Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked in at 2022-02-26 17:02:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.1958 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Sat Feb 26 17:02:01 2022 rev:15 rq:957406 version:6.3.1 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2022-02-09 20:39:12.126376267 +0100 +++ /work/SRC/openSUSE:Factory/.keylime.new.1958/keylime.changes 2022-02-26 17:02:31.279540081 +0100 
@@ -1,0 +2,62 @@ +Thu Feb 24 14:49:33 UTC 2022 - apla...@suse.com + +- Drop patches beacuse merged upstream: + * version.diff + * cloud_verifier_tornado-use-fork_processes.patch +- Drop binaries not used anymore: + * keylime_provider_platform_init + * keylime_provider_registrar + * keylime_provider_vtpm_add +- Update to version v6.3.1: + * revocation_notifier: mark webhook threads as daemon and add timeout + * Fix Packit CI test plan Summary + * Enable Packit CI testing on CentOS Stream 8 + * Enable Packit CI testing on Fedora Rawhide + * Remove last trace of TPM 1.2 (hopefully) + * verifier: remove start_tornado() function + * verifier: wait for connections to be closed before stopping ioloop + * revocation_notifier: kill ZeroMQ broker if it blocks more than 5s + * Add more e2e tests to Packit CI + * Enable EPEL repo on CentOS Stream in packit.yaml + * agent, crypto: add localhost, server and contact ip to agent certificate + * Add better default repo path for run_local.sh + * Fix incorrect variable name in test_restful + * Run existing agent tests against the rust-keylime agent + * Fix small wording mistakes caught while reading the code + * agent: move key and certificate logging levels from debug to info + * agent: allow absolute paths for rsa_keyname and mtls_cert + * Add missing backend parameter + * cloud_verifier_tornado: use fork_processes + * ci: automatically push release to PyPI + * setup.{py,cfg}: Move setup configuration to setup.cfg + * Add iproute tool to Dockerfile + * Pylint does not like single-line functions. 
+ * A small beauty fix + * This is a small fix to proactively fix Issue #840 by identifying non-escaped double quotes in the tpm2-tools output + * setup.py: add version number and new Python versions, drop unsed binaries + * setup.py, config: install default configuration into package path + * ci: move old keylime.conf to keylime.conf.orig before running tests + * retry: fix pylint issue + * Adding Infineon Optiga 034 RSA and ECC certificates for Infineon SLB9675 devices. + * Ensure columns "mb_refstate" and "allowlist" are of type LONGTEXT in table "verifiermain" + * tenant: add exponential backoff option to retry timings + * cloud verifier: add exponential backoff option to retry timings + * tpm: add exponential backoff option to retry timings + * test, retry: add unit test for retry algorithm + * common: add algorithm for retry time calculation + * registrar, tpm_main: ensure that correct types are commited to DB. + * Fix typo for config param listen_notifications + * Lint is _really_ unhappy today. 
+ * Linty fixes + * Adding a unit test file for tpm_main + * tpm_main: check if PCRs for the hash algorithm are available + * tpm_main: handle if tpm2_checkquote returns no PCRs for a hash algorithm + * agent: output supported_version as result not as a status + * Add missing subcommands to -c help message + * tests: fix mtls_cert generation in test_restful.py + * revocation_notifier: fix socket path permission check + * Remove unused database_query config param + * Move umask calls only on entry points + * config: move directory utilities to fs_util + +------------------------------------------------------------------- Old: ---- cloud_verifier_tornado-use-fork_processes.patch keylime-v6.3.0.tar.xz version.diff New: ---- keylime-v6.3.1.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.n6NLGZ/_old 2022-02-26 17:02:32.063540205 +0100 +++ /var/tmp/diff_new_pack.n6NLGZ/_new 2022-02-26 17:02:32.067540206 +0100 @@ -25,21 +25,17 @@ %bcond_with cfssl %endif Name: keylime -Version: 6.3.0 +Version: 6.3.1 Release: 0 Summary: Open source TPM software for Bootstrapping and Maintaining Trust License: Apache-2.0 AND MIT URL: https://github.com/keylime/keylime Source0: %{name}-v%{version}.tar.xz Source1: keylime.xml -# PATCH-FIX-OPENSUSE version.diff -Patch1: version.diff # PATCH-FIX-OPENSUSE keylime.conf.diff -Patch2: keylime.conf.diff +Patch1: keylime.conf.diff # PATCH-FIX-OPENSUSE config-libefivars.diff -Patch3: config-libefivars.diff -# PATCH-FIX-UPSTREAM cloud_verifier_tornado-use-fork_processes.patch (gh#keylime/keylime!880) -Patch4: cloud_verifier_tornado-use-fork_processes.patch +Patch2: config-libefivars.diff BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: firewall-macros 
@@ -145,9 +141,6 @@ %python_clone -a %{buildroot}%{_bindir}/%{srcname}_tenant %python_clone -a %{buildroot}%{_bindir}/%{srcname}_ca %python_clone -a %{buildroot}%{_bindir}/%{srcname}_migrations_apply -%python_clone -a %{buildroot}%{_bindir}/%{srcname}_provider_platform_init -%python_clone -a %{buildroot}%{_bindir}/%{srcname}_provider_registrar -%python_clone -a %{buildroot}%{_bindir}/%{srcname}_provider_vtpm_add %python_clone -a %{buildroot}%{_bindir}/%{srcname}_userdata_encrypt %python_clone -a %{buildroot}%{_bindir}/%{srcname}_ima_emulator %python_clone -a %{buildroot}%{_bindir}/%{srcname}_webapp @@ -155,8 +148,6 @@ %python_expand %fdupes %{buildroot}%{$python_sitelib} %if 0%{?suse_version} >= 1550 -# setup.py copy keylime.conf in /etc, but we expect it in /usr/etc -rm %{buildroot}%{_sysconfdir}/%{srcname}.conf install -Dpm 600 %{srcname}.conf %{buildroot}%{_prefix}%{_sysconfdir}/%{srcname}.conf %else install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf @@ -181,9 +172,6 @@ %python_install_alternative %{srcname}_tenant %python_install_alternative %{srcname}_ca %python_install_alternative %{srcname}_migrations_apply -%python_install_alternative %{srcname}_provider_platform_init -%python_install_alternative %{srcname}_provider_registrar -%python_install_alternative %{srcname}_provider_vtpm_add %python_install_alternative %{srcname}_userdata_encrypt %python_install_alternative %{srcname}_ima_emulator %python_install_alternative %{srcname}_webapp 
@@ -195,9 +183,6 @@ %python_uninstall_alternative %{srcname}_tenant %python_uninstall_alternative %{srcname}_ca %python_uninstall_alternative %{srcname}_migrations_apply -%python_uninstall_alternative %{srcname}_provider_platform_init -%python_uninstall_alternative %{srcname}_provider_registrar -%python_uninstall_alternative %{srcname}_provider_vtpm_add %python_uninstall_alternative %{srcname}_userdata_encrypt %python_uninstall_alternative %{srcname}_ima_emulator %python_uninstall_alternative %{srcname}_webapp @@ -250,9 +235,6 @@ %python_alternative %{_bindir}/%{srcname}_tenant %python_alternative %{_bindir}/%{srcname}_ca %python_alternative %{_bindir}/%{srcname}_migrations_apply -%python_alternative %{_bindir}/%{srcname}_provider_platform_init -%python_alternative %{_bindir}/%{srcname}_provider_registrar -%python_alternative %{_bindir}/%{srcname}_provider_vtpm_add %python_alternative %{_bindir}/%{srcname}_userdata_encrypt %python_alternative %{_bindir}/%{srcname}_ima_emulator %python_alternative %{_bindir}/%{srcname}_webapp ++++++ _service ++++++ --- /var/tmp/diff_new_pack.n6NLGZ/_old 2022-02-26 17:02:32.095540210 +0100 +++ /var/tmp/diff_new_pack.n6NLGZ/_new 2022-02-26 17:02:32.099540211 +0100 @@ -1,7 +1,7 @@ <services> <service name="tar_scm" mode="disabled"> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">refs/tags/v6.3.0</param> + <param name="revision">refs/tags/v6.3.1</param> <param name="url">https://github.com/keylime/keylime.git</param> <param name="scm">git</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.n6NLGZ/_old 2022-02-26 17:02:32.115540213 +0100 +++ /var/tmp/diff_new_pack.n6NLGZ/_new 2022-02-26 17:02:32.119540214 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/keylime/keylime.git</param> - <param name="changesrevision">d37c406e69cb6689baa2fb7964bad75209703724</param></service></servicedata> + <param name="changesrevision">2cd35f3d03732407cffbbbfada1f6c8c3a1b59af</param></service></servicedata> (No newline at EOF) ++++++ config-libefivars.diff ++++++ --- /var/tmp/diff_new_pack.n6NLGZ/_old 2022-02-26 17:02:32.127540215 +0100 +++ /var/tmp/diff_new_pack.n6NLGZ/_new 2022-02-26 17:02:32.131540216 +0100 @@ -1,8 +1,8 @@ -Index: keylime-v6.3.0/keylime/config.py +Index: keylime-v6.3.1/keylime/config.py =================================================================== ---- keylime-v6.3.0.orig/keylime/config.py -+++ keylime-v6.3.0/keylime/config.py -@@ -194,7 +194,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/ +--- keylime-v6.3.1.orig/keylime/config.py ++++ keylime-v6.3.1/keylime/config.py +@@ -191,7 +191,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/ MEASUREDBOOT_IMPORTS = get_config().get('cloud_verifier', 'measured_boot_imports', fallback='').split(',') MEASUREDBOOT_POLICYNAME = get_config().get('cloud_verifier', 'measured_boot_policy_name', fallback='accept-all') ++++++ keylime-v6.3.0.tar.xz -> keylime-v6.3.1.tar.xz ++++++ /work/SRC/openSUSE:Factory/keylime/keylime-v6.3.0.tar.xz /work/SRC/openSUSE:Factory/.keylime.new.1958/keylime-v6.3.1.tar.xz differ: char 15, line 1 ++++++ keylime.conf.diff ++++++ --- /var/tmp/diff_new_pack.n6NLGZ/_old 2022-02-26 17:02:32.163540221 +0100 +++ /var/tmp/diff_new_pack.n6NLGZ/_new 2022-02-26 17:02:32.167540222 +0100 @@ -1,7 +1,7 @@ -Index: keylime-v6.3.0/keylime.conf +Index: keylime-v6.3.1/keylime.conf =================================================================== ---- keylime-v6.3.0.orig/keylime.conf -+++ keylime-v6.3.0/keylime.conf +--- keylime-v6.3.1.orig/keylime.conf ++++ keylime-v6.3.1/keylime.conf 
@@ -12,11 +12,13 @@ tls_check_hostnames = False # Valid values are "cfssl" or "openssl". For cfssl to work, you must have the # go binary installed in your path or in /usr/local/. @@ -38,7 +38,7 @@ registrar_port = 8890 # The name of the RSA key that Keylime should use for protecting shares of U/V. -@@ -81,7 +85,8 @@ extract_payload_zip = True +@@ -84,7 +88,8 @@ extract_payload_zip = True # 'dmidecode -s system-uuid'. # If you set this to "hostname", Keylime will use the full qualified domain # name of current host as the agent id. @@ -47,8 +47,8 @@ +agent_uuid = hostname # Whether to listen for revocation notifications from the verifier or not. - listen_notfications = True -@@ -129,7 +134,8 @@ max_retries = 10 + listen_notifications = True +@@ -136,7 +141,8 @@ max_retries = 4 # - hashing: sha512, sha384, sha256 or sha1 # - encryption: ecc or rsa # - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr @@ -58,7 +58,7 @@ tpm_encryption_alg = rsa tpm_signing_alg = rsassa -@@ -147,7 +153,8 @@ ek_handle = generate +@@ -154,7 +160,8 @@ ek_handle = generate cloudverifier_id = default # The IP address and port of verifier server binds to @@ -68,7 +68,7 @@ cloudverifier_port = 8881 # The address and port of registrar server that verifier communicates with -@@ -266,7 +273,8 @@ revocation_notifier = True +@@ -276,7 +283,8 @@ revocation_notifier = True # The binding address and port of the revocation notifier service. # If the 'revocation_notifier' option is set to "true", then the verifier # automatically starts the revocation service. @@ -78,7 +78,7 @@ revocation_notifier_port = 8992 # Enable revocation notifications via webhook. This can be used to notify other -@@ -400,10 +408,12 @@ max_payload_size = 1048576 +@@ -410,10 +418,12 @@ max_payload_size = 1048576 # and SHA-512). # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses # them internally. 
@@ -93,7 +93,7 @@ # Specify the file containing allowlists for processing Linux IMA measurements # this file is used if tenant provides "default" as the allowlist file -@@ -455,7 +465,8 @@ max_retries = 10 +@@ -469,7 +479,8 @@ max_retries = 5 # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. @@ -103,7 +103,7 @@ # Optional script to execute to check the EK and/or EK certificate against a # allowlist or any other additional EK processing you want to do. Runs in -@@ -481,7 +492,8 @@ ek_check_script= +@@ -495,7 +506,8 @@ ek_check_script= # The registrar's IP address and port used to communicate with other services # as well as the bind address for the registrar server.
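Review bot: In the keylime.changes hunk (@@ -1,0 +2,62 @@), the first bullet reads "Drop patches beacuse merged upstream"; "beacuse" should be "because". The rest of the entry is the generated upstream commit list, so this packager-written line is the only one that needs a manual fix.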
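Review bot: In the keylime.spec hunk at @@ -155,8 +148,6 @@, removing `rm %{buildroot}%{_sysconfdir}/%{srcname}.conf` relies on setup.py no longer writing keylime.conf into /etc, which matches the changelog item "setup.py, config: install default configuration into package path". The visible hunks do not show any handling of that package-path copy, while the copy installed here is restricted with `install -Dpm 600`. Please confirm whether the copy under the Python sitelib is shipped, whether it carries the keylime.conf.diff changes, and whether its mode is as tight as the 600 used for the system copy, and record the answer in a spec comment replacing the one that was dropped.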
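Review bot: In the refreshed keylime.conf.diff, the context lines show upstream default changes that the keylime.changes entry does not call out for administrators: `listen_notfications = True` is now `listen_notifications = True`, and `max_retries = 10` is now `max_retries = 4` in one section and `max_retries = 5` in another. These appear in the changelog only as the upstream one-liners ("Fix typo for config param listen_notifications" and the "add exponential backoff option to retry timings" items). A configuration file that was edited locally will still use the old key spelling, so a packager-written bullet naming the renamed key and the new retry defaults would tell users to review their keylime.conf on update.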