DevHeads.net

Postings by Nikos Mavrogiannopoulos

starting services in fedora

In [0] it was reported that after installation of pcsc-lite in Fedora,
no smart cards were functioning at the system.

fedora28 and strong crypto settings

Hi,
regarding the strong crypto change in Fedora28 [0], we have identified
a few (usually internal) sites which break under firefox or other tools.
The main reason for this breakage is that these sites only support
Diffie-Hellman with 1024-bit parameters which are considered too weak
by this change.

I believe however that we should gather as much data as we can related
to this security update in Fedora28, and decide after F28 beta is
released on whether to back this change off, or to ignore this
breakage. Any data gathered is very useful in planning a future
strengthening.

gnome-keyring registered tokens in Fedora

Hi,
I've filed [0] against gnome-keyring, due to it registering PKCS#11
tokens system-wide, which are not generally functional. For example
they are quite limited in the algorithms they support, they pose quite
some obstacles when trying to use them as a generic software smart card
(e.g., like softhsm), and so on.

git package history lost?

Hi,
Has anyone noticed any commits disappearing from packages around/after
August 16?

Seeing that build for f27:
https://koji.fedoraproject.org/koji/buildinfo?buildID=956210

it contains the message:
* Wed Aug 16 2017 Nikos Mavrogiannopoulos < ... at redhat dot com> - 20170816-1.git2618a6c
- Updated to latest upstream - Restarts openssh server on policy
update

However, going to the repo for f27 at:
https://src.fedoraproject.org/rpms/crypto-policies/blob/f27/f/crypto-policies.spec#_102

That message is no longer there.

Commit history also has no mention of that date.
https://src.fedoraprojec

orphaned protobuf-c-compiler

Hi,
I have orphaned this package.

story of kerberos

Hi,
What's the story between the recently introduced support of kerberos
in koji?

automated packaging

Hi,
For several packages it is possible to automate build, test and
package updating on multiple fedora releases (+epel) in a single
keypress using the cockpituous (sic) tools [0]. These tools hide quirks
and requirements of the fedora tooling, and allow a very efficient
orchestration of package releases (see [1] for a script which releases
gnutls  for example).

I'm transforming more of the packages I maintain to that form, however,
there is much more value if that is done once for all the Fedora
maintainers.

orphaning: sniproxy

Hello,
I'm orphaning the sniproxy package because I no longer use it and
haproxy seems to be quite superior in features/performance. If you are
interested please consider adopting it.

https://admin.fedoraproject.org/pkgdb/package/rpms/sniproxy/

regards,
Nikos

f25 buildroot seems to be broken

Any fedpkg scratch-builds or builds fail.

rawhide: Illegal char '-' (0x2d) in: Release: 3.fc26-pending

Any idea on why this happens when attempting to build in rawhide? Is
the buildroot broken?

$ fedpkg build
error: line 6: Illegal char '-' (0x2d) in: Release: 3.fc26-pending
error: query of specfile /home/.../fedora/gnutls/gnutls.spec failed,
can't parse

The line in question has:
Release: 3%{?dist}

Builds in other branches work fine.

regards,
Nikos

compat-openssl10-engine_pkcs11

Hi,
 In F26 with the openssl 1.1.0 rebase libp11/engine_pkcs11 will be
compiled only for openssl 1.1.0. That means that there will be no
engine_pkcs11 for the packages linking to openssl 1.0.x. For that I've
created the compat-openssl10-libp11 package which is intended to
provide just that (engine_pkcs11). It will not provide libp11-devel for
these packages, and the shipped libp11 will have different versioned
symbols and soname.

Any objections or issues found with this approach?

duplicate package on fresh install

Hello,
 A user posted some issue on gnutls [0], and it turned out that after a
fresh install of f24 that user had two versions of the library
installed. I have no idea why this can be or whether that should be
expected from the installer/updater. Any insights?

regards,
Nikos

[0]. https://bugzilla.redhat.com/show_bug.cgi?id=1378781

updating the fedora defensive guide

Hi,
 I've realized that the Fedora defensive guide [0] is the only guide we
have to introduce the C TLS and crypto libraries we have, as well as
provide a defensive style in using them. However, it is quite
outdated, and misses information which may be a standard requirement in the
future (e.g., support for HSMs).

heads up: engine_pkcs11 merged with libp11

Hi,
 The upstream projects libp11 and engine_pkcs11 have been merged under
the libp11 umbrella. As such, I plan to retire engine_pkcs11, and merge
it with libp11. The only drawback that I see from that move, is that
one would not find the engine_pkcs11 package at the packagedb search
https://admin.fedoraproject.org/pkgdb/

regards,
Nikos

notion of base or minimal image

Hi,
 Is there some notion or definition of a Fedora minimal or base image?
I couldn't find some documentation on that. I would like to modify some
script which a package on the critical path depends on, from bash to
perl and I would like to understand whether that could affect any
fedora images.

regards,
Nikos

rawhide build failed

I attempted a build at rawhide [0] but it fails with:
Error: package gettext-devel-0.19.7-4.fc24.x86_64 requires git, but
none of the providers can be installed
(try to add '--allowerasing' to command line to replace conflicting
packages)

Is that an issue at gettext-devel or rawhide building is not broken at
the moment?

regards,
Nikos

[0]. https://kojipkgs.fedoraproject.org//work/tasks/6309/14186309/mock_output.log

orphaning freeradius-client

Hi,
 I'm orphaning freeradius-client in rawhide and epel. This is a radius
client library. I orphan it because it is not fun working with upstream
and I switched to radcli for my projects.

regards,
Nikos

wml

Hi,
 Are there users of website meta-language using fedora? I use it for
some projects and thought it would be a useful addition. If you are a
user of it please do the review for it at:
https://bugzilla.redhat.com/show_bug.cgi?id=1295710

regards,
Nikos

fedora notifications

Hi,
 I'm quite lost with the fedora notifications [0] for email. Do you
know which is the option to send me an email once a package is ready to
be pushed to stable? (i.e., when the waiting period has passed or the
feedback reached the threshold).

regards,
Nikos

[0]. https://apps.fedoraproject.org/notifications

orphaning radiusclient-ng

Hello,
I'll orphan radiusclient-ng with the purpose of dropping it from the
next releases of Fedora. This is an old unmaintained library replaced
by any of the following packages (the latter has an API compatible
subpackage).
* https://admin.fedoraproject.org/pkgdb/package/freeradius-client/
* https://admin.fedoraproject.org/pkgdb/package/radcli

regards,
Nikos

ping6 and other tool6 awkwardness

While working for an updated ipcalc to support ipv6 transparently, I
figured we have more tools which are not IPv6-ready and awkwardly
provide an additional tool with a -6 suffix, supposedly for separate
IPv6 support. That looks like a relic of the past, we still drag. IPv6
support should be transparent in programs (fortunately we don't have
ssh6). Any objection to file bugs to merge the following tools with
their ipv4 equivalent?

ping6, geoiplookup6, tracepath6, traceroute6

[0]. https://github.com/nmav/ipcalc

nettle, gnutls: soname version bump in rawhide

Hello,
Next week I plan to update nettle to 3.1.1 and gnutls to 3.4.0 in
rawhide. That would require a recompilation of the packages that depend
on them. Any objections?

regards,
Nikos

help needed with python for patching rpmlint

Hi,
I've attempted modifying rpmlint to assist with detecting the packages
that need to be modified for the system wide crypto policies. However,
although the required functionality is there, I have not managed to make
the patch useful to be included upstream and I am not as fluent in
python to make the last step needed. Is there someone familiar with
python that can address upstream's comment [0]? I'd be really obliged.

(the current patch is attached to bugzilla)

regards,
Nikos

[0]. https://bugzilla.redhat.com/show_bug.cgi?id=1156313#c14

Harden_all_packages_with_position-independent_code + guile modules

In rawhide building the gnutls guile bindings fails, and that's related
to the new hardening flags being enabled with [0]. The failure is quite
peculiar since the loading of a dynamic module fails [1] which already
is position independent. Could someone explain what do the new flags in
rawhide do (and possibly add this description in [0]). Using the same
hardened flags in F21 has no negative effect in building the module.

regards,
Nikos

[0]. https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
[1]. https://bugzilla.redhat.com/show_bug.cgi?id=1196556

ocaml expert for review?

Hi,
I've tried to package two ocaml-based packages. I have no idea about
the language and tried to follow the guidelines in [0]. If there are any
experts in packaging in that language I'd appreciate a review (in
exchange for another review if needed):
https://bugzilla.redhat.com/show_bug.cgi?id=1200384
https://bugzilla.redhat.com/show_bug.cgi?id=1200389

regards,
Nikos

[0]. https://fedoraproject.org/wiki/Packaging:OCaml?rd=Packaging/OCaml

amending the new package process

Hi,
I've added a few packages last year using the new package process:
https://fedoraproject.org/wiki/New_package_process_for_existing_contributors

I'm not sure which fedora body (FPC or FESCO) is responsible for this
document, that's why that mail is sent here. In all cases, I'm
interested in others' feedback on that issue.

My experience with the new package process is that the review process in
Step 6 doesn't work. For some of my packages it took 3 months for a
reviewer to appear, some others more, some were reviewed faster.

System-wide crypto policy transition tracker

Hello,
I've created a transition tracker to system-wide crypto policy at:
https://bugzilla.redhat.com/show_bug.cgi?id=1179209

Currently it contains bugs filed against openssl and gnutls
applications in Fedora. If you use some application which utilizes
SSL/TLS and isn't included in the tracker feel free to request it use
the policy, and include a link to the bug report in the tracker.

The tracker also contains a dependency on NSS respecting the system
crypto policy: https://bugzilla.redhat.com/show_bug.cgi?id=1157720

regards,
Nikos

review-swap

Hi,
I'm happy to review a package in exchange for freeradius-client
library: https://bugzilla.redhat.com/show_bug.cgi?id=1171129

regards,
Nikos

enhancing crypto policies for other languages than C

Hello,
The currently proposed fedora maintainer instructions for the
system-wide crypto policy are mainly for the C language. Could someone
experienced in other languages (e.g., ruby/python) propose some text for
them?

https://fedoraproject.org/wiki/User:Nmav/CryptoPolicies

regards,
Nikos