Postings by Nikos Mavrogiannopoulos

starting services in fedora

In [0] it was reported that after installation of pcsc-lite in Fedora,
no smart cards were functioning on the system.

fedora28 and strong crypto settings

Regarding the strong crypto change in Fedora28 [0], we have identified
a few (usually internal) sites which break under firefox or other tools.
The main reason for this breakage is that these sites only support
Diffie-Hellman with 1024-bit parameters which are considered too weak
by this change.

I believe however that we should gather as much data as we can related
to this security update in Fedora28, and decide after F28 beta is
released on whether to back this change off, or to ignore this
breakage. Any data gathered is very useful in planning a future

gnome-keyring registered tokens in Fedora

I've filed [0] against gnome-keyring, due to it registering PKCS#11
tokens system-wide, which are not generally functional. For example
they are quite limited in the algorithms they support, they pose quite
some obstacles when trying to use them as a generic software smart card
(e.g., like softhsm), and so on.

git package history lost?

Has anyone noticed any commits disappearing from packages around/after
August 16?

Seeing that build for f27:

it contains the message:
* Wed Aug 16 2017 Nikos Mavrogiannopoulos < ... at redhat dot com> - 20170816-
- Updated to latest upstream - Restarts openssh server on policy

However, going to the repo for f27 at:

That message is no longer there.

The commit history also has no mention of that date.
https://src.fedoraprojec

orphaned protobuf-c-compiler

I have orphaned this package.

story of kerberos

What's the story between the recently introduced support of kerberos
in koji?

automated packaging

For several packages it is possible to automate build, test and
package updating on multiple fedora releases (+epel) in a single
keypress using the cockpituous (sic) tools [0]. These tools hide quirks
and requirements of the fedora tooling, and allow a very efficient
orchestration of package releases (see [1] for a script which releases
gnutls for example).

I'm transforming more of the packages I maintain to that form, however,
there is much more value if that is done once for all the Fedora

orphaning: sniproxy

I'm orphaning the sniproxy package because I no longer use it and
haproxy seems to be quite superior in features/performance. If you are
interested please consider adopting it.



f25 buildroot seems to be broken

Any fedpkg scratch-builds or builds fail.

rawhide: Illegal char '-' (0x2d) in: Release: 3.fc26-pending

Any idea on why this happens when attempting to build in rawhide? Is
the buildroot broken?

$ fedpkg build
error: line 6: Illegal char '-' (0x2d) in: Release: 3.fc26-pending
error: query of specfile /home/.../fedora/gnutls/gnutls.spec failed,
can't parse

The line in question has:
Release: 3%{?dist}

Builds in other branches work fine.



 In F26 with the openssl 1.1.0 rebase libp11/engine_pkcs11 will be
compiled only for openssl 1.1.0. That means that there will be no
engine_pkcs11 for the packages linking to openssl 1.0.x. For that I've
created the compat-openssl10-libp11 package which is intended to
provide just that (engine_pkcs11). It will not provide libp11-devel for
these packages, and the shipped libp11 will have different versioned
symbols and soname.

Any objections or issues found with this approach?

duplicate package on fresh install

 A user posted some issue on gnutls [0], and it turned out that after a
fresh install of f24 that user had two versions of the library
installed. I have no idea why this can be or whether that should be
expected from the installer/updater. Any insights?



updating the fedora defensive guide

 I've realized that the Fedora defensive guide [0] is the only guide we
have to introduce the C TLS and crypto libraries we have, as well as
provide a defensive style in using them. However, it is quite
outdated, and misses information which may be a standard requirement in the
future (e.g., support for HSMs).

heads up: engine_pkcs11 merged with libp11

 The upstream projects libp11 and engine_pkcs11 have been merged under
the libp11 umbrella. As such, I plan to retire engine_pkcs11, and merge
it with libp11. The only drawback that I see from that move, is that
one would not find the engine_pkcs11 package at the packagedb search


notion of base or minimal image

 Is there some notion or definition of a Fedora minimal or base image?
I couldn't find some documentation on that. I would like to modify some
script which a package on the critical path depends on, from bash to
perl and I would like to understand whether that could affect any
fedora images.


rawhide build failed

I attempted a build at rawhide [0] but it fails with:
Error: package gettext-devel-0.19.7-4.fc24.x86_64 requires git, but
none of the providers can be installed
(try to add '--allowerasing' to command line to replace conflicting

Is that an issue at gettext-devel or rawhide building is not broken at
the moment?



orphaning freeradius-client

 I'm orphaning freeradius-client in rawhide and epel. This is a radius
client library. I orphan it because it is not fun working with upstream
and I switched to radcli for my projects.



 Are there users of website meta-language using fedora? I use it for
some projects and thought it would be a useful addition. If you are a
user of it please do the review for it at:


fedora notifications

 I'm quite lost with the fedora notifications [0] for email. Do you
know which is the option to send me an email once a package is ready to
be pushed to stable? (i.e., when the waiting period has passed or the
feedback reached the threshold).



orphaning radiusclient-ng

I'll orphan radiusclient-ng with the purpose of dropping it from the
next releases of Fedora. This is an old unmaintained library replaced
by any of the following packages (the latter has an API compatible


ping6 and other tool6 awkwardness

While working for an updated ipcalc to support ipv6 transparently, I
figured we have more tools which are not IPv6-ready and awkwardly
provide an additional tool with a -6 suffix, supposedly for separate
IPv6 support. That looks like a relic of the past, we still drag. IPv6
support should be transparent in programs (fortunately we don't have
ssh6). Any objection to filing bugs to merge the following tools with
their ipv4 equivalent?

ping6, geoiplookup6, tracepath6, traceroute6


nettle, gnutls: soname version bump in rawhide

Next week I plan to update nettle to 3.1.1 and gnutls to 3.4.0 in
rawhide. That would require a recompilation of the packages that depend
on them. Any objections?


help needed with python for patching rpmlint

I've attempted modifying rpmlint to assist with detecting the packages
that need to be modified for the system wide crypto policies. However,
although the required functionality is there, I have not managed to make
the patch useful to be included upstream and I am not as fluent in
python to make the last step needed. Is there someone familiar with
python that can address upstream's comment [0]? I'd be really obliged.

(the current patch is attached to bugzilla)



Harden_all_packages_with_position-independent_code + guile modules

In rawhide building the gnutls guile bindings fails, and that's related
to the new hardening flags being enabled with [0]. The failure is quite
peculiar since the loading of a dynamic module fails [1] which already
is position independent. Could someone explain what the new flags in
rawhide do (and possibly add this description in [0])? Using the same
hardened flags in F21 has no negative effect in building the module.



ocaml expert for review?

I've tried to package two ocaml-based packages. I have no idea about
the language and tried to follow the guidelines in [0]. If there are any
experts in packaging in that language I'd appreciate a review (in
exchange for another review if needed):



amending the new package process

I've added a few packages last year using the new package process:

I'm not sure which fedora body (FPC or FESCO) is responsible for this
document, that's why that mail is sent here. In all cases, I'm
interested in others' feedback on that issue.

My experience with the new package process is that the review process in
Step 6 doesn't work. For some of my packages it took 3 months for a
reviewer to appear, some others more, some were reviewed faster.

System-wide crypto policy transition tracker

I've created a transition tracker to system-wide crypto policy at:

Currently it contains bugs filed against openssl and gnutls
applications in Fedora. If you use some application which utilizes
SSL/TLS and isn't included in the tracker feel free to request it use
the policy, and include a link to the bug report in the tracker.

The tracker also contains a dependency on NSS respecting the system
crypto policy:



I'm happy to review a package in exchange for freeradius-client
library:


enhancing crypto policies for other languages than C

The currently proposed fedora maintainer instructions for the
system-wide crypto policy are mainly for the C language. Could some
experienced in other languages (e.g., ruby/python) propose some text for
