
I'm likely giving up on trying to read Fedora package update information


Perhaps unlike most people, I apply updates to my Fedora machines through the command line, first with yum and now with dnf. As part of that, I have for a long time made a habit of trying to read the information that Fedora theoretically publishes about every package update with 'dnf updateinfo info', just in case there was a surprise lurking in there for some particular package (this has sometimes exposed issues, such as when I discovered that Fedora maintains separate package databases for each user). Sadly, I'm sort of in the process of giving up on doing that.

The overall cause is that it's clear that Fedora does not really care about this update information being accurate, usable, and accessible. This relative indifference has led to a number of specific issues with both the typical contents of update information and the process of reading it, which together make the whole experience both annoying and not very useful. In practice, running 'dnf updateinfo info' may not tell me about some of the actual updates that are pending, always dumps out information about updates that aren't pending for me (sometimes covering ones that have already been applied, for example for some kernel updates), and part of the time the update information itself isn't very useful and has 'fill this in' notes and so on. The result is verbose but lacking in useful information and frustrating to pick through.

The result is that 'dnf updateinfo info' has been getting less and less readable and less useful for some time. These days I skim it at best, instead of trying to read it thoroughly, and anyway there isn't much that I can do if I see something that makes me wonder. I can get most of the value from just looking at the package list in 'dnf check-update', and if I really care about update information for a specific package I see there I'm probably better off doing 'dnf updateinfo info <package>'. But still, it's hard to let go of this; part of me feels that reading update information is part of being a responsible sysadmin (for my own personal machines).

Some of these issues are long-standing ones. It's pretty clear that the updateinfo (sub)command is not a high priority in DNF as far as bug fixes and improvements go, for example. I also suspect that some of the extra packages I see listed in 'dnf updateinfo info' are due to DNF modularity (also), and I'm seeing updateinfo for (potential) updates from modules that either I don't have enabled or that 'dnf update' and friends are silently choosing to not use for whatever reasons. Alternatively, they are base updates that are overridden by DNF modules I have enabled; it's not clear.

(Now that I look at 'dnf module list --enabled', it seems that I have several modules enabled that are relevant to packages that updateinfo always natters about. One update that updateinfo talks about is for a different stream (libgit2 0.28, while I have the libgit2 0.27 module enabled), but others appear to be for versions that I should be updating to if things were working properly. Unfortunately I don't know how to coax DNF to show me what module streams installed packages come from, or what it's ignoring in the main Fedora updates repo because it's preferring a module version instead.)

aranth
11 days ago
Change logs are dying.

"Enjoy your dystopia!"

jwz
@kmlefranc: I had to get a background check for my job, and it turns out the report is a 300+ page pdf of every single tweet I've ever liked with the word "fuck" in it.

I came home to a package containing a printout of all 351 pages of it! Obv the dystopia cares about wasting paper. [...] The background check company is Sterling Talent Solutions, and it looks like they contracted with Fama Technologies for this part of the report. [...]

To those asking - I did not give them my handle or permission, I'm assuming they just found this via my (old) name. [...] The especially creepy part is this didn't turn up anything at all relevant or incriminating! I keep personal info on my non-public accounts. But their shitty algorithm means that my "reputation" and "character" is flagged as questionable and sent to my boss. [...]

Though I also liked the "positive flags" section that picked up the words donate and volunteer - most of which were critiques of capitalism and charity culture.

Previously, previously, previously, previously.

aranth
19 days ago
sarcozona
7 days ago
I thought this was satire when I saw the headlines

Take action to save .org and prosecute those who sold out the internet


As many of you have no doubt heard, control of the .org registry has been sold to private interests. There have been attempts to call them to reason, like Save .ORG, but let’s be realistic: they knew what they’re doing is wrong, the whole time. If they were a commercial entity, our appeals would fall on deaf ears and that would be the end of it. But, they’re not a commercial entity - so our appeals may fall on deaf ears, but that doesn’t have to be the end of it.

The level of corruption on display by the three organizations involved in this scam: ICANN (Internet Corporation for Assigned Names and Numbers), ISOC (The Internet Society), and PIR (Public Interest Registry), is astounding and very illegal. If you are not familiar with the matter, click this to read a summary:

Summary of the corrupt privatization of .org

The governance of names on the internet is kind of complicated. ISOC oversees a lot of activities in internet standards and governance, but their role in this mess is as the parent company of PIR. PIR is responsible for the .org registry, which oversees the governance of .org directly and collects fees for every sale of a .org domain. ICANN is the broader authority which oversees all domain allocation on the internet, and also collects a fee for every domain sold. There's a complex web of documents and procedures which govern these three organizations, and the name system as a whole, and all three of them were involved in this process. Each of these organizations is a non-profit, except for PIR, which in the course of this deal is trying to convert to a B corp.

ICANN can set price limits on the sale of .org domains. In March of 2019, they proposed removing these price caps entirely. During the period for public comment, they received 3,300 comments against, and 6 in favor. On May 13, they removed these price caps anyway.

In November 2019, ISOC announced that they had approved the sale of PIR, the organization responsible for .org, to Ethos Capital, for an unspecified amount. According to the minutes, the decision to approve this sale was unanimously voted on by the board. Additionally, it seems that Goldman Sachs had been involved in the sale to some degree.

Fadi Chehadé became the CEO of ICANN in 2012. In 2016, he leaves his position before it expires to start a consulting company, and he later joins Abry Partners. One of the 3 partners is Erik Brooks. They later acquire Donuts, a private company managing domains. Donuts co-founder Jon Nevett becomes the CEO of PIR in December 2018. On May 7th, Chehadé registers EthosCapital.com, and on May 13th ICANN decided to remove the price caps despite 0.2% support from the public. On May 14th, the following day, Ethos Capital was incorporated, with Brooks as the CEO. In November 2019, ISOC approved the acquisition of PIR by Ethos Capital, a for-profit company.

These are the names of the criminals who sold the internet. If you want to read more, Private Internet Access has a good write-up.

Okay, now let's talk about what you can do about it.

If you are familiar with the .org heist, then like me, you’re probably pissed off. Here’s how you can take action: all of these organizations are 501c3 non-profits. The sale of a non-profit to a for-profit entity like this is illegal without very specific conditions being met. Additionally, this kind of behavior is not the sort the IRS likes to see in a tax-exempt organization. Therefore, we can take the following steps to put a stop to this:

  1. Write to the CA and VA attorney general offices encouraging them to investigate the misbehavior of these three non-profits, which are incorporated in their respective states.
  2. File form 13909 with the IRS, encouraging them to review the organization’s non-profit status.

This kind of behavior is illegal. The sale of a non-profit requires a letter from the Attorneys General in both California (ICANN) and Virginia (ISOC, PIR). Additionally, much of this behavior qualifies as “self-dealing”, or leveraging one’s power within an organization for one’s own benefit, rather than the benefit of the organization. To report this, I’ve prepared a letter to the offices of the CA and VA Attorneys General, which you can read here:

I encourage you to consider writing a letter of your own, but I would not recommend copying and pasting this letter. However, this kind of behavior is also illegal in the eyes of the IRS, and a form is provided for this purpose. Form 13909 is the appropriate means for reporting this behavior. You can download a pre-filled form here, and I do encourage you to submit one yourself:

This only includes complaints for ICANN and ISOC, as PIR is seeking to lose its non-profit status anyway. You can print out the PDF, fill in your details on both pages, and mail it to the address printed on the form; or you can download the ODG, open it up with LibreOffice Draw, and fill in the remaining details digitally, then email it to the address shown on the page.1

Happy Thanksgiving! Funny how this all happened right when the American public would be distracted…

  1. Crash course in LibreOffice Draw: press F2, then click and drag to make a new textbox. Select text and use Ctrl+[ to reduce the font size to something reasonable. The red button on the toolbar along the top will export the result as a PDF. 

aranth
83 days ago

The problems with piping curl to a shell are system management ones


I was recently reading Martin Tournoij's Curl to shell isn't so bad (via), which argues that the commonly suggested approach of using 'curl example.com/install.sh | sh' is not the security hazard that it's often made out to be. Although it may surprise people to hear this, I actually agree with the article's core argument. If you're going to download and use source code (with its autoconfigure script and 'make install' and so on) or even pre-built binaries, you're already extending quite a lot of trust to the software's authors. However, I still don't think you should install things with curl to shell. There are two reasons not to, one a general system management one and one a pragmatic one about what people do in these scripts.

The general system management one is that to manage and maintain your system over time, you need to control what changes are made to it and ensure that everything is handled consistently. You don't want someone's install script making arbitrary and unknown changes to your system, and it gets worse when that install script can change over time. The ideal thing to install is an artifact that you can save locally and that makes limited and inspectable changes to your system (if any). Good install options are, for example, a self-contained tarball that you can extract into a directory hierarchy of your choice (and that doesn't even have to be owned by or extracted by root), or a package for the standard package manager on your system that doesn't contain peculiar custom scripts with undesired side effects. An un-versioned shell script fetched from a remote end that you don't save or inspect and that will make who knows what changes on your system is a terrible idea for being able to manage, maintain, and understand the resulting system state.

The pragmatic reason is that for some reason, the people writing these install shell scripts feel free to have them make all sorts of nominally convenient changes to your system on behalf of their software. These shell scripts could be carefully contained, minimal, and unchanging (for a particular release), doing very little more than what would happen if you installed a good package through your package manager, but very often they aren't and you'll wind up with all sorts of random changes all over your system. This is bad for the obvious reason, and it's also bad because there's no guarantee that your system is set up in the way that the install script expects it to be. Of course generally 'make install' has the same problem, which is why experienced sysadmins also mostly avoid running that as root.

(More generally, you really want to manage the system through only one thing, often the system's package manager. This is the problem with CPAN and other independent package systems (although there are good reasons why people keep creating them). Piping curl to a shell and 'make install' are just magnified versions of it. See also why package systems are important.)
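The "save an artifact locally, then make limited and inspectable changes" install flow the post recommends in place of 'curl ... | sh', written out as an added example (this is not code from the original post or from the article it discusses). The tool name, paths and tarball below are constructed so the script runs offline; in real use the pinned hash would come from the publisher (release notes or a signed checksum file), not from the download itself.

```shell
# Added example, not from the original post: install a saved, hash-pinned
# artifact into a directory you own instead of piping a remote script to sh.
# Tool name and paths are hypothetical; the release tarball is constructed here.
set -eu

# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_artifact TARBALL EXPECTED_SHA256 PREFIX
# Refuses to touch PREFIX unless the saved artifact matches the hash that was
# recorded out of band, writes the list of paths it will create so the change
# set is inspectable, then extracts into a prefix that need not be root-owned.
# Returns 1 on a hash mismatch without creating PREFIX.
install_artifact() {
  tarball=$1
  expected=$2
  prefix=$3
  actual=$(sha256_of "$tarball")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to install $tarball: hash $actual does not match pinned $expected" >&2
    return 1
  fi
  mkdir -p "$prefix"
  tar -tf "$tarball" >"$prefix/.install-manifest"   # what will change, recorded first
  tar -xf "$tarball" -C "$prefix"
  echo "installed $tarball into $prefix (manifest: $prefix/.install-manifest)"
}

# Demo with a constructed release so the script runs offline.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/bin"
  printf '#!/bin/sh\necho hello from tool\n' >"$work/src/bin/tool"
  chmod +x "$work/src/bin/tool"
  tar -cf "$work/tool-1.0.tar" -C "$work/src" bin
  # Stand-in for the publisher's published hash (here taken from the artifact itself).
  pinned=$(sha256_of "$work/tool-1.0.tar")

  install_artifact "$work/tool-1.0.tar" "$pinned" "$work/prefix"
  "$work/prefix/bin/tool"

  # A changed artifact (one appended byte) no longer matches the pin, so
  # nothing is extracted and the second prefix is never created.
  printf 'x' >>"$work/tool-1.0.tar"
  if install_artifact "$work/tool-1.0.tar" "$pinned" "$work/prefix2"; then
    echo "unexpected: changed artifact accepted" >&2
    rm -rf "$work"
    return 1
  fi
  if [ ! -e "$work/prefix2" ]; then
    echo "changed artifact rejected; $work/prefix2 untouched"
  fi
  rm -rf "$work"
}

demo
```

The point of the manifest file is the one the post makes: before anything is extracted you have a saved copy of the artifact, its hash, and the exact list of paths it will create, so the resulting system state stays explainable and reproducible later.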

aranth
103 days ago

Target of Police Raid Had Been in Jail for Five Years, Plaintiff Alleges


In a new lawsuit, a Chicago woman alleges that police conducted an unnecessary no-knock raid on her home in January 2015, throwing flash-bang grenades and then charging in with assault rifles. Police did have a warrant, but it’s not entirely clear how they got one. This is because the department knew, or should have known, that the guy they were after was not inside the home. Or any home. And that is because he was inside a prison, where he had been for more than five years.

The raid did corner three individuals, aged 11, 6, and 4 respectively, and their mom. But it appears none of them were charged, probably due to the fact that three of them are 11, 6, and 4 respectively, and also that none of them have anything at all to do with the target.

According to the complaint, the officers were looking for a man named Derec Bell and/or evidence of illegal drug activity engaged in by the said Derec Bell. And Derec Bell had, in fact, once resided at that address, but not more recently than June 2009, the date at which he began residing at the Hill Correctional Center in Galesburg, Illinois. Bell has resided there ever since, and will almost certainly continue to do so until 2029, when his sentence is up. Because he had been imprisoned 200 miles away for the previous five-and-a-half years, therefore, it is not clear how officers established probable cause to believe that evidence pertaining to him might still be found in his prior abode in January 2015. (The plaintiff had moved in three years after Bell moved out.)

“[D]espite the independent vetting of material [information] … and the methodical process to authenticate addresses, errors can occur and information may not be accurate,” a police spokesperson said, thus blaming the information for its own inaccuracy. Police make “every effort” to verify warrants, he continued. Every effort except for checking to see if the target’s already in jail, apparently, because this one was.

The plaintiff is represented by Al Holfeld, Jr., who has brought several excessive-force lawsuits against Chicago and its police recently. The city settled one such case last year for $2.5 million, the report said.

Some believe that the Chicago police department has unconstitutionally engaged in a pattern of excessive force, and those people include the Justice Department, which reached that conclusion in 2017 after a 13-month investigation. According to one report, between 2004 and 2015 the city spent almost $60 million a year on settling cases alleging police misconduct. And I haven’t read all of this article entitled “Two Decades of Torture by Chicago Police,” but the headline sure doesn’t sound good.

Nobody was physically injured in the Looking for Derec Bell Who Was in Prison incident, but the plaintiff does allege that the grenades terrified her and her children, and that the children also did not enjoy having assault rifles pointed at them by screaming officers. Also, she claims the city has not paid for the damage to the home, nor have officers returned some jewelry and other property they confiscated during the visit.

For more on this topic (generally speaking), you may want to consider taking “A Fun Quiz on Military-Style Police Tactics” (Oct. 14, 2014); read about the incident in Idaho where “Cops Trash Home in 10-Hour Standoff With Dog” (Aug. 29, 2016); or try this one where New Jersey police were held at bay for 90 minutes by a cardboard cutout (Dec. 8, 2008).

aranth
104 days ago

FBI misused surveillance data, spied on its own, FISA ruling finds

FBI agents ran queries across thousands of US individuals, including potential sources and anyone with access to FBI facilities, against raw metadata from FISA-authorized bulk collection databases. (credit: Bloomberg via Getty Images)

In an October 2018 ruling unsealed and posted on October 8, 2019 by the Office of the Director of Intelligence, the United States Foreign Intelligence Surveillance Court (FISC) found that the employees of the Federal Bureau of Investigation had inappropriately used data collected under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The FBI was found to have misused surveillance data to look into American residents, including other FBI employees and their family members, making large-scale queries that did not distinguish between US persons and foreign intelligence targets.

The revelation drew immediate outcry from privacy advocates and renewed calls for the termination of FISA and USA FREEDOM Act that authorized bulk intelligence collection. President Donald Trump signed a bill extending Section 702 collection authorizations for six years in 2018; the Office of the Director of National Intelligence announced earlier this year that the administration would seek the extension of authority for collection of call data granted under the USA FREEDOM Act.

In a statement emailed to Ars Technica, ACLU Senior Legislative Counsel Neema Singh Guliani, said:

The government should not be able to spy on our calls and emails without a warrant. Any surveillance legislation considered by Congress this year must include reforms that address the disturbing abuses detailed in these opinions. Congress and the courts now have even more reason to prohibit warrantless searches of our information, and to permanently close the door on any collection of information that is not to or from a surveillance target.

Let me Intel-Google that

The Foreign Intelligence Surveillance Court ruling found that the FBI's "querying procedures" for intelligence data did not properly record when the database of intelligence data was searched for information about US persons. "The querying procedures did not require FBI personnel to document the basis for finding that each United States-person query term satisfied the relevant standard—i.e., that queries be reasonably designed to return foreign-intelligence information or evidence of crime," the FISC opinion stated. "Without such documentation and in view of reported instances of non-compliance with that standard, the procedures seemed unreasonable under FISA's definition of 'minimization procedures' and possibly the Fourth Amendment."

Among those instances of "non-compliance" were:

  • Between March 24 and 27, 2017, the FBI ran queries against intelligence data "using identifiers for over 70,000 communications facilities 'associated with' persons with access to FBI facilities and systems," the court noted, "notwithstanding advice from the FBI Office of General Counsel (OGC) that they should not be conducted without the approval of the OGC and the National Security Division of the Department of Justice."
  • On December 1, 2017, a redacted FBI division "conducted over 6,800 queries using the Social Security Numbers of individuals" against raw, unredacted FISA data. A week later, the same unit conducted 1,600 queries using another set of identifiers for US persons. The person who conducted the queries "advised he did not intend to run them against raw FISA information, but nonetheless reviewed raw FISA information returned by them."
  • In February of 2018, the FBI searched raw FISA data for information, with about 30 queries regarding "potential [redacted] sources," and conducted about 45 other queries on people "under consideration as potential sources of information."
  • In an undated event, reported to the Department of Justice's National Security Division in April of 2018, the FBI ran queries against raw FISA metadata using identifiers for "approximately 57,000 individuals" where it was not clear that the information would return foreign intelligence information.
  • Queries against individual US persons were run against the FISA data on a number of occasions, including people about to be served a FISA order—and "a small number of cases in which FBI personnel apparently conducted queries for improper personal reasons—for example, a contract linguist who ran queries on himself, other FBI employees, and relatives."

The court found a huge lack of oversight over the FBI's querying of FISA metadata and ordered the FBI to revise its search procedures. The FISC ruling said that the FISA statutory and Fourth Amendment concerns regarding warrantless searches would be cleared if all queries required written documentation of the basis for a belief by the FBI that searching against a US person's metadata would be "reasonably likely to return foreign-intelligence information or evidence of crime" before anyone at the FBI was allowed access to the contents of FISA data that would be returned by such a search.


aranth
134 days ago
"But definitely trust us with a backdoor into all encryption, tho. We totally promise we won't abuse that one."