Re: Self Introduction: Štěpán Horáček
On Fri, Apr 14, 2023 at 9:53 AM Stepan Horacek wrote: > Hello everyone, > > I am a software engineer working at Red Hat. Currently, I maintain TPM > packages in RHEL. One of those packages is the tss2 package, and I would > like to become a co-maintainer of the tss2 package in Fedora. > > Regards, > Štěpán > Hi Stepan, I will submit a ticket to request you being added to the packagers group so you can co-maintain. What is your fedora account id? It wasn't obvious with a quick search. Regards, Jerry ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Issue trying to add co-maintainer to package
Hi, I'm trying add the user kgold as a co-maintainer to the tss2 package. Peter added him to the packagers group the other week. Ken shows up in the packagers group when I look at his profile in FAS, and it shows for him as well. Ken has logged out and back in, but every time I've tried to add user kgold as an admin it comes back complaining that the user needs to be in the packagers group. Is there something I need to or can do to sync the info with src.fedoraproject.org so it sees that Ken is in the packagers group? Thanks, Jerry ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Fedora TPM1.2 Support
Jerry Snitselaar @ 2020-12-04 11:59 MST: > Simo Sorce @ 2020-12-04 07:32 MST: > >> On Fri, 2020-12-04 at 14:08 +, Peter Robinson wrote: >>> On Fri, Dec 4, 2020 at 2:04 PM Simo Sorce wrote: >>> > On Thu, 2020-12-03 at 21:25 +, Peter Robinson wrote: >>> > > > We are looking to no longer support TPM1.2 in RHEL9. Than raised the >>> > > > question with regards to opencryptoki-tpmtok if it should be changed >>> > > > in >>> > > > Fedora as well, so I thought I'd see what everyone thinks about future >>> > > > TPM1.2 support in Fedora. I know at one point in the last year or so >>> > > > trousers almost dropped from Fedora due to being orphaned for quite a >>> > > > while. From what I could find the following packages have >>> > > > dependencies: >>> > > > >>> > > > ecryptfs-utils - --disable-tspi >>> > > > openconnect - looks like it will only build support if trousers-devel >>> > > > is >>> > > > there, and makes use of tpm2-tss as well. >>> > > > strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? >>> > > > tboot - the trousers dependency was just in a policy tool that >>> > > > has now >>> > > > been deprecated upstream. >>> > > > opencryptoki-tpmtok - --disable-tpmtok >>> > > > >>> > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific >>> > > > packages. >>> > > > >>> > > > Another thing is that in the kernel there currently is no way to build >>> > > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 >>> > > > would still be there. >>> > > > >>> > > > I don't think Fedora needs to drop the tpm1.2 support if people want >>> > > > to >>> > > > continue supporting it, but wanted to put the question out there and >>> > > > see >>> > > > how everyone felt. >>> > > >>> > > I think it should be dropped, tpm2 has been shipped in hardware for 5+ >>> > > years and tpm1 has security issues, so I think the time is now to drop >>> > > it. Please do a Fedora Change proposal to ensure it's communicated >>> > > properly. >>> > >>> > Won't that hurt people that have keys trapped in a TPM 1.2 device ? >>> >>> Won't it hurt RHEL users in similar ways? >> >> It may, but that is RHEL, and this Fedora, no ? >> >>> What is the likelihood of >>> those users actively upgrading anyway? >> >> Upgrades in RHEL are a much bigger deal, and usually better researched >> (also rare, usually people reinstall there). >> >> In Fedora distro-upgrading w/o looking too hard at release notes is >> common. >> >> Of course the amount of people that uses TPM 1.2 in Fedora is probably >> very small, so this change may be ok, but I just wanted to raise the >> issue. >> >> Is there a way, after update to still use TPM 1.2 at all (even if it >> requires installing copr/other repo packages)? Or will people need to >> roll back their system to access those secrets at all ? >> >> Simo. > > Yes, the kernel support in the driver would still be there. Currently > the driver code can't be compiled for just tpm1.2 or tpm2.0. So it > would be a matter of getting userspace tools to talk to it. I think the plan will be in RHEL to tell people that if you need to use TPM1.2 keep using RHEL8 since it will be supported for a number of years still. TPM1.2 was already marked as deprecated in the RHEL8 Release Notes, so hopefully it won't generate too much unhappiness. I know Fedora is a different beast though, and sticking with an older release isn't really an option for users. ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora TPM1.2 Support
Simo Sorce @ 2020-12-04 07:32 MST: > On Fri, 2020-12-04 at 14:08 +, Peter Robinson wrote: >> On Fri, Dec 4, 2020 at 2:04 PM Simo Sorce wrote: >> > On Thu, 2020-12-03 at 21:25 +, Peter Robinson wrote: >> > > > We are looking to no longer support TPM1.2 in RHEL9. Than raised the >> > > > question with regards to opencryptoki-tpmtok if it should be changed in >> > > > Fedora as well, so I thought I'd see what everyone thinks about future >> > > > TPM1.2 support in Fedora. I know at one point in the last year or so >> > > > trousers almost dropped from Fedora due to being orphaned for quite a >> > > > while. From what I could find the following packages have dependencies: >> > > > >> > > > ecryptfs-utils - --disable-tspi >> > > > openconnect - looks like it will only build support if trousers-devel >> > > > is >> > > > there, and makes use of tpm2-tss as well. >> > > > strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? >> > > > tboot - the trousers dependency was just in a policy tool that >> > > > has now >> > > > been deprecated upstream. >> > > > opencryptoki-tpmtok - --disable-tpmtok >> > > > >> > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific >> > > > packages. >> > > > >> > > > Another thing is that in the kernel there currently is no way to build >> > > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 >> > > > would still be there. >> > > > >> > > > I don't think Fedora needs to drop the tpm1.2 support if people want to >> > > > continue supporting it, but wanted to put the question out there and >> > > > see >> > > > how everyone felt. >> > > >> > > I think it should be dropped, tpm2 has been shipped in hardware for 5+ >> > > years and tpm1 has security issues, so I think the time is now to drop >> > > it. Please do a Fedora Change proposal to ensure it's communicated >> > > properly. >> > >> > Won't that hurt people that have keys trapped in a TPM 1.2 device ? >> >> Won't it hurt RHEL users in similar ways? > > It may, but that is RHEL, and this Fedora, no ? > >> What is the likelihood of >> those users actively upgrading anyway? > > Upgrades in RHEL are a much bigger deal, and usually better researched > (also rare, usually people reinstall there). > > In Fedora distro-upgrading w/o looking too hard at release notes is > common. > > Of course the amount of people that uses TPM 1.2 in Fedora is probably > very small, so this change may be ok, but I just wanted to raise the > issue. > > Is there a way, after update to still use TPM 1.2 at all (even if it > requires installing copr/other repo packages)? Or will people need to > roll back their system to access those secrets at all ? > > Simo. Yes, the kernel support in the driver would still be there. Currently the driver code can't be compiled for just tpm1.2 or tpm2.0. So it would be a matter of getting userspace tools to talk to it. ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora TPM1.2 Support
On Thu, Dec 3, 2020 at 2:28 PM Peter Robinson wrote: > > > We are looking to no longer support TPM1.2 in RHEL9. Than raised the > > question with regards to opencryptoki-tpmtok if it should be changed in > > Fedora as well, so I thought I'd see what everyone thinks about future > > TPM1.2 support in Fedora. I know at one point in the last year or so > > trousers almost dropped from Fedora due to being orphaned for quite a > > while. From what I could find the following packages have dependencies: > > > > ecryptfs-utils - --disable-tspi > > openconnect - looks like it will only build support if trousers-devel is > > there, and makes use of tpm2-tss as well. > > strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? > > tboot - the trousers dependency was just in a policy tool that has now > > been deprecated upstream. > > opencryptoki-tpmtok - --disable-tpmtok > > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific > > packages. > > > > Another thing is that in the kernel there currently is no way to build > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 > > would still be there. > > > > I don't think Fedora needs to drop the tpm1.2 support if people want to > > continue supporting it, but wanted to put the question out there and see > > how everyone felt. > > I think it should be dropped, tpm2 has been shipped in hardware for 5+ > years and tpm1 has security issues, so I think the time is now to drop > it. Please do a Fedora Change proposal to ensure it's communicated > properly. > > Peter Hi Peter, Having never done one of these before, looking at the documentation would this be considered system-wide? I think in addition to the above packages possibly selinux-policy could be added to remove the capabilities listed for tcsd. Thanks, Jerry > ___ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Fedora TPM1.2 Support
We are looking to no longer support TPM1.2 in RHEL9. Than raised the question with regards to opencryptoki-tpmtok if it should be changed in Fedora as well, so I thought I'd see what everyone thinks about future TPM1.2 support in Fedora. I know at one point in the last year or so trousers almost dropped from Fedora due to being orphaned for quite a while. From what I could find the following packages have dependencies: ecryptfs-utils - --disable-tspi openconnect - looks like it will only build support if trousers-devel is there, and makes use of tpm2-tss as well. strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? tboot - the trousers dependency was just in a policy tool that has now been deprecated upstream. opencryptoki-tpmtok - --disable-tpmtok tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific packages. Another thing is that in the kernel there currently is no way to build with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 would still be there. I don't think Fedora needs to drop the tpm1.2 support if people want to continue supporting it, but wanted to put the question out there and see how everyone felt. Regards, Jerry ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org