Re: Proposal: remove insecure WebKitGTK+ packages for F27
On Jun 10, 2016 8:32 PM, "Scott Talbert" wrote:
>
> On Fri, 10 Jun 2016, Michael Catanzaro wrote:
>
>> Question: What if my application depends on GTK+ 2?
>>
>> Answer: You must first port to GTK+ 3, then port to WebKit2. You may
>> find it more practical to stop using WebKitGTK+.
>
> What is the WebKit2 package in Fedora? Is that webkitgtk4?

Yes.

> Scott

--
devel mailing list
devel@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: Proposal: remove insecure WebKitGTK+ packages for F27
On Fri, 10 Jun 2016, Michael Catanzaro wrote:

> Question: What if my application depends on GTK+ 2?
>
> Answer: You must first port to GTK+ 3, then port to WebKit2. You may
> find it more practical to stop using WebKitGTK+.

What is the WebKit2 package in Fedora? Is that webkitgtk4?

Scott
Re: Proposal: remove insecure WebKitGTK+ packages for F27
On Fri, 2016-06-10 at 08:11 -0500, Michael Catanzaro wrote:
> Answer: QtWebKit has not had security updates since ~2012

The QtWebKit folks asked me to point out that they were merging security fixes until 2014. More information is available at [1]; you can judge the situation for yourself.

[1] http://trac.webkit.org/wiki/QtWebKitSecurity
Re: Proposal: remove insecure WebKitGTK+ packages for F27
On Fri, 2016-06-10 at 15:02 +0100, Richard W.M. Jones wrote:
> What do we actually have to do to move apps that are using the
> Webkit API to the new version? What code changes are needed?
> Is there documentation for this?

There's no transition documentation. Basically, you want to make sure your package builds when switching the pkg-config version in configure.ac to webkit2gtk-4.0.

There is API documentation here:
http://webkitgtk.org/reference/webkit2gtk/stable/

Stable DOM (web process) API:
http://webkitgtk.org/reference/webkitdomgtk/stable/

Deprecated API (what you are porting away from):
http://webkitgtk.org/reference/webkitgtk/stable/index.html

If your app doesn't use the DOM API, the port should be straightforward. Your app will probably work once you manage to compile it. Be sure to check if any signals you connect to have been renamed.

If your app does use the DOM API, you have more work as you need to create a web process extension to access this API. You can use any form of IPC to communicate between the UI process and the web process; D-Bus is a good option. Documentation here:
http://webkitgtk.org/reference/webkit2gtk/stable/WebKitWebExtension.html

Epiphany serves as a good (if complex) example of how to write a web extension:
https://git.gnome.org/browse/epiphany/tree/embed/web-extension

Hope that helps a bit... happy to answer more questions.

Michael
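The porting cases described in the message above (a plain pkg-config switch versus a DOM API port that needs a web process extension, plus the GTK+ 2 case from the proposal), as an added example that is not part of the original thread or of WebKitGTK+. It assumes that `webkit-1.0` and `webkitgtk-3.0` are the pkg-config modules of the deprecated API and that `webkit_dom_*` calls or `webkit_web_view_get_dom_document()` indicate DOM API use; the function names and sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the WebKitGTK+ project.
# Classifies a source tree by the porting work it needs to leave the
# unsupported WebKit1 API.
# Assumptions: webkit-1.0 (GTK+ 2) and webkitgtk-3.0 (GTK+ 3) are the
# pkg-config modules of the deprecated API; webkit_dom_* calls and
# webkit_web_view_get_dom_document() indicate DOM API use.

# Prints one label:
#   no-webkit1             no build file references the deprecated API
#   port                   switch the pkg-config module to webkit2gtk-4.0
#   gtk3-first             GTK+ 2 build: port to GTK+ 3, then to WebKit2
#   <label>+web-extension  DOM API in use: a web process extension is needed
classify_webkit_port() {
    tree=$1
    [ -d "$tree" ] || { echo "not a directory: $tree" >&2; return 2; }

    build_files='--include=configure.ac --include=configure.in
                 --include=CMakeLists.txt --include=meson.build'
    gtk2_mod='(^|[^[:alnum:]_-])webkit-1\.0([^[:alnum:]]|$)'
    gtk3_mod='(^|[^[:alnum:]_-])webkitgtk-3\.0([^[:alnum:]]|$)'

    # $build_files is left unquoted on purpose so it splits into options.
    if grep -rqE $build_files -e "$gtk2_mod" "$tree"; then
        label=gtk3-first
    elif grep -rqE $build_files -e "$gtk3_mod" "$tree"; then
        label=port
    else
        echo no-webkit1
        return 0
    fi

    # DOM API use moves to the web process in WebKit2, so flag it separately.
    if grep -rqE --include='*.c' --include='*.h' --include='*.cc' \
        --include='*.cpp' \
        -e 'webkit_dom_|webkit_web_view_get_dom_document' "$tree"; then
        label="$label+web-extension"
    fi
    echo "$label"
}

# Build four small constructed source trees under "$1" for demonstration.
make_sample_trees() {
    root=$1
    mkdir -p "$root/ported" "$root/simple/src" "$root/dom/src" "$root/gtk2"
    printf '%s\n' 'PKG_CHECK_MODULES([WEBKIT], [webkit2gtk-4.0 >= 2.12])' \
        > "$root/ported/configure.ac"
    printf '%s\n' 'PKG_CHECK_MODULES([WEBKIT], [webkitgtk-3.0 >= 2.0])' \
        > "$root/simple/configure.ac"
    printf '%s\n' 'int main(void) { return 0; }' > "$root/simple/src/main.c"
    printf '%s\n' 'PKG_CHECK_MODULES([WEBKIT], [webkitgtk-3.0])' \
        > "$root/dom/configure.ac"
    printf '%s\n' 'doc = webkit_web_view_get_dom_document(view);' \
        > "$root/dom/src/view.c"
    printf '%s\n' 'PKG_CHECK_MODULES([WEBKIT], [gtk+-2.0 webkit-1.0])' \
        > "$root/gtk2/configure.ac"
}
```

Run `classify_webkit_port /path/to/unpacked/source` on a package's source tree; it needs GNU grep for `--include`.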
Summary/Minutes from today's FESCo Meeting (2016-06-10)
#fedora-meeting: FESCO (2016-06-10)

Meeting started by jsmith at 16:00:40 UTC. Full logs are available at
https://meetbot.fedoraproject.org/fedora-meeting/2016-06-10/fesco.2016-06-10-16.00.log.html

Meeting summary

init process (jsmith, 16:00:40)

Follow-ups (jsmith, 16:03:32)

#1576 Evaluate Workstation graphical upgrade Change status (jsmith, 16:03:43)
  https://fedorahosted.org/fesco/ticket/1576 (jsmith, 16:03:43)

#1573 Docker Layered Image maintainer guidelines, naming guidelines and review (jsmith, 16:07:05)
  https://fedorahosted.org/fesco/ticket/1573 (jsmith, 16:07:05)
  AGREED: #1573 Docker Layered Image maintainer guidelines, naming guidelines and review are approved (+1: 7, +0:0, -1:0) (jsmith, 16:12:31)

New Business (jsmith, 16:12:53)

#1584 Please process systemd presets request, bz :1340061 (jsmith, 16:13:05)
  https://fedorahosted.org/fesco/ticket/1584 (jsmith, 16:13:05)
  AGREED: Closing #1584, as there's nothing for FESCo to do about it at this time (jsmith, 16:15:47)

#1568 F25 Self Contained Changes (jsmith, 16:16:06)
  https://fedorahosted.org/fesco/ticket/1568 (jsmith, 16:16:07)
  AGREED: #1568 Self Contained Changes: All three new requested changes are approved (jsmith, 16:22:06)

Next Week's Chair (jsmith, 16:22:21)

Open Floor (jsmith, 16:22:53)

Meeting ended at 16:29:44 UTC.

Action items
  (none)

People present (lines said)
  jsmith (69)
  maxamillion (21)
  zodbot (15)
  nirik (9)
  kalev-afk (8)
  number80 (8)
  paragan (6)
  dgilmore (5)
  handsome_pirate (1)
  gholms (1)
  sgallagh (0)
  kalev (0)
  jwb (0)

Generated by MeetBot 0.1.4.
Re: F24 4.6.y rebase plans
On 06/08/2016 05:29 AM, Josh Boyer wrote:
> Hi All,
>
> The upstream stable maintainers released kernels 4.5.7 and 4.6.2
> yesterday. I thought I would send a brief word about how the rebase of
> F24 to 4.6.y will happen.
>
> We'll ship 4.5.7 as the final 4.5.y update and have that available as
> the 0-day update for the F24 release on June 14th. That matches the
> upstream lifetime of 4.5.y as well, as 4.5.y is no longer supported
> after 4.5.7.
>
> Shortly thereafter we'll be rebasing F24 to 4.6.y, most likely starting
> with 4.6.3. We may use 4.6.2 if 4.6.3 is delayed for some reason, but it
> would be better to get the additional fixes that 4.6.3 will bring.
>
> For those of you that cannot wait, we do have a COPR with 4.6.y builds
> included. You can find it here:
>
> https://copr.fedorainfracloud.org/coprs/jforbes/kernel-stabilization/
>
> (4.6.1 was skipped for no particular reason.)
>
> F23 will follow a week or two after the F24 rebase. F22 will likely get
> one final 4.4.y kernel update and then go EOL per the Fedora release
> lifecycle.
>
> If you have any questions, please let us know.
>
> josh

A gentle reminder to please continue to give karma for F22 kernels as well. You need to be logged in to have your (hopefully) positive karma count. Thanks to those who have been doing so the past few weeks.

Laura
Fedora 24-20160610.n.0 compose check report
Missing expected images:

Cloud_base raw-xz i386

Failed openQA tests: 1/17 (i386), 1/2 (arm)

ID: 21646 Test: arm Minimal-raw_xz-raw.xz base_services_start_arm
URL: https://openqa.fedoraproject.org/tests/21646
ID: 21719 Test: i386 universal upgrade_desktop_32bit
URL: https://openqa.fedoraproject.org/tests/21719

Passed openQA tests: 79/79 (x86_64), 16/17 (i386), 1/2 (arm)

--
Mail generated by check-compose:
https://git.fedorahosted.org/cgit/fedora-qa.git/tree/check-compose
Fedora Rawhide-20160610.n.0 compose check report
Missing expected images:

Kde live i386
Workstation live i386
Kde live x86_64
Cloud_base raw-xz i386
Atomic raw-xz x86_64
Kde raw-xz armhfp
Minimal raw-xz armhfp
Workstation live x86_64

Failed openQA tests: 14/67 (x86_64), 6/15 (i386)

ID: 21544 Test: x86_64 Workstation-boot-iso install_default
URL: https://openqa.fedoraproject.org/tests/21544
ID: 21545 Test: x86_64 Workstation-boot-iso install_default@uefi
URL: https://openqa.fedoraproject.org/tests/21545
ID: 21546 Test: i386 Workstation-boot-iso install_default
URL: https://openqa.fedoraproject.org/tests/21546
ID: 21547 Test: x86_64 Atomic-boot-iso install_default
URL: https://openqa.fedoraproject.org/tests/21547
ID: 21559 Test: x86_64 Server-dvd-iso server_cockpit_basic
URL: https://openqa.fedoraproject.org/tests/21559
ID: 21560 Test: x86_64 Server-dvd-iso realmd_join_cockpit
URL: https://openqa.fedoraproject.org/tests/21560
ID: 21574 Test: x86_64 universal install_simple_encrypted
URL: https://openqa.fedoraproject.org/tests/21574
ID: 21584 Test: x86_64 universal install_iscsi
URL: https://openqa.fedoraproject.org/tests/21584
ID: 21585 Test: x86_64 universal install_package_set_kde
URL: https://openqa.fedoraproject.org/tests/21585
ID: 21586 Test: x86_64 universal install_simple_encrypted@uefi
URL: https://openqa.fedoraproject.org/tests/21586
ID: 21589 Test: x86_64 universal upgrade_2_server_64bit
URL: https://openqa.fedoraproject.org/tests/21589
ID: 21604 Test: x86_64 universal upgrade_desktop_64bit
URL: https://openqa.fedoraproject.org/tests/21604
ID: 21608 Test: x86_64 universal install_european_language
URL: https://openqa.fedoraproject.org/tests/21608
ID: 21609 Test: x86_64 universal install_cyrillic_language
URL: https://openqa.fedoraproject.org/tests/21609
ID: 21613 Test: i386 universal install_repository_http_graphical
URL: https://openqa.fedoraproject.org/tests/21613
ID: 21615 Test: i386 universal install_simple_encrypted
URL: https://openqa.fedoraproject.org/tests/21615
ID: 21620 Test: i386 universal upgrade_desktop_32bit
URL: https://openqa.fedoraproject.org/tests/21620
ID: 21621 Test: i386 universal upgrade_2_desktop_32bit
URL: https://openqa.fedoraproject.org/tests/21621
ID: 21622 Test: i386 universal install_package_set_kde
URL: https://openqa.fedoraproject.org/tests/21622
ID: 21623 Test: x86_64 universal upgrade_2_desktop_64bit
URL: https://openqa.fedoraproject.org/tests/21623

Passed openQA tests: 53/67 (x86_64), 9/15 (i386)

--
Mail generated by check-compose:
https://git.fedorahosted.org/cgit/fedora-qa.git/tree/check-compose
Fedora 24 compose report: 20160610.n.0 changes
OLD: Fedora-24-20160609.n.0
NEW: Fedora-24-20160610.n.0

= SUMMARY =
Added images: 8
Dropped images: 2
Added packages: 0
Dropped packages: 0
Upgraded packages: 6
Downgraded packages: 0

Size of added packages: 0.00 B
Size of dropped packages: 0.00 B
Size of upgraded packages: 291.37 MiB
Size of downgraded packages: 0.00 B

Size change of upgraded packages: 3.52 MiB
Size change of downgraded packages: 0.00 B

= ADDED IMAGES =
Image: Security live x86_64
Path: Labs/x86_64/iso/Fedora-Security-Live-x86_64-24-20160610.n.0.iso
Image: Design_suite live i386
Path: Labs/i386/iso/Fedora-Design_suite-Live-i386-24-20160610.n.0.iso
Image: Design_suite live x86_64
Path: Labs/x86_64/iso/Fedora-Design_suite-Live-x86_64-24-20160610.n.0.iso
Image: Security live i386
Path: Labs/i386/iso/Fedora-Security-Live-i386-24-20160610.n.0.iso
Image: Robotics live i386
Path: Labs/i386/iso/Fedora-Robotics-Live-i386-24-20160610.n.0.iso
Image: Astronomy_KDE live x86_64
Path: Labs/x86_64/iso/Fedora-Astronomy_KDE-Live-x86_64-24-20160610.n.0.iso
Image: Robotics live x86_64
Path: Labs/x86_64/iso/Fedora-Robotics-Live-x86_64-24-20160610.n.0.iso
Image: Astronomy_KDE live i386
Path: Labs/i386/iso/Fedora-Astronomy_KDE-Live-i386-24-20160610.n.0.iso

= DROPPED IMAGES =
Image: LXDE live i386
Path: Spins/i386/iso/Fedora-LXDE-Live-i386-24-20160609.n.0.iso
Image: LXDE live x86_64
Path: Spins/x86_64/iso/Fedora-LXDE-Live-x86_64-24-20160609.n.0.iso

= ADDED PACKAGES =

= DROPPED PACKAGES =

= UPGRADED PACKAGES =
Package: anaconda-24.13.6-1.fc24
Old package: anaconda-24.13.5-1.fc24
Summary: Graphical system installer
RPMs: anaconda anaconda-core anaconda-dracut anaconda-gui anaconda-tui anaconda-widgets anaconda-widgets-devel
Size: 7380646 bytes
Size change: 7816 bytes
Changelog:
  * Mon Jun 06 2016 Samantha N. Bueno - 24.13.6-1
  - Check for mounted partitions as part of sanity_check (#1330820) (bcl)
  - Ignore missing group packages (#1337731) (bcl)
  - Catch DNF MarkingError during group installation (#1337731) (bcl)
  - Deselect all addons correctly (#1333505) (bcl)

Package: astronomy-bookmarks-1-16.fc24
Old package: astronomy-bookmarks-1-14.fc24
Summary: Fedora astronomy bookmarks
RPMs: astronomy-bookmarks
Size: 10746 bytes
Size change: 164 bytes
Changelog:
  * Mon Jun 06 2016 Martin Stransky - 1-15
  - Removed Provides: system-bookmarks (rhbz#1338010)

  * Tue Jun 07 2016 Martin Stransky - 1-16
  - Returned "Conflicts: fedora-bookmarks" to have clean dependencies

Package: cloud-utils-0.27-16.fc24
Old package: cloud-utils-0.27-15.fc24
Summary: Cloud image management utilities
RPMs: cloud-utils cloud-utils-growpart
Size: 79232 bytes
Size change: 248 bytes
Changelog:
  * Fri Jun 03 2016 Adam Williamson - 0.27-16
  - backport fix for RHBZ #1327337 (growpart fail with newer util-linux-ng)

Package: firefox-47.0-4.fc24
Old package: firefox-46.0.1-4.fc24
Summary: Mozilla Firefox Web browser
RPMs: firefox
Size: 234945962 bytes
Size change: 3715460 bytes
Changelog:
  * Thu May 19 2016 Martin Stransky - 46.0.1-5
  - Added a fix for mozbz#1245783 - gcc6.1 crashes in JIT

  * Fri May 20 2016 Martin Stransky - 46.0.1-6
  - Updated Gtk3.20 patch - fixed tooltips

  * Mon May 23 2016 Martin Stransky - 46.0.1-8
  - Rebuilt for new bookmarks (rhbz#1338010)
  - Fixed build issue in Gtk3.20 patch

  * Thu May 26 2016 Jan Horak - 46.0.1-9
  - Negotiate authentication is made off the main thread (mozbz#890908)

  * Thu Jun 02 2016 Martin Stransky - 47.0-2
  - Updated to 47.0
  - Backout of negotiate authentication patch

  * Fri Jun 03 2016 Martin Stransky - 47.0-3
  - Updated to 47.0 (B2)

  * Mon Jun 06 2016 Martin Stransky - 47.0-4
  - Updated to 47.0 (B3)
  - Should fix rhbz#1338010 (rebuilt against new astronomy-bookmarks)

Package: qt5-qtdeclarative-5.6.0-11.fc24
Old package: qt5-qtdeclarative-5.6.0-10.fc24
Summary: Qt5 - QtDeclarative component
RPMs: qt5-qtdeclarative qt5-qtdeclarative-devel qt5-qtdeclarative-doc qt5-qtdeclarative-examples qt5-qtdeclarative-static
Size: 57501054 bytes
Size change: -31840 bytes
Changelog:
  * Tue May 31 2016 Rex Dieter - 5.6.0-11
  - include crasher workaround (#1259472,kde#346118)

Package: tigervnc-1.6.0-6.fc24
Old package: tigervnc-1.6.0-4.fc24
Summary: A TigerVNC remote display system
RPMs: tigervnc tigervnc-icons tigervnc-license tigervnc-server tigervnc-server-applet tigervnc-server-minimal tigervnc-server-module
Size: 5603998 bytes
Size change: 3948 bytes
Changelog:
  * Wed Jun 01 2016 Jan Grulich - 1.6.0-5
  - Re-enable patch4 again, will need to find a way to make this work on both sides

  * Wed Jun 01 2016 Jan Grulich - 1.6.0-6
  - Try to pickup upstream fix for compatibility with gtk vnc clients

= DOWNGRADED PACKAGES =
Broke
Re: Proposal: remove insecure WebKitGTK+ packages for F27
On Fri, 2016-06-10 at 09:58 -0400, Josh Boyer wrote:
> I am all for anything that removes emacs from our distribution. How
> can I help ensure this happens?

Serious answer: the Emacs dependency on unsupported WebKit was added two months ago and can be avoided by changing a configure flag:

http://pkgs.fedoraproject.org/cgit/rpms/emacs.git/commit/?id=27d3963a4bee39a7a1b6fb6ff064e23030339211

So fortunately it's not too serious of a problem.

There are other apps on that list that can be "ported" with a configure flag change as well. E.g. GIMP only uses WebKit for its help center; we should disable that so that user help opens in the user's default browser instead.

Removing these old WebKit packages would help avoid introducing such issues when maintainers do not realize that webkitgtk3 is unsupported and insecure.

Michael
Re: Proposal: remove insecure WebKitGTK+ packages for F27
What do we actually have to do to move apps that are using the Webkit API to the new version? What code changes are needed? Is there documentation for this?

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
Re: Proposal: remove insecure WebKitGTK+ packages for F27
On Fri, Jun 10, 2016 at 9:11 AM, Michael Catanzaro wrote:
> Hi,
>
> I propose we retire the webkitgtk and webkitgtk3 packages when
> branching rawhide for F26 (expected to occur roughly February 2017),
> and forbid unretiring them. All their dependencies would then be
> removed from Fedora according to the normal process shortly before
> the release of F27 (expected to occur May 2017). If nobody objects,
> we'll carry out this plan shortly after the F26 branch point.

> emacs-1:25.0.94-1.fc24.x86_64

I am all for anything that removes emacs from our distribution. How can I help ensure this happens?

josh
Re: Proposal: remove insecure WebKitGTK+ packages for F27
On Fri, 2016-06-10 at 08:11 -0500, Michael Catanzaro wrote:
> I propose we retire the webkitgtk and webkitgtk3 packages when
> branching rawhide for F26 (expected to occur roughly February 2017),
> and forbid unretiring them. All their dependencies would then be
> removed from Fedora according to the normal process shortly before
> the release of F27 (expected to occur May 2017). If nobody objects,
> we'll carry out this plan shortly after the F26 branch point.

Let me try this one more time, as the dates I have here are wrong/inconsistent.

* Branch F26 from rawhide around January 2017.
* F26 release around May 2017.
* Branch F27 from rawhide around July 2017.
* F27 release around November 2017.

We can use either set of dates. I'm inclined to go with the earlier dates. The benefit of using later dates is it would allow more time for GTK+ 2 apps to port to GTK+ 3, but I don't honestly expect pushing the dates later would make a difference in which applications get ported in time.

Michael
Re: Schedule for Friday's FESCo Meeting (2016-06-10)
On Fri, Jun 10, 2016 at 9:35 AM, Jared K. Smith wrote:
> Following is the list of topics that will be discussed in the FESCo
> meeting Friday at 16:00UTC in #fedora-meeting on irc.freenode.net.

I am on PTO this afternoon and will miss the meeting. I will make comments in the individual tickets where necessary.

josh
[Test-Announce] Fedora 24 Branched 20160610.n.0 nightly compose nominated for testing
Announcing the creation of a new nightly release validation test event for Fedora 24 Branched 20160610.n.0. Please help run some tests for this nightly compose if you have time. For more information on nightly release validation testing, see:
https://fedoraproject.org/wiki/QA:Release_validation_test_plan

Notable package version changes:
anaconda - 20160531.n.0: anaconda-24.13.5-1.fc24.src, 20160610.n.0: anaconda-24.13.6-1.fc24.src

Test coverage information for the current release can be seen at:
https://www.happyassassin.net/testcase_stats/24

You can see all results, find testing instructions and image download locations, and enter results on the Summary page:

https://fedoraproject.org/wiki/Test_Results:Fedora_24_Branched_20160610.n.0_Summary

The individual test result pages are:

https://fedoraproject.org/wiki/Test_Results:Fedora_24_Branched_20160610.n.0_Installation
https://fedoraproject.org/wiki/Test_Results:Fedora_24_Branched_20160610.n.0_Base
https://fedoraproject.org/wiki/Test_Results:Fedora_24_Branched_20160610.n.0_Server
https://fedoraproject.org/wiki/Test_Results:Fedora_24_Branched_20160610.n.0_Cloud
https://fedoraproject.org/wiki/Test_Results:Fedora_24_Branched_20160610.n.0_Desktop
https://fedoraproject.org/wiki/Test_Results:Fedora_24_Branched_20160610.n.0_Security_Lab

Thank you for testing!

--
Mail generated by relval: https://www.happyassassin.net/relval/
___
test-announce mailing list
test-annou...@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/test-annou...@lists.fedoraproject.org
Schedule for Friday's FESCo Meeting (2016-06-10)
Following is the list of topics that will be discussed in the FESCo meeting Friday at 16:00UTC in #fedora-meeting on irc.freenode.net.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/UTCHowto

or run:
  date -d '2016-06-10 16:00 UTC'

Links to all tickets below can be found at:
https://fedorahosted.org/fesco/report/9

= Followups =

#topic #1576 Evaluate Workstation graphical upgrade Change status
.fesco 1576
https://fedorahosted.org/fesco/ticket/1576

#topic #1573 Docker Layered Image maintainer guidelines, naming guidelines and review
.fesco 1573
https://fedorahosted.org/fesco/ticket/1573

= New business =

#topic #1584 Please process systemd presets request, bz :1340061
.fesco 1584
https://fedorahosted.org/fesco/ticket/1584

#topic #1568 F25 Self contained changes
.fesco 1568
https://fedorahosted.org/fesco/ticket/1568

= Open Floor =

For more complete details, please visit each individual ticket. The report of the agenda items can be found at https://fedorahosted.org/fesco/report/9

If you would like to add something to this agenda, you can reply to this e-mail, file a new ticket at https://fedorahosted.org/fesco, e-mail me directly, or bring it up at the end of the meeting, during the open floor topic. Note that added topics may be deferred until the following meeting.
Self Introduction: Davide Olivieri
Hi everyone,

My name is Davide Olivieri, I've been a Linux user for some years and lately I became particularly interested in Fedora and its community. I hold the RHCSA certification and have knowledge of bash scripting.

I would like to contribute to the project by becoming a package maintainer (maybe adopting some orphaned packages). I do not have much experience with making RPMs (so far I only made a couple of packages for personal use) but thanks to the documentation and the help from the mentor(s) I think I can learn effectively.

Please find below the link to the Review Request I submitted a couple of days ago:
https://bugzilla.redhat.com/show_bug.cgi?id=1343208

I am looking forward to having feedback from you. Thank you.

Cheers,
Davide Olivieri
Re: Proposal: remove insecure WebKitGTK+ packages for F27
On Fri, 2016-06-10 at 08:11 -0500, Michael Catanzaro wrote:
> I propose we retire the webkitgtk and webkitgtk3 packages when
> branching rawhide for F26 (expected to occur roughly February 2017)

To clarify: I propose removing the packages from rawhide (only) shortly after branching for F26, that way nothing will be removed until F27.
Proposal: remove insecure WebKitGTK+ packages for F27
Hi,

I propose we retire the webkitgtk and webkitgtk3 packages when branching rawhide for F26 (expected to occur roughly February 2017), and forbid unretiring them. All their dependencies would then be removed from Fedora according to the normal process shortly before the release of F27 (expected to occur May 2017). If nobody objects, we'll carry out this plan shortly after the F26 branch point.

Question: Why retire these packages?

Answer: Affected applications that process untrusted input are vulnerable to roughly 150 unfixed security vulnerabilities, the overwhelming majority of which are remote code execution vulnerabilities. The severity of this situation arguably outweighs the benefit of keeping affected applications around.

Question: This sounds horrible, we should act soon. Why wait until F26?

Answer: Porting to the new WebKitGTK+ API is easy for many applications, but for applications that use the DOM API it can be expected to take some time, as this API has moved to the web process and accessing it requires writing a web process extension. If we were to use F25 as the deadline, there would not be sufficient time for applications to be ported. Porting efforts should begin as soon as possible.

Question: What if my application doesn't process untrusted input?

Answer: If you're sure your application never processes untrusted input, it is a special flower. You should request a bundling exception from FESCo if you do not intend to upgrade.

Question: You're horrible for proposing to remove my packages.

Answer: WebKit1 was deprecated in March 2013. Packages have had three years to upgrade. It's clear at this point that this problem won't ever be fixed without a hard deadline that is enforced. But this is a fair point; it sucks a lot that compatibility is not offered here. Such is the cost of free software.

Question: We usually allow compatibility libraries to exist indefinitely. Why so strict with WebKit?

Answer: Our compatibility libraries do not usually have upwards of 150 unfixed remote code execution vulnerabilities. Backporting fixes is not practical in this situation.

Question: But these packages are still included in RHEL. Isn't Red Hat providing security updates?

Answer: No.

Question: Will you help port my packages to newer WebKit?

Answer: We'll answer questions, but unfortunately we can only provide serious assistance to priority GNOME packages. evolution-data-server threatens to take out gnome-shell if removed, for instance, which is why we waited until the Evolution port is nearing completion to propose this.

Question: What if my application depends on GTK+ 2?

Answer: You must first port to GTK+ 3, then port to WebKit2. You may find it more practical to stop using WebKitGTK+.

Question: What if my application needs to work on Windows?

Answer: WebKit2 is not supported on Windows. You will need to either commit to developing Windows support, or stop using WebKitGTK+.

Question: I hear QtWebKit is insecure too, why punish only GTK+ apps?

Answer: QtWebKit has not had security updates since ~2012 and so has even more unfixed vulnerabilities. However, an unofficial effort is underway to rebase QtWebKit on the upstream WebKit project. The plan is to make regular QtWebKit releases based on the latest WebKitGTK+ stable branch, meaning there should be regular security updates. This is still a work in progress, but once completed, Fedora will be able to switch upstreams and solve this issue without the need to port applications to QtWebEngine. No such compatibility effort is planned for WebKitGTK+.

Question: Where can I view WebKitGTK+ security advisories?

Answer: http://webkitgtk.org/security.html

Question: Where can I learn more?

Answer: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

Question: What would be removed if this were to occur today?

Answer: If you read this far, please seriously look over these lists. Some big name applications are included.

$ repoquery --whatrequires --recursive webkitgtk
Yum-utils package has been deprecated, use dnf instead.
See 'man yum2dnf' for more information.
GREYCstoration-gimp-0:2.8-22.fc24.x86_64
atril-0:1.14.1-1.fc24.x86_64
atril-caja-0:1.14.1-1.fc24.x86_64
atril-devel-0:1.14.1-1.fc24.i686
atril-devel-0:1.14.1-1.fc24.x86_64
atril-libs-0:1.14.1-1.fc24.i686
atril-libs-0:1.14.1-1.fc24.x86_64
atril-thumbnailer-0:1.14.1-1.fc24.x86_64
banshee-0:2.6.2-15.fc24.x86_64
banshee-community-extensions-0:2.4.0-14.fc24.x86_64
banshee-devel-0:2.6.2-15.fc24.i686
banshee-devel-0:2.6.2-15.fc24.x86_64
billiards-0:0.4.1-10.fc24.x86_64
claws-mail-plugins-0:3.13.2-2.fc24.x86_64
claws-mail-plugins-fancy-0:3.13.2-2.fc24.x86_64
compat-wxGTK3-gtk2-0:3.0.2-7.fc24.i686
compat-wxGTK3-gtk2-0:3.0.2-7.fc24.x86_64
compat-wxGTK3-gtk2-devel-0:3.0.2-7.fc24.i686
compat-wxGTK3-gtk2-devel-0:3.0.2-7.fc24.x86_64
compat-wxGTK3-gtk2-docs-0:3.0.2-7.fc24.noarch
compat-wxGTK3-gtk2-gl-0:3.0.2-7.fc24.i686
compat-wxGTK3-gtk2-gl-0:3.0.2-7
Re: Alternate places to install specialized binaries
On Fri, Jun 10, 2016 at 12:30:47PM -, Alec Leamas wrote:
> testing this on-line reply thing...
>
> I guess the java tools are either scripts or java code i.e.,
> architecture-independent. I just presume Rich's tools are compiled code
> which cannot live in /usr/share for that reason. But... to presume is a
> bad habit.

Yes these are 2 x C programs and 1 x Perl script, so at least the C programs should not live under /usr/share.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages.
http://libguestfs.org
Re: Alternate places to install specialized binaries
testing this on-line reply thing...

I guess the java tools are either scripts or java code i.e., architecture-independent. I just presume Rich's tools are compiled code which cannot live in /usr/share for that reason. But... to presume is a bad habit.

Cheers!

--alec
Re: Alternate places to install specialized binaries
On 10/06/16 14:01, Sérgio Basto wrote:
> (3) Rename them and put them in %{_bindir}. This is technically
> difficult, because the binaries have manual pages which would all
> have to be patched to refer to the new names.
>
> Rich.

What if you rename them, and instead of patching the manpages (admittedly hairy) add new, very short manpages which explain the renaming and refer to the original pages?

Cheers!

--alec
Re: Alternate places to install specialized binaries
On Thu, 2016-06-09 at 12:59 +0100, Richard W.M. Jones wrote:
> I maintain a package which comes with some benchmarking tools. I
> would like to package these, but they have very generic names like
> "boot-benchmark", "analysis". Also the tools are very specialized --
> you would only want them if you already know you need them.

I think it is the same question as "/usr/share vs /usr/libexec" and also vs /usr/lib:
https://lists.fedoraproject.org/pipermail/devel/2015-April/210148.html

If they are binaries, /usr/libexec; if it is a lot of stuff (and not only binaries), /usr/share/.

> I wonder if people have opinions on the best way to package these. It
> seems to me the options are:
>
> (1) Put them in %{_bindir} as they are. Likely a bad idea.
>
> (2) Put them in some other binary directory. Not sure which though,
> maybe %{_libdir}/%{name}/ ?
>
> (3) Rename them and put them in %{_bindir}. This is technically
> difficult, because the binaries have manual pages which would all
> have to be patched to refer to the new names.
>
> Rich.

--
Sérgio M. B.
Re: Alternate places to install specialized binaries
Hi Rich.

On 9 June 2016 at 12:59, Richard W.M. Jones wrote:
>
> I maintain a package which comes with some benchmarking tools. I
> would like to package these, but they have very generic names like
> "boot-benchmark", "analysis". Also the tools are very specialized --
> you would only want them if you already know you need them.
>
> I wonder if people have opinions on the best way to package these. It
> seems to me the options are:

javapackages-tools and javapackages-local have many small programs in /usr/share/java-utils. Most of the programs are called from rpm-macros:

$ rpm --eval '%{mvn_build}'
/usr/bin/python3 /usr/share/java-utils/mvn_build.py

But they can be called directly, which makes them good for debugging and testing. Many of the programs also have man pages:

$ whereis mvn_build
mvn_build: /usr/share/man/man7/mvn_build.7.gz

Jonny
Fedora rawhide compose report: 20160610.n.0 changes
OLD: Fedora-Rawhide-20160609.n.0
NEW: Fedora-Rawhide-20160610.n.0

= SUMMARY =
Added images: 6
Dropped images: 8
Added packages: 8
Dropped packages: 0
Upgraded packages: 108
Downgraded packages: 0

Size of added packages: 12.67 MiB
Size of dropped packages: 0.00 B
Size of upgraded packages: 1.32 GiB
Size of downgraded packages: 0.00 B

Size change of upgraded packages: 20.86 MiB
Size change of downgraded packages: 0.00 B

= ADDED IMAGES =
Image: Xfce live x86_64
Path: Spins/x86_64/iso/Fedora-Xfce-Live-x86_64-Rawhide-20160610.n.0.iso
Image: LXDE live x86_64
Path: Spins/x86_64/iso/Fedora-LXDE-Live-x86_64-Rawhide-20160610.n.0.iso
Image: Xfce live i386
Path: Spins/i386/iso/Fedora-Xfce-Live-i386-Rawhide-20160610.n.0.iso
Image: Robotics live i386
Path: Labs/i386/iso/Fedora-Robotics-Live-i386-Rawhide-20160610.n.0.iso
Image: Robotics live x86_64
Path: Labs/x86_64/iso/Fedora-Robotics-Live-x86_64-Rawhide-20160610.n.0.iso
Image: LXDE live i386
Path: Spins/i386/iso/Fedora-LXDE-Live-i386-Rawhide-20160610.n.0.iso

= DROPPED IMAGES =
Image: Workstation live i386
Path: Workstation/i386/iso/Fedora-Workstation-Live-i386-Rawhide-20160609.n.0.iso
Image: Mate live i386
Path: Spins/i386/iso/Fedora-MATE_Compiz-Live-i386-Rawhide-20160609.n.0.iso
Image: Mate live x86_64
Path: Spins/x86_64/iso/Fedora-MATE_Compiz-Live-x86_64-Rawhide-20160609.n.0.iso
Image: Scientific_KDE live x86_64
Path: Labs/x86_64/iso/Fedora-Scientific_KDE-Live-x86_64-Rawhide-20160609.n.0.iso
Image: Scientific_KDE live i386
Path: Labs/i386/iso/Fedora-Scientific_KDE-Live-i386-Rawhide-20160609.n.0.iso
Image: SoaS live x86_64
Path: Spins/x86_64/iso/Fedora-SoaS-Live-x86_64-Rawhide-20160609.n.0.iso
Image: Workstation live x86_64
Path: Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-Rawhide-20160609.n.0.iso
Image: SoaS live i386
Path: Spins/i386/iso/Fedora-SoaS-Live-i386-Rawhide-20160609.n.0.iso

= ADDED PACKAGES =
Package: dnscrypt-proxy-1.6.1-3.fc25
Summary: DNSCrypt client
RPMs: dnscrypt-proxy
Size: 376006 bytes

Package: guayadeque-0.4.1-0.8.beta1gitce1ab15.fc25
Summary: Music player
RPMs: guayadeque guayadeque-langpack-bg guayadeque-langpack-ca_ES guayadeque-langpack-cs guayadeque-langpack-de guayadeque-langpack-el guayadeque-langpack-es guayadeque-langpack-fr guayadeque-langpack-hr guayadeque-langpack-hu guayadeque-langpack-is guayadeque-langpack-it guayadeque-langpack-ja guayadeque-langpack-nb guayadeque-langpack-nl guayadeque-langpack-pl guayadeque-langpack-pt guayadeque-langpack-pt_BR guayadeque-langpack-ru guayadeque-langpack-sk guayadeque-langpack-sr guayadeque-langpack-sv guayadeque-langpack-th guayadeque-langpack-tr guayadeque-langpack-uk
Size: 7108410 bytes

Package: jandex-maven-plugin-1.0.4-1.fc25
Summary: Jandex wrapper for Maven
RPMs: jandex-maven-plugin jandex-maven-plugin-javadoc
Size: 64272 bytes

Package: keepassx0-0.4.4-3.fc25
Summary: Cross-platform password manager
RPMs: keepassx0
Size: 2455682 bytes

Package: notify-sharp3-3.0.3-1.fc25
Summary: A C# implementation for Desktop Notifications
RPMs: notify-sharp3 notify-sharp3-devel notify-sharp3-doc
Size: 81906 bytes

Package: python-certbot-apache-0.8.0-2.fc25
Summary: The apache plugin for certbot
RPMs: python2-certbot-apache
Size: 130690 bytes

Package: ricochet-1.1.2-2.fc25
Summary: Anonymous peer-to-peer instant messaging
RPMs: ricochet
Size: 2960062 bytes

Package: undertow-js-1.0.2-1.fc25
Summary: JavaScript based handlers for Undertow
RPMs: undertow-js undertow-js-javadoc
Size: 103340 bytes

= DROPPED PACKAGES =

= UPGRADED PACKAGES =
Package: accountsservice-0.6.42-1.fc25
Old package: accountsservice-0.6.40-3.fc24
Summary: D-Bus interfaces for querying and manipulating user account information
RPMs: accountsservice accountsservice-devel accountsservice-libs
Size: 639250 bytes
Size change: -8544 bytes
Changelog:
  * Tue May 31 2016 Ray Strode - 0.6.40-4
  - Don't create /root/.cache at startup
    Resolves: #1331926

  * Thu Jun 09 2016 Ray Strode - 0.6.42-1
  - Update to 0.6.42
  - Fixes systemd incompatibility

Package: acpica-tools-20160527-1.fc25
Old package: acpica-tools-20160422-1.fc25
Summary: ACPICA tools for the development and debug of ACPI tables
RPMs: acpica-tools
Size: 2704514 bytes
Size change: -352 bytes
Changelog:
  * Thu Jun 09 2016 Al Stone - 20160527-1
  - Update to latest upstream. Closes BZ#1340573.
  - Refresh patches.

Package: atril-1.15.0-1.fc25
Old package: atril-1.14.1-1.fc25
Summary: Document viewer
RPMs: atril atril-caja atril-devel atril-libs atril-thumbnailer
Size: 4662046 bytes
Size change: -31420 bytes
Changelog:
  * Thu Jun 09 2016 Wolfgang Ulbrich - 1.15.0-1
  - update to 1.15.0 release
  - switch to gtk+3

Package: caja-1.15.0-1.fc25
Old package: caja-1.14.1-1.fc25
Summary: File manager for MATE
Re: Notice on WebKitGTK+ API/ABI compatibility
Hello, Michael.

On Thursday, 09 June 2016 at 20:48, Michael Catanzaro wrote:
> We have recently started updating all Fedoras to the latest stable
> release of WebKitGTK+ in order to provide effective security support.
> I'm pleased that so far we have had no bug reports related to these
> updates.
>
> Recently, FESCo wisely adopted a policy to ban stable release updates
> that break API or ABI, and while I believe we currently comply, we
> might be skirting the line a bit. We intend to offer a API and ABI
> compatibility indefinitely, most likely until GTK+ 4 is released,
> whenever that may be, but with two caveats.
[...]

Thank you for this declaration. It's good to set the expectations explicitly. Could you put this on a page in Fedora wiki and possibly add a link in WebKitGTK+ package description and README file?

Regards,
Dominik
--
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages."
-- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"
Re: Hacks for multilib unclean C headers
On 2016-06-09 01:18, Jonathan Wakely wrote:
On 09/06/16 08:02 +, Petr Pisar wrote:
That's because gcc.x86_64 accepts -m32 but cannot produce 32-bit executable without the i686 toolchain packages. It sounds like broken dependencies.

The alternative would be for gcc.x86_64 to unconditionally install the 32-bit packages, even though most users will not use -m32 and so won't need them. Another alternative would be to build gcc with --disable-multilib so you can't use -m32, which would be annoying and inconvenient for users.

That sounds like a great reason for a Suggests or Recommends dependency.

--
Garrett Holmstrom