibe or conversation with someone you know well perhaps, or a quick note from someone that they are running late or are going to do something for you.

That said, there are a number of cases where they are NOT a good idea (especially in support channels):

  • The person you are PMing might be busy, so you get no answer, but many others in a common channel may know the answer to your question.
  • The person you are PMing might give you an incorrect or incomplete answer, which other people in a common channel could correct or expand on.
  • Other people in a common channel cannot learn from your question or any answers you get. Perhaps they too were interested in doing that? Perhaps they have a related question that comes from that one? It’s good for everyone to ask questions in a common channel.
  • It doesn’t scale. You can’t always ask a person your questions directly. Sometimes people are on vacation or busy and you will not get answers. If 100 people try and ask one person privately each question most IRC clients would go crazy with tabs and trying to keep track of those separate conversations.
  • Some people provide support for things for a living. If you are directly PMing them shouldn’t you pay for private support?
  • IRC is somewhat transitory. Unless someone has set up a bouncer (znc, bip, dircproxy) and set it to record private messages, they can easily be lost (just reboot without checking all of them and many clients won’t show them on restart of the app). So, if you PM someone the message may well not get through anyhow.

Finally there are some modes of interest (on freenode at least):

  • /umode +R – This will prevent people who are unidentified with freenode services from sending you private messages.
  • /umode +g – This will prevent you from receiving private messages from anyone not on a session-defined whitelist. The content of the whitelist can be controlled using the /accept command. When a user not on the whitelist attempts to contact you, you will receive a notice informing you of the fact and you can then use /accept user to speak to them. Users can be removed from the whitelist using /accept -user. Finally, /accept * will print the whitelist.
  • Other clients or IRC bouncers may have ways to log/ignore/etc private messages. See your client’s docs.

In some channels/areas it’s polite to ask before PMing: ‘Hey, foo, mind if I PM you my phone number?’ or ‘Hey foo, can I PM’.

So, next time you are in a community channel and want to PM someone, do consider the above before doing so, odds are it would be much better to just ask in the main community channel than PM some particular person.



Posted in Community, Fedora, Geek, IRC, Tech