Re: Change of cronie and crontabs CIS compliance

2023-12-06 Thread Nikos Mavrogiannopoulos
On Wed, Dec 6, 2023 at 1:19 PM Daniel P. Berrangé wrote: > > On Wed, Dec 06, 2023 at 11:16:44AM +0100, Ondrej Pohorelsky wrote: > > Hi everyone, > > > > For F40 I would like to change file permissions of few files that are > > provided by cronie and crontabs and swap deny list for allow list. I'm

Re: F40 Change: Privacy-preserving Telemetry for Fedora Workstation (System-Wide)

2023-07-07 Thread Nikos Mavrogiannopoulos
Assuming the goal is to improve fedora, that would be pointless as telemetry rarely produces useful results as opt-in. It makes sense to have it opt-out, but I'd expect the telemetry output and inputs to be open and available for fedora developers. Regards, Nikos On Thu, Jul 6, 2023 at 8:19 PM

default network attack surface, networkmanager stands out

2022-07-26 Thread Nikos Mavrogiannopoulos
Hi, I've been looking at Fedora's default --after installation-- attack surface in terms of servers running, and I see chrony, and NetworkManager running. NetworkManager runs as root, while chrony runs as a dedicated user. NetworkManager according to lsof listens at the bootpc and dhcpv6-client

Re: systemd-resolved in a container

2020-11-19 Thread Nikos Mavrogiannopoulos
On Wed, Nov 18, 2020 at 2:23 PM Alexander Bokovoy wrote: > > On Wed, 18 Nov 2020, Nikos Mavrogiannopoulos wrote: > >Hi, > > I realized my fedora-based containers have an /etc/resolv.conf which > >claims it is managed by resolved, and nsswitch.conf has "resolve

Re: systemd-resolved in a container

2020-11-18 Thread Nikos Mavrogiannopoulos
On Wed, Nov 18, 2020 at 6:37 PM Paul Wouters wrote: > > On Wed, 18 Nov 2020, Alexander Bokovoy wrote: > > >> Is there a way to use systemd resolved in a container? > > > > I figured this out yesterday -- at least in Rawhide, dbus-daemon is now > > replaced by dbus-broker which is not active by

systemd-resolved in a container

2020-11-18 Thread Nikos Mavrogiannopoulos
Hi, I realized my fedora-based containers have an /etc/resolv.conf which claims it is managed by resolved, and nsswitch.conf has "resolve" in hosts. However, doing something like # systemd-resolve --status results to: sd_bus_open_system: No such file or directory Trying to start dbus claims

Re: Fedora 33: pcscd and xrdp issue

2020-10-13 Thread Nikos Mavrogiannopoulos
On Mon, Oct 12, 2020 at 3:55 PM Nikos Mavrogiannopoulos wrote: > > Second thing to change: just ask, if a usable hw is found. Asking > > permission for an impossible task is the definition of madness > > > > Back to your request to change the policy: > > >

Re: Fedora 33: pcscd and xrdp issue

2020-10-12 Thread Nikos Mavrogiannopoulos
On Fri, Oct 9, 2020 at 4:16 PM Marius Schwarz wrote: > > On 09.10.20 at 13:18, Nikos Mavrogiannopoulos wrote: > > LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu > --color | tee log.txt > > This is the unchanged output: > 00492770 [140407774111296] auth.

Re: Fedora 33: pcscd and xrdp issue

2020-10-09 Thread Nikos Mavrogiannopoulos
/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy On Thu, Oct 8, 2020 at 11:06 AM Marius Schwarz wrote: > > Hi, > > this is a topic since a lot of time and it still hits the user in its > face for no reason. > > Found: while presenting Fedora 33 changes to an audience and >

Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

2020-09-29 Thread Nikos Mavrogiannopoulos
On Tue, Sep 29, 2020 at 3:43 PM Lennart Poettering wrote: > > On Tue, 29.09.20 04:03, John M. Harris Jr (joh...@splentity.com) wrote: > > > > Search domains on VPNs are an indicator that these domains are handled > > > by the VPN, that's why we use them also as routing domains. But this > > >

Re: Fedora 33 - ssh clients - drop of PubkeyAcceptedKeyTypes=ssh-rsa

2020-09-22 Thread Nikos Mavrogiannopoulos
On Tue, Sep 22, 2020 at 8:40 AM Pavel Raiskup wrote: > > I hit that two week ago for bitbucket and other servers. In my case I got it > > connecting to lyx git server. At the time I wrote about it in the > > fedora-test > > mailing list. > > > > My workaround solution was to add to

Re: Can we use emulation of other architectures to run integration tests?

2020-07-30 Thread Nikos Mavrogiannopoulos
On Thu, Jul 30, 2020 at 12:25 PM Aleksandra Fedorova wrote: > > Hi, all, > > I'd like to get some understanding on the current state of emulation > of other architectures. > > In the current CI infra we have infinite(*) access to x86_64 compute > resources, but we haven't yet got our hands on any

orphaned nuttcp

2020-07-02 Thread Nikos Mavrogiannopoulos
Hi, I've orphaned the nuttcp component. It is a long time since I last used it, and I do not plan to update it again. If you like networking tools this may be a package for you! regards, Nikos ___ devel mailing list -- devel@lists.fedoraproject.org To

Re: Is 50+ RPM Subpackages too extreme?

2019-11-27 Thread Nikos Mavrogiannopoulos
On Wed, Nov 27, 2019 at 4:46 AM Sam Varshavchik wrote: > > Chris writes: > > > Hi guys, > > > > > > I just wanted to poll you for some advice. My notification tool I maintain > > supports more than 50+ services now, but the only package isolation I do > > You should really count the number of

[EPEL-devel] Re: libssh2 issues in EPEL8 buildroot

2019-09-03 Thread Nikos Mavrogiannopoulos
On Wed, Aug 14, 2019 at 10:01 PM Orion Poplawski wrote: > My zabbix40 build for epel8 failed: > > https://koji.fedoraproject.org/koji/taskinfo?taskID=37041678 [...] > The other odd thing is that I cannot install libssh2-devel on my RHEL8 vm > because it does not appear to exist: It does not. It

Re: nettle: heads up soname bump

2019-07-22 Thread Nikos Mavrogiannopoulos
On Tue, 2019-07-16 at 06:37 -0400, Nico Kadel-Garcia wrote: > On Tue, Jul 16, 2019 at 5:34 AM Björn 'besser82' Esser > wrote: > > On Tuesday, 16.07.2019, 00:20 +0200, Kevin Kofler wrote: > > > Miro Hrončok wrote: > > > > gnutls now cannot be rebuilt: > > > > > > > > nothing provides

nettle: heads up soname bump

2019-07-15 Thread Nikos Mavrogiannopoulos
Hi, The latest nettle (3.5.1) update will break ABI on rawhide. The API remains the same hence recompilation will be sufficient to address any issues. regards, Nikos

Re: rpmlint warning: crypto-policy-non-compliance-gnutls-1

2019-05-28 Thread Nikos Mavrogiannopoulos
On Mon, May 27, 2019 at 3:00 PM Tomas Mraz wrote: > > Anderson, FYI. Could you please answer the question below? > > On Fri, 2019-05-24 at 17:58 +0100, Richard W.M. Jones wrote: > > > libnbd.x86_64: W: crypto-policy-non-compliance-gnutls-1 > > > /usr/lib64/libnbd.so.0.0.0

Re: Can we maybe reduce the set of packages we install by default a bit?

2019-04-24 Thread Nikos Mavrogiannopoulos
On Wed, Apr 24, 2019 at 12:24 PM Lennart Poettering wrote: > > > But why do that in userspace at all? the "Trust CPU RNG" kernel > > > compile time option shows that these things are trivial to solve if > > > people just want to. Instead of involving rngd at all, why not add a > > > similar

Re: Can we maybe reduce the set of packages we install by default a bit?

2019-04-24 Thread Nikos Mavrogiannopoulos
On Thu, Apr 18, 2019 at 10:23 AM Lennart Poettering wrote: > Sure, you can invoke rngd before systemd, in which case it would have > to be able to run as PID 1 itself pretty much and then hand over > things. > > But why do that in userspace at all? the "Trust CPU RNG" kernel > compile time option

Re: F30 Self-Contained Change proposal: krb5 crypto modernization

2019-01-02 Thread Nikos Mavrogiannopoulos
On Fri, 2018-12-21 at 15:35 -0500, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization > > krb5 will be removing support for DES, 3DES, crc-32, and MD4 > entirely; > they will not be allowed in session keys or long-term keys. > Additionally, RC4 and MD5 will be

new maintainer needed: vpnc-script

2018-11-26 Thread Nikos Mavrogiannopoulos
Hi, I'm the main contact point for vpnc-script (used by vpnc and openconnect VPN), however I no longer spend time in maintaining it. If someone would like to pick it up, please let me know. The main outstanding issue on that package is: https://bugzilla.redhat.com/show_bug.cgi?id=1648108

Re: Unannounced SONAME bump for libssh

2018-08-17 Thread Nikos Mavrogiannopoulos
On Fri, 2018-08-17 at 08:19 -0500, Michael Cronenworth wrote: > The libssh package uses wildcards on SONAME version. The package was > upgraded from > 0.7.5 to 0.8.1 in Fedora 27+ that included a SONAME bump. > > Please remove the wildcard in libssh and begin package rebuilds. > Stable versions

Re: Making Fedora secure - Package exit policy for security

2018-08-02 Thread Nikos Mavrogiannopoulos
On Thu, 2018-08-02 at 10:49 +0100, Daniel P. Berrangé wrote: > > > > > > Thank you Huzaifa for bringing that up. I have a talk on fedora > > > and > > > crypto in flock, and my recommendation will be towards having > > > some > > > process to remove old packages from fedora. CVEs were not the >

Re: Making Fedora secure - Package exit policy for security

2018-08-01 Thread Nikos Mavrogiannopoulos
On Tue, 2018-07-31 at 09:09 +0530, Huzaifa Sidhpurwala wrote: > Hi All, > > I was asked to bring this issue[1] to the developer community before > FESCO makes a decision. > > In several instances[2] there exists packages in Fedora, in which > package-maintainers did not patch security issues,

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-08 Thread Nikos Mavrogiannopoulos
On Wed, 2018-06-06 at 09:45 -0500, mcatanz...@gnome.org wrote: > On Wed, Jun 6, 2018 at 4:39 AM, Nikos Mavrogiannopoulos > wrote: > > I am actually very curious about the results of such a move, and > > know > > whether it is going to have a significant impact today. Debi

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-06 Thread Nikos Mavrogiannopoulos
On Tue, 2018-06-05 at 11:41 -0500, mcatanz...@gnome.org wrote: > On Tue, Jun 5, 2018 at 4:14 AM, Nikos Mavrogiannopoulos > wrote: > > Note that this change, if applied, includes browsers shipped by > > fedora > > (i.e., firefox). That is pretty much all or nothing

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-06 Thread Nikos Mavrogiannopoulos
On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote: > On 06/05/2018 12:25 PM, Tomas Mraz wrote: > > On Tue, 2018-06-05 at 16:11 +, Christian Stadelmann wrote: > > > "Fallback option" always smells like "protocol downgrade attack". > > > This would undermine the idea of a crypto policy.

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-05 Thread Nikos Mavrogiannopoulos
On Mon, 2018-06-04 at 11:46 -0700, Adam Williamson wrote: > On Fri, 2018-06-01 at 13:40 +0200, Jan Kurik wrote: > > = Proposed System Wide Change: Strong crypto settings: phase 2 = > > https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2 > > > How about clients for networking with other

Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-05 Thread Nikos Mavrogiannopoulos
On Fri, 2018-06-01 at 10:25 -0500, mcatanz...@gnome.org wrote: > On Fri, Jun 1, 2018 at 8:06 AM, Daniel P. Berrangé > wrote: > > What is the availability of TLS 1.2 vs 1.1/1.0 on the internet ? > > ie how likely is this to break the ability of users to access > > websites > > they care about ? >

starting services in fedora

2018-04-16 Thread Nikos Mavrogiannopoulos
In [0] it was reported that after installation of pcsc-lite in Fedora, no smart cards were functioning at the system. After rebooting Fedora everything was functioning as expected. The issue is that the pcsc daemon uses a socket-activated unit which is installed by dnf, but not started (and hence

Re: [RFC] Replace glibc's libcrypt with libxcrypt for Fedora 29/30

2018-03-13 Thread Nikos Mavrogiannopoulos
On Wed, 2017-11-08 at 18:08 +0100, Björn 'besser82' Esser wrote: > Hello everyone, > > since there has been some discussion in the last time about removing > libcrypt from glibc in some time [1,2,3,4] and splitting it out into > a > separate project which can evolve quicker, I'd like to hear your

Re: fedora28 and strong crypto settings

2018-02-27 Thread Nikos Mavrogiannopoulos
On Mon, 2018-02-26 at 10:26 -0600, mcatanz...@gnome.org wrote: > On Mon, Feb 26, 2018 at 9:37 AM, Nikos Mavrogiannopoulos > <n...@redhat.com> wrote: > > regarding the strong crypto change in Fedora28 [0], we have > > identified > > few (usually internal) sites whic

fedora28 and strong crypto settings

2018-02-26 Thread Nikos Mavrogiannopoulos
Hi, regarding the strong crypto change in Fedora28 [0], we have identified few (usually internal) sites which break under firefox or other tools. The main reason for this breakage is that these sites only support Diffie-Hellman with 1024-bit parameters which are considered too weak by this

gnome-keyring registered tokens in Fedora

2017-12-03 Thread Nikos Mavrogiannopoulos
Hi, I've filed [0] against gnome-keyring, due to it registering PKCS#11 tokens system-wide, which are not generally functional. For example they are quite limited in the algorithms they support, they pose quite some obstacles when trying to use them as a generic software smart card (e.g., like

Re: git package history lost?

2017-11-16 Thread Nikos Mavrogiannopoulos
On Thu, 2017-11-16 at 09:54 +0100, Pierre-Yves Chibon wrote: > On Thu, Nov 16, 2017 at 09:14:53AM +0100, Nikos Mavrogiannopoulos > wrote: > > Hi, > > Has anyone noticed any commits disappearing from packages > > around/after > > August 16? > > >

git package history lost?

2017-11-16 Thread Nikos Mavrogiannopoulos
Hi, Has anyone noticed any commits disappearing from packages around/after August 16? Seeing that build for f27: https://koji.fedoraproject.org/koji/buildinfo?buildID=956210 it contains the message: * Wed Aug 16 2017 Nikos Mavrogiannopoulos <n...@redhat.com> - 20170816- 1.git2618a6c - U

orphaned protobuf-c-compiler

2017-11-15 Thread Nikos Mavrogiannopoulos
Hi, I have orphaned this package.

[EPEL-devel] Re: ansible1.9 package

2017-11-08 Thread Nikos Mavrogiannopoulos
On Sat, 2017-11-04 at 10:33 -0700, Kevin Fenzi wrote: > > > Breaking updates would be pushed only at these times (unless there > > is a > > *really* good reason). This could involve also writing some release > > notes > > (e.g. the packager could tick a box "breaking update" and submit a > > note

Re: story of kerberos

2017-09-11 Thread Nikos Mavrogiannopoulos
On Fri, 2017-09-08 at 10:39 -0400, Randy Barlow wrote: > On 09/08/2017 02:40 AM, Nikos Mavrogiannopoulos wrote: > > > The current implementation of the Bodhi CLI subclasses > > > fedora.client.OpenIdBaseClient, which does not support kerberos: > > > > > >

Re: story of kerberos

2017-09-08 Thread Nikos Mavrogiannopoulos
On Thu, 2017-09-07 at 15:25 -0400, Randy Barlow wrote: > On 09/07/2017 09:14 AM, Nikos Mavrogiannopoulos wrote: > > It works with the browser indeed. Would it work with command line > > tools > > like bodhi as well? > > The current implementation

Re: story of kerberos

2017-09-07 Thread Nikos Mavrogiannopoulos
On Wed, 2017-09-06 at 09:51 -0700, Kevin Fenzi wrote: > On 09/06/2017 05:25 AM, Nikos Mavrogiannopoulos wrote: > > Hi, > > What's the story between the recently introduced support of > > kerberos > > in koji? My understanding was that eventually all services of

story of kerberos

2017-09-06 Thread Nikos Mavrogiannopoulos
Hi, What's the story between the recently introduced support of kerberos in koji? My understanding was that eventually all services of fedora would switch to kerberos authentication, though information on the following bugs for bodhi seems to contradict that:

what's the story with kerberos

2017-09-06 Thread Nikos Mavrogiannopoulos
-- Nikos Mavrogiannopoulos, PhD, Crypto Tech. Lead, Security Technologies, Red Hat, Inc.

Re: F28 System Wide Change: Switch libidn-using applications to IDNA2008

2017-08-28 Thread Nikos Mavrogiannopoulos
On Fri, 2017-08-25 at 08:56 -0500, Michael Catanzaro wrote: > On Fri, Aug 25, 2017 at 1:24 AM, Jan Kurik wrote: > > The proposed change is about deprecating libidn, which supports > > IDNA2003, and switch all applications using libidn, to libidn2 > > 2.0.0, > > which supports

Re: F28 System Wide Change: Switch libidn-using applications to IDNA2008

2017-08-28 Thread Nikos Mavrogiannopoulos
On Fri, 2017-08-25 at 14:38 +0200, Kevin Kofler wrote: > Jan Kurik wrote: > > * Other developers: > > Maintainers, should > > - Verify that their software is linked with the libidn library > > - Update the software from upstream if it already has been > > converted to > > libidn2 > > - Check the

Re: F28 System Wide Change: Switch libidn-using applications to IDNA2008

2017-08-25 Thread Nikos Mavrogiannopoulos
On Fri, 2017-08-25 at 08:38 +0200, Tomasz Torcz wrote: > On Fri, Aug 25, 2017 at 08:24:30AM +0200, Jan Kurik wrote: > > = Proposed System Wide Change: Switch libidn-using applications to > > IDNA2008 = > > https://fedoraproject.org/wiki/Changes/IDNA2008 > > >

Re: IDNA2008 change impact on installation size

2017-05-19 Thread Nikos Mavrogiannopoulos
On Fri, 2017-05-12 at 16:05 +, Zbigniew Jędrzejewski-Szmek wrote: > Hi, > > has any consideration been given to the size increase required by the > change from libidn (678k) to libidn2 + libunistring (228k + 1246k)? > That's not *too* bad, since currently none of the things which depend > on

Switch to IDNA2008 (should we keep libidn?)

2017-05-19 Thread Nikos Mavrogiannopoulos
On Tue, 2017-04-04 at 08:44 +0200, Jan Kurik wrote: > = Proposed System Wide Change: Switch libidn-using applications to > IDNA2008 = > https://fedoraproject.org/wiki/Changes/IDNA2008 > > Change owner(s): > * Nikos Mavrogiannopoulos > * Robert Scheck > > T

Re: IDNA2008 change impact on installation size

2017-05-19 Thread Nikos Mavrogiannopoulos
On Mon, 2017-05-15 at 09:42 -0400, Matthew Miller wrote: > On Fri, May 12, 2017 at 04:05:50PM +, Zbigniew Jędrzejewski-Szmek > wrote: > > has any consideration been given to the size increase required by > > the > > change from libidn (678k) to libidn2 + libunistring (228k + 1246k)? > > That's

Re: automated packaging

2017-03-24 Thread Nikos Mavrogiannopoulos
On Thu, 2017-03-23 at 09:54 -0700, Adam Williamson wrote: > On Thu, 2017-03-23 at 09:20 +0100, Nikos Mavrogiannopoulos wrote: > > > > > FWIW, I would be *extremely* reluctant to use something that big > > > that's > > > a) written in shell script (ugh) and b

Re: automated packaging

2017-03-24 Thread Nikos Mavrogiannopoulos
On Fri, 2017-03-24 at 08:27 +0100, Dan Horák wrote: > On Fri, 24 Mar 2017 07:10:47 + (UTC) > Petr Pisar wrote: > > > On 2017-03-23, Michael Catanzaro wrote: > > > On Thu, 2017-03-23 at 06:32 -0500, Michael Catanzaro wrote: > > > > That's not true,

Re: automated packaging

2017-03-23 Thread Nikos Mavrogiannopoulos
On Thu, 2017-03-23 at 09:35 +0100, Miroslav Suchý wrote: > On 23.3.2017 at 09:23, Nikos Mavrogiannopoulos wrote: > > What I was > > interested is whether there is plan or intention of improving the > > fedora infrastructure for packagers by making these part of our >

Re: automated packaging

2017-03-23 Thread Nikos Mavrogiannopoulos
On Wed, 2017-03-22 at 11:36 +0100, Miroslav Suchý wrote: > On 22.3.2017 at 11:00, Nikos Mavrogiannopoulos wrote: > > Hi, > > For several packages it is possible to automate build, test and > > package updating on multiple fedora releases (+epel) in a single > > key

Re: automated packaging

2017-03-23 Thread Nikos Mavrogiannopoulos
On Wed, 2017-03-22 at 08:51 -0700, Adam Williamson wrote: > On Wed, 2017-03-22 at 11:00 +0100, Nikos Mavrogiannopoulos wrote: > > Hi, > >  For several packages it is possible to automate build, test and > > package updating on multiple fedora releases (+epel) in a sing

automated packaging

2017-03-22 Thread Nikos Mavrogiannopoulos
Hi, For several packages it is possible to automate build, test and package updating on multiple fedora releases (+epel) in a single keypress using the cockpituous (sic) tools [0]. These tools hide quirks and requirements of the fedora tooling, and allow a very efficient orchestration of package

orphaning: sniproxy

2017-02-20 Thread Nikos Mavrogiannopoulos
Hello, I'm orphaning the sniproxy package because I no longer use it and haproxy seems to be quite superior in features/performance. If you are interested please consider adopting it. https://admin.fedoraproject.org/pkgdb/package/rpms/sniproxy/ regards, Nikos

[EPEL-devel] rethinking the epel testing

2017-01-17 Thread Nikos Mavrogiannopoulos
Hi, As it is now in the EPEL package update process the testing phase takes 14 days (double of Fedora). My impression is that this testing phase is quite long and unhelpful for the following reasons: 1. The majority of people who use EPEL are not Fedora users. They are more likely to report a

f25 buildroot seems to be broken

2017-01-17 Thread Nikos Mavrogiannopoulos
Any fedpkg scratch-builds or builds fail. root.log contains: DEBUG util.py:435:  Last metadata expiration check: 0:00:16 ago on Tue Jan 17 08:06:22 2017. DEBUG util.py:435:  Error: nothing provides publicsuffix-list-dafsa needed by libpsl-0.17.0-1.fc25.x86_64. DEBUG util.py:435:  nothing provides

Re: F26 System Wide Change: Switch OpenLDAP from NSS to OpenSSL

2017-01-05 Thread Nikos Mavrogiannopoulos
On Thu, 2017-01-05 at 16:02 +0100, Tomasz Torcz wrote: > On Thu, Jan 05, 2017 at 03:55:41PM +0100, Jan Kurik wrote: > > = System Wide Change: Switch OpenLDAP from NSS to OpenSSL = > > https://fedoraproject.org/wiki/Changes/OpenLDAPwithOpenSSL > > > > Change owner(s): > > * Matus Honek > > > >

ssh using kerberos (was: Packagers - Flag day 2016 Important changes)

2016-12-19 Thread Nikos Mavrogiannopoulos
On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote: > Greetings.  > > As previously announced, releng has made a number of changes as part > of > it's 2016 "flag day".  > > All package maintainers will want to make sure they have updated to > the  > following package versions (some may be

Re: crypto-policies not very useful, FUTURE too strict?

2016-12-19 Thread Nikos Mavrogiannopoulos
On Mon, 2016-12-19 at 11:07 +0100, Tomasz Torcz wrote: > On Mon, Dec 19, 2016 at 09:35:09AM +0100, Nikos Mavrogiannopoulos > wrote: > > On Sat, 2016-12-17 at 16:19 +0100, Tomasz Torcz wrote: > > > Hi, > > > > > >   Since few release we have nifty,

Re: crypto-policies not very useful, FUTURE too strict?

2016-12-19 Thread Nikos Mavrogiannopoulos
On Mon, 2016-12-19 at 09:35 +0100, Nikos Mavrogiannopoulos wrote: $ update-crypto-policies --set FUTURE Setting system policy to FUTURE $ wget https://github.com Resolving github.com (github.com)... 192.30.253.112,  192.30.253.113    github.com

Re: crypto-policies not very useful, FUTURE too strict?

2016-12-19 Thread Nikos Mavrogiannopoulos
On Sat, 2016-12-17 at 16:19 +0100, Tomasz Torcz wrote: > Hi, > >   Since few release we have nifty, consolidated way to select system- > wide crypto > policy. It's great, but granularity of selection is little lacking. > We have > basically two sensible choices: > - DEFAULT, which is, well,

Re: rawhide: Illegal char '-' (0x2d) in: Release: 3.fc26-pending

2016-12-14 Thread Nikos Mavrogiannopoulos
On Wed, 2016-12-14 at 12:12 +0100, Igor Gnatenko wrote: > On Wed, Dec 14, 2016 at 12:00 PM, Nikos Mavrogiannopoulos > <n...@redhat.com> wrote: > > Any idea on why this happens when attempting to build in rawhide? > > Is > > the buildroot broken? > > You need t

rawhide: Illegal char '-' (0x2d) in: Release: 3.fc26-pending

2016-12-14 Thread Nikos Mavrogiannopoulos
Any idea on why this happens when attempting to build in rawhide? Is the buildroot broken? $ fedpkg build error: line 6: Illegal char '-' (0x2d) in: Release: 3.fc26-pending error: query of specfile /home/.../fedora/gnutls/gnutls.spec failed, can't parse The line in question has: Release:

Re: a diversion into EPEL [was Re: Two more concrete ideas for what a once-yearly+update schedule would look like]

2016-12-09 Thread Nikos Mavrogiannopoulos
On Fri, 2016-12-09 at 11:17 -0500, Matthew Miller wrote: > On Fri, Dec 09, 2016 at 11:07:32AM -0500, Colin Walters wrote: > > > Anyways, in the big picture, while I don't speak for everyone on > > > the Project Atomic side, I personally point users at CentOS > > > first, > > > unless I have some

Re: yubico-piv-tool & p11-kit

2016-12-06 Thread Nikos Mavrogiannopoulos
On Tue, 2016-12-06 at 13:44 +0100, Jakub Jelen wrote: > > > > They don't, in fact, have different URIs. If I add a .module > > > > file for > > > > ykcs11.so, I get the attached output for p11tool --list-tokens. > > > > > > You forgot to attach it :) > > > > Let's try again. :) > > I suspect

Re: yubico-piv-tool & p11-kit

2016-12-05 Thread Nikos Mavrogiannopoulos
On Mon, 2016-12-05 at 10:23 -0500, Nathaniel McCallum wrote: > > Indeed, in the case where one has both ykcs11 and opensc, he would > > have > > to supply --detailed-urls to p11tool to be able to distinguish > > between > > objects. That is, because they will have identical URLs except for > >

[EPEL-devel] specifying a different buildroot

2016-12-05 Thread Nikos Mavrogiannopoulos
Hi, In #1400693 it was reported that a build of a package in epel didn't work on latest centos7. My understanding is that the latest epel buildroot is rhel7.3 while centos is compatible with 7.2. Is there some way to set a specific compilation root for a package? If not could there be some sync

Re: yubico-piv-tool & p11-kit

2016-12-05 Thread Nikos Mavrogiannopoulos
On Mon, 2016-12-05 at 08:41 +0100, Jakub Jelen wrote: > On 12/03/2016 01:50 PM, Nathaniel McCallum wrote: > > So apparently yubico-piv-tool ships $libdir/libykpkcs11.so*, but > > this > > doesn't get picked up by p11-kit by default. I suspect it has gone > > unnoticed largely because for most

Re: F26 Self Contained Change: Java/OpenJDK enforces the system-wide crypto policy

2016-11-22 Thread Nikos Mavrogiannopoulos
On Mon, 2016-11-21 at 12:07 -0600, Michael Catanzaro wrote: > On Mon, 2016-11-21 at 18:13 +0100, Jan Kurik wrote: > > > > As it is now, the System-wide crypto policy in F25 is enforced by > > the > > OpenSSL, GnuTLS and NSS TLS libraries. To harmonize crypto across > > all > > applications in

compat-openssl10-engine_pkcs11

2016-10-31 Thread Nikos Mavrogiannopoulos
Hi,  In F26 with the openssl 1.1.0 rebase libp11/engine_pkcs11 will be compiled only for openssl 1.1.0. That means that there will be no engine_pkcs11 for the packages linking to openssl 1.0.x. For that I've created the compat-openssl10-libp11 package which is intended to provide just that

Re: OpenSSL 1.1.0 in Rawhide very soon

2016-10-12 Thread Nikos Mavrogiannopoulos
On Tue, 2016-10-11 at 16:46 +, Petr Pisar wrote: > On 2016-10-11, Remi Collet wrote: > > > > It doesn't seem possible to use a compat library (else we will very > > probably going to encounter issues if both library versions are > > used in > > the same process,

Re: [SO-NAME BUMP] jsoncpp 1.7.7 comes to rawhide (and maybe to fc25)

2016-10-03 Thread Nikos Mavrogiannopoulos
On Mon, 2016-10-03 at 06:10 +0200, Björn Esser wrote: > Chain-build is running:  > https://koji.fedoraproject.org/koji/taskinfo?taskID=15917326 However it doesn't seem to work: Error: nothing provides libjsoncpp.so.1()(64bit) needed by cmake-3.6.2- 4.fc26.x86_64 Also fc25 buildroot is broken

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-29 Thread Nikos Mavrogiannopoulos
On Wed, 2016-09-28 at 11:43 -0400, Matthew Miller wrote: > On Wed, Sep 28, 2016 at 03:13:34PM +0100, Tomasz Kłoczko wrote: > > > > Is it any official Fedora policy/call to move away from openssl? > > As far as I know, no. There was this attempt: >

duplicate package on fresh install

2016-09-23 Thread Nikos Mavrogiannopoulos
Hello,  A user posted some issue on gnutls [0], and it turned out that after a fresh install of f24 that user had two versions of the library installed. I have no idea why this can be or whether that should be expected from the installer/updater. Any insights? regards, Nikos [0].

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-16 Thread Nikos Mavrogiannopoulos
On Fri, 2016-09-16 at 16:13 +0200, Dan Horák wrote: > On Fri, 16 Sep 2016 15:06:13 +0100 > David Woodhouse wrote: > > > > > On Fri, 2016-09-16 at 15:39 +0200, Jan Kurik wrote: > > > > > > We will also > > > add compat openssl102 package so the applications and other > > >

[EPEL-devel] conflicting with a devel package

2016-08-24 Thread Nikos Mavrogiannopoulos
Hi, I'm reviewing package [0] for inclusion into epel6 but it provides a devel package which conflicts with another devel package from rhel. In https://fedoraproject.org/wiki/EPEL/GuidelinesAndPolicies it says "EPEL packages must never conflict with packages in RHEL Base", however, I'm not sure

updating the fedora defensive guide

2016-08-01 Thread Nikos Mavrogiannopoulos
Hi, I've realized that the Fedora defensive guide [0] is the only guide we have to introduce the C TLS and crypto libraries we have, as well as provide a defensive style in using them. However, it is quite outdated, and misses information which may be standard requirement in the future (e.g.,

heads up: engine_pkcs11 merged with libp11

2016-08-01 Thread Nikos Mavrogiannopoulos
Hi,  The upstream projects libp11 and engine_pkcs11 have been merged under the libp11 umbrella. As such, I plan to retire engine_pkcs11, and merge it with libp11. The only drawback that I see from that move, is that one would not find the engine_pkcs11 package at the packagedb search

Re: OpenSSL-1.1.0 COPR for Rawhide

2016-07-25 Thread Nikos Mavrogiannopoulos
On Fri, 2016-07-22 at 19:11 +0200, Michael Stahl wrote: > On 22.07.2016 16:53, Simo Sorce wrote: > > > > On Fri, 2016-07-22 at 16:48 +0200, Tomas Mraz wrote: > > > > > > > > > 2. Add compat 1.0.2 package which would be used by 3rd party > > > applications and also temporarily by applications

notion of base or minimal image

2016-07-19 Thread Nikos Mavrogiannopoulos
Hi,  Is there some notion or definition of a Fedora minimal or base image? I couldn't find some documentation on that. I would like to modify some script which a package on the critical path depends on, from bash to perl and I would like to understand whether that could affect any fedora images.

Re: A new way of writing secure code

2016-07-04 Thread Nikos Mavrogiannopoulos
On Mon, 2016-07-04 at 05:40 +, Ralf Senderek wrote: > Dear developers,  > > for all who wish to add reliable encryption and authentication > services to their projects with ease, I'd like to draw your > attention to cryptlib, which is available in F23, F24, rawhide > and EPEL 7 stable

Re: Why GUI software update tool is broken for me

2016-06-16 Thread Nikos Mavrogiannopoulos
On Wed, 2016-06-15 at 12:41 -0400, Russell Doty wrote: > > Running tracer for a while can really open your eyes to how many > > things > > need restarting after normal updates flow.  > > > > One thing that might make this less annoying to people would be > > ability > > to schedule the reboot

Re: Why GUI software update tool is broken for me

2016-06-15 Thread Nikos Mavrogiannopoulos
On Wed, 2016-06-15 at 10:14 +0200, Ade wrote: > Hi all > > I dont really want this to be a negative post, just want to share > something in order to start a healthy discussion > > Background > Im a Fedora desktop user, have been for many years, going all the way > back to Fedora Core 1 - I use

Re: F25 Self Contained Change: NSS enforces the system-wide crypto policy

2016-05-23 Thread Nikos Mavrogiannopoulos
> > = Proposed Self Contained Change: NSS enforces the system-wide > > crypto policy = > > https://fedoraproject.org/wiki/Changes/NSSCryptoPolicies > > > > Change owner(s): > > * Nikos Mavrogiannopoulos > > > > As it is now, the System-wide crypto p

Re: F25 Self Contained Change: NSS enforces the system-wide crypto policy

2016-05-23 Thread Nikos Mavrogiannopoulos
On Fri, 2016-05-20 at 10:01 -0500, Michael Catanzaro wrote: > On Fri, 2016-05-20 at 11:48 +0200, Jan Kurik wrote: > > > > As it is now, the System-wide crypto policy in F24 is only enforced > > by > > the OpenSSL and GnuTLS TLS libraries. > Keep in mind that the system policy is still overridden

rawhide build failed

2016-05-20 Thread Nikos Mavrogiannopoulos
I attempted a build at rawhide [0] but it fails with: Error: package gettext-devel-0.19.7-4.fc24.x86_64 requires git, but none of the providers can be installed (try to add '--allowerasing' to command line to replace conflicting packages) Is that an issue at gettext-devel or rawhide building is

orphaning freeradius-client

2016-04-29 Thread Nikos Mavrogiannopoulos
Hi,  I'm orphaning freeradius-client in rawhide and epel. This is a radius client library. I orphan it because it is not fun working with upstream and I switched to radcli for my projects. regards, Nikos

Re: Support for PCLMUL, AVX, FMA, etc.

2016-04-05 Thread Nikos Mavrogiannopoulos
On Fri, 2016-04-01 at 14:32 -0600, Jerry James wrote: > I am one of the maintainers of the ntl package, which is used by some > numeric applications (e.g., Macaulay2 and sagemath).  Upstream > supports use of the PCLMUL instruction, the AVX instructions, and the > FMA instructions to speed up

Re: Testing chrony seccomp support

2016-01-22 Thread Nikos Mavrogiannopoulos
On Mon, 2016-01-18 at 12:51 +0100, Florian Weimer wrote: > On 01/18/2016 11:02 AM, Nikos Mavrogiannopoulos wrote: > > > As Florian suggested it makes more sense to compartmentalize chrony > > so > > that only a small controlled part of it needs to run with seccomp.

Re: Testing chrony seccomp support

2016-01-22 Thread Nikos Mavrogiannopoulos
On Wed, 2016-01-20 at 14:09 +0100, Florian Weimer wrote: > On 01/20/2016 01:12 PM, Nikos Mavrogiannopoulos wrote: > > > If you have complex structures to be transferred you may want to > > rely on > > something automated to serialize/deserialize requests. That wi

Re: Testing chrony seccomp support

2016-01-20 Thread Nikos Mavrogiannopoulos
On Mon, 2016-01-18 at 14:15 +0100, Miroslav Lichvar wrote: > On Mon, Jan 18, 2016 at 11:02:44AM +0100, Nikos Mavrogiannopoulos > wrote: > > As Florian suggested it makes more sense to compartmentalize chrony > > so > > that only a small controlled part of it needs to

seccomp support [was: Testing chrony seccomp support]

2016-01-19 Thread Nikos Mavrogiannopoulos
On Mon, 2016-01-18 at 09:51 -0600, Michael Catanzaro wrote: > > I appreciate what you are trying to do, but those seccomp filters > > totally break encapsulation.  I have no idea how to support this > > properly, in a sustainable way.  It appears very difficult to do > > this > > for

Re: Testing chrony seccomp support

2016-01-18 Thread Nikos Mavrogiannopoulos
On Mon, 2016-01-18 at 12:51 +0100, Florian Weimer wrote: > On 01/18/2016 11:02 AM, Nikos Mavrogiannopoulos wrote: > > > As Florian suggested it makes more sense to compartmentalize chrony > > so > > that only a small controlled part of it needs to run with seccomp.

Re: Testing chrony seccomp support

2016-01-18 Thread Nikos Mavrogiannopoulos
On Mon, 2015-10-05 at 13:58 +0200, Miroslav Lichvar wrote: > In chrony 2.2-pre1 was added support for system call filtering with > the kernel seccomp facility. In chrony it's mainly useful to reduce > the damage from attackers who can execute arbitrary code, e.g. > prevent > gaining the root

wml

2016-01-05 Thread Nikos Mavrogiannopoulos
Hi,  Are there users of website meta-language using fedora? I use it for some projects and thought it would be a useful addition. If you are a user of it please do the review for it at: https://bugzilla.redhat.com/show_bug.cgi?id=1295710 regards, Nikos

Re: orphaning radiusclient-ng

2015-12-18 Thread Nikos Mavrogiannopoulos
replacing it (the latter is drop in replacement). On Thu, 2015-10-08 at 10:46 +0200, Nikos Mavrogiannopoulos wrote: > Hello, >  I'll orphan radiusclient-ng with the purpose of dropping it from the > next releases of Fedora. This is an old unmaintained library replaced > by any of t

fedora notifications

2015-12-08 Thread Nikos Mavrogiannopoulos
Hi,  I'm quite lost with the fedora notifications [0] for email. Do you know which is the option to send me an email once a package is ready to be pushed to stable? (i.e., when the waiting period has passed or the feedback reached the threshold). regards, Nikos [0]. 
