[opensuse-project] Pro-active security announcement question
Marcus, I just became aware of a data loss bug for all win8 / opensuse dual booters. The only "fix" is for users to turn off a new win8 feature. As the ntfs-3g maintainer, I will try to incorporate the patch that blocks mounting of ntfs / fat filesystems if the feature is found to be in use, but that is just a stop gap solution to stop users from shooting themselves. Again, the only real solution is for users to disable the feature in win8. Is there a way to announce that now instead of waiting for a ntfs-3g security patch? See below for details of the bug. Thanks Greg ---------- Forwarded message ---------- From: Greg Freemyer <greg.freemyer@gmail.com> Date: Fri, Jan 25, 2013 at 9:40 AM Subject: Data loss bug for win8 dual booters (including opensuse dual booters) To: suse <opensuse@opensuse.org> All, (someone should forward this to the forums if its not already there). Just a heads up that win8 introduced a (on by default) feature that can cause data loss for all dual booters. From what I understand, the only real solution is to disable the feature in win8. http://www.h-online.com/open/features/Linux-and-Windows-8-Fast-Startup-puts-... There is a opensuse bug: Bug 798337 - ntfs and fat filesystem corruption with windows 8 systems - ntfs-3g vfat state saved across shutdowns But the opensuse solution I suspect will just be to fail mount attempts if the new win8 cache file is found. (I'm the volunteer maintainer for the bug, so I have to research exactly what the best fix is. This affects all versions of opensuse including factory. Once I have a potential fix, I will make a call for testers since I don't have a win8 machine to test with). -- Greg Freemyer Intelligent Avatar Corporation Chief Technology Officer http://www.linkedin.com/in/gregfreemyer CNN/TruTV Aired Forensic Imaging Demo - http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retriev... (678) 653-4860 -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, Jan 25, 2013 at 10:03:21AM -0500, Greg Freemyer wrote:
It is not a security issue, even though it is a critical bug. "security issue" would mean that an attacker could cause damage by doing something unintended. This seems intended breakage. But yes, we should put out updates that somehow detect this and refuse to mount the fs if present. Ciao, Marcus
-- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, Jan 25, 2013 at 10:07 AM, Marcus Meissner <meissner@suse.de> wrote:
The question still stands. Is there a pro-active way to announce this to opensuse users other than waiting a for a update that only detects the problem and hopefully advises the user to disable the feature in win8. Greg -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, Jan 25, 2013 at 10:20:21AM -0500, Greg Freemyer wrote:
In a mail to the opensuse-announce list, or a news article on news.opensuse.org or so. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, 2013-01-25 at 16:26 +0100, Marcus Meissner wrote:
Those are low-hanging fruit outlets which would certainly work for those who follow openSUSE in some way. However, I don't think there is a more aggressive way that can reach the many thousands who use openSUSE but do not follow any news outlet. And I doubt there will ever be a way, short of a pop-up window on your system, which I don't think is the route we want to go. Bryen -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, 25 Jan 2013 10:20:21 -0500, Greg Freemyer wrote:
This question came up in the forums a couple of weeks ago - we didn't stick the post, but if an announcement were made on news.o.o, we pick that up from the RSS feed already in our announcements forum. We could also put something on the Facebook page and group (and I think we can pin the posting on the group so it stays at the top) to help raise awareness. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, Jan 25, 2013 at 10:03:21AM -0500, Greg Freemyer wrote:
It is not a security issue, even though it is a critical bug. "security issue" would mean that an attacker could cause damage by doing something unintended. This seems intended breakage. But yes, we should put out updates that somehow detect this and refuse to mount the fs if present. Ciao, Marcus
-- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, Jan 25, 2013 at 10:07 AM, Marcus Meissner <meissner@suse.de> wrote:
The question still stands. Is there a pro-active way to announce this to opensuse users other than waiting a for a update that only detects the problem and hopefully advises the user to disable the feature in win8. Greg -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, Jan 25, 2013 at 10:20:21AM -0500, Greg Freemyer wrote:
In a mail to the opensuse-announce list, or a news article on news.opensuse.org or so. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, 2013-01-25 at 16:26 +0100, Marcus Meissner wrote:
Those are low-hanging fruit outlets which would certainly work for those who follow openSUSE in some way. However, I don't think there is a more aggressive way that can reach the many thousands who use openSUSE but do not follow any news outlet. And I doubt there will ever be a way, short of a pop-up window on your system, which I don't think is the route we want to go. Bryen -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
On Fri, 25 Jan 2013 10:20:21 -0500, Greg Freemyer wrote:
This question came up in the forums a couple of weeks ago - we didn't stick the post, but if an announcement were made on news.o.o, we pick that up from the RSS feed already in our announcements forum. We could also put something on the Facebook page and group (and I think we can pin the posting on the group so it stays at the top) to help raise awareness. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org
participants (4)
-
Bryen M Yunashko -
Greg Freemyer -
Jim Henderson -
Marcus Meissner