Re: F29 System Wide Change: Strong crypto settings: phase 2

2018-06-09 Thread John Florian
On 06/08/2018 04:07 AM, Tomas Mraz wrote:
> On Thu, 2018-06-07 at 16:13 -0400, John Florian wrote:
>> On 06/07/2018 08:44 AM, Tomas Mraz wrote:
>>> On Tue, 2018-06-05 at 16:34 -0400, John Florian wrote:
>>>> On 06/05/2018 12:25 PM, Tomas Mraz wrote:
>>>>> On Tue, 2018-06-05 at 16:11 +, Christian Stadelmann wrote:
>>>>>> "Fallback option" always smells like "protocol downgrade attack".
>>>>>> This would undermine the idea of a crypto policy. Anyway,
>>>>>> implementing it seems way out of scope for the crypto policy.
>>>>> Yes, a fallback option is a no-way. You can switch the system policy
>>>>> to LEGACY, however that does not necessarily mean that some very old
>>>>> legacy HW will start to work with Firefox or another web browser,
>>>>> because with newer versions of the browsers and newer versions of
>>>>> TLS/crypto libraries some very old and insecure algorithm and
>>>>> protocol support is being also removed.
>>>>>
>>>> Makes sense, but what is the best way to deal with such old HW if
>>>> you're stuck with it?  I don't want to compromise my workstation for
>>>> all my normal needs just to deal with some ancient embedded https
>>>> server, but it would kind of suck to have to boot some old live image
>>>> just to do some routine config change.  It seems the industry has room
>>>> for improvement here.
>>> Use a virtual machine with some old live image for such insecure
>>> communication?
>>>
>>> I do not think any "improvement" that involves changing the defaults
>>> to be more lenient even if accompanied with some big warning when such
>>> old insecure connection is established would be a good idea. Only if
>>> the users really have to boot some old live image or do some similar
>>> unpleasant task it will really force the old HW out of production
>>> where it should belong. Or we can forget about security based on
>>> cryptographic protocols altogether.
>>>
>>> Note that we are talking about SSLv2, MD4 or similar long long time
>>> ago obsolete stuff. Not things that were just "recently" found as
>>> insecure.
>> Oh!  I didn't realize the proposal was covering stuff /that/ old.
>> Somehow TLS 1.1 just didn't equate in my memory with that era. Thank
>> you Tomas for the clarification.
> No, this is a misunderstanding. The change proposal is about newer stuff
> but the proposal allows for easy revert by setting the crypto policy to
> LEGACY.
>
> What I was talking about in this thread, starting with my message from
> Tue, 05 Jun 2018 18:25:57 +0200, was things that possibly very old legacy
> devices might require for communication that are not present in the TLS
> libraries anymore.
>
Okay, so IIUC now, this is an all-or-nothing kind of change.  If I
elect/need to use LEGACY to administer some old hardware that I cannot
otherwise connect to using the defaults, then I'm compromising that
host's security for anything/everything it's used for until it's taken
back off LEGACY and returned to whatever the non-LEGACY is called.  Do I
have it right now?

-- 
John Florian
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/MSDDSIVEFGXR7J54L5FGPU6LI4HCHRUC/


Fedora Rawhide-20180609.n.0 compose check report

2018-06-09 Thread Fedora compose checker
No missing expected images.

Failed openQA tests: 7/137 (x86_64), 2/24 (i386), 1/2 (arm)

New failures (same test did not fail in Rawhide-20180608.n.1):

ID: 247528  Test: x86_64 Workstation-live-iso desktop_update_graphical
URL: https://openqa.fedoraproject.org/tests/247528
ID: 247539  Test: x86_64 KDE-live-iso install_default_upload
URL: https://openqa.fedoraproject.org/tests/247539
ID: 247557  Test: x86_64 AtomicWorkstation-dvd_ostree-iso install_default@uefi
URL: https://openqa.fedoraproject.org/tests/247557
ID: 247589  Test: x86_64 universal install_simple_encrypted@uefi
URL: https://openqa.fedoraproject.org/tests/247589
ID: 247630  Test: x86_64 universal upgrade_server_domain_controller
URL: https://openqa.fedoraproject.org/tests/247630
ID: 247636  Test: x86_64 universal upgrade_realmd_client
URL: https://openqa.fedoraproject.org/tests/247636

Old failures (same test failed in Rawhide-20180608.n.1):

ID: 247503  Test: x86_64 Server-dvd-iso server_role_deploy_domain_controller
URL: https://openqa.fedoraproject.org/tests/247503
ID: 247536  Test: i386 Workstation-live-iso install_default
URL: https://openqa.fedoraproject.org/tests/247536
ID: 247552  Test: i386 KDE-live-iso install_default
URL: https://openqa.fedoraproject.org/tests/247552
ID: 247553  Test: arm Minimal-raw_xz-raw.xz install_arm_image_deployment_upload
URL: https://openqa.fedoraproject.org/tests/247553

Soft failed openQA tests: 8/137 (x86_64), 4/24 (i386)
(Tests completed, but using a workaround for a known bug)

New soft failures (same test did not soft fail in Rawhide-20180608.n.1):

ID: 247522  Test: x86_64 Workstation-live-iso install_default@uefi
URL: https://openqa.fedoraproject.org/tests/247522

Old soft failures (same test soft failed in Rawhide-20180608.n.1):

ID: 247515  Test: i386 Server-boot-iso install_default
URL: https://openqa.fedoraproject.org/tests/247515
ID: 247516  Test: i386 Server-dvd-iso install_default
URL: https://openqa.fedoraproject.org/tests/247516
ID: 247600  Test: x86_64 universal upgrade_2_kde_64bit
URL: https://openqa.fedoraproject.org/tests/247600
ID: 247601  Test: x86_64 universal upgrade_2_desktop_encrypted_64bit
URL: https://openqa.fedoraproject.org/tests/247601
ID: 247613  Test: x86_64 universal upgrade_desktop_64bit
URL: https://openqa.fedoraproject.org/tests/247613
ID: 247615  Test: x86_64 universal install_asian_language
URL: https://openqa.fedoraproject.org/tests/247615
ID: 247623  Test: x86_64 universal upgrade_kde_64bit
URL: https://openqa.fedoraproject.org/tests/247623
ID: 247624  Test: x86_64 universal upgrade_desktop_encrypted_64bit
URL: https://openqa.fedoraproject.org/tests/247624
ID: 247631  Test: x86_64 universal upgrade_2_desktop_64bit
URL: https://openqa.fedoraproject.org/tests/247631
ID: 247646  Test: i386 universal upgrade_desktop_32bit
URL: https://openqa.fedoraproject.org/tests/247646
ID: 247647  Test: i386 universal upgrade_2_desktop_32bit
URL: https://openqa.fedoraproject.org/tests/247647

Passed openQA tests: 109/137 (x86_64), 18/24 (i386)

New passes (same test did not pass in Rawhide-20180608.n.1):

ID: 247510  Test: x86_64 Server-dvd-iso install_updates_nfs
URL: https://openqa.fedoraproject.org/tests/247510
ID: 247534  Test: x86_64 Workstation-boot-iso install_default@uefi
URL: https://openqa.fedoraproject.org/tests/247534
ID: 247559  Test: x86_64 AtomicWorkstation-dvd_ostree-iso install_default_upload
URL: https://openqa.fedoraproject.org/tests/247559
ID: 247560  Test: x86_64 AtomicWorkstation-dvd_ostree-iso base_selinux
URL: https://openqa.fedoraproject.org/tests/247560
ID: 247561  Test: x86_64 AtomicWorkstation-dvd_ostree-iso base_services_start
URL: https://openqa.fedoraproject.org/tests/247561
ID: 247562  Test: x86_64 AtomicWorkstation-dvd_ostree-iso base_system_logging
URL: https://openqa.fedoraproject.org/tests/247562
ID: 247563  Test: x86_64 AtomicWorkstation-dvd_ostree-iso desktop_terminal
URL: https://openqa.fedoraproject.org/tests/247563
ID: 247564  Test: x86_64 AtomicWorkstation-dvd_ostree-iso desktop_browser
URL: https://openqa.fedoraproject.org/tests/247564
ID: 247565  Test: x86_64 AtomicWorkstation-dvd_ostree-iso base_service_manipulation
URL: https://openqa.fedoraproject.org/tests/247565
ID: 247595  Test: x86_64 universal install_delete_partial
URL: https://openqa.fedoraproject.org/tests/247595

Skipped openQA tests: 11 of 163

Installed system changes in test x86_64 Server-boot-iso install_default: 
2 packages(s) removed since previous compose: libdrm, libpciaccess
System load changed from 1.39 to 1.74
Previous test data: https://openqa.fedoraproject.org/tests/247311#downloads
Current test data: https://openqa.fedoraproject.org/tests/247492#downloads

Installed system changes in test x86_64 Server-boot-iso install_default@uefi: 
2 packages(s) removed since previous compose: libdrm, libpciaccess
System load change

Re: F29 System Wide Change: Hide the grub menu

2018-06-09 Thread Hans de Goede

Hi,

On 08-06-18 00:35, Gerald B. Cox wrote:
>
> On Thu, Jun 7, 2018 at 2:07 AM, Hans de Goede <hdego...@redhat.com> wrote:
>
>> A question to you (and the Fedora community in general) where
>> should the documentation for this live? I would like to have
>> something longer lived than the Changes wiki page or the
>> release notes.
>
> If it were me, I would put it in:
>
> 1.  The release notes for F29
> 2.  The System Administrator's Guide for F29 and all subsequent releases

Thanks, the sysadmin guide is a good place, I will document it
there and link from the release-notes to the sysadmin guide
for details.

Regards,

Hans
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/DVF2P5ZAFKLU47KDCQETGU3OIZAXJVVE/


Fedora rawhide compose report: 20180609.n.0 changes

2018-06-09 Thread Fedora Rawhide Report
OLD: Fedora-Rawhide-20180608.n.1
NEW: Fedora-Rawhide-20180609.n.0

= SUMMARY =
Added images:        10
Dropped images:      0
Added packages:      1
Dropped packages:    0
Upgraded packages:   72
Downgraded packages: 0

Size of added packages:      305.30 KiB
Size of dropped packages:    0 B
Size of upgraded packages:   8.17 GiB
Size of downgraded packages: 0 B

Size change of upgraded packages:   68.01 MiB
Size change of downgraded packages: 0 B

= ADDED IMAGES =
Image: Cloud_Base raw-xz s390x
Path: Cloud/s390x/images/Fedora-Cloud-Base-Rawhide-20180609.n.0.s390x.raw.xz
Image: Minimal raw-xz aarch64
Path: Spins/aarch64/images/Fedora-Minimal-Rawhide-20180609.n.0.aarch64.raw.xz
Image: Everything boot s390x
Path: Everything/s390x/iso/Fedora-Everything-netinst-s390x-Rawhide-20180609.n.0.iso
Image: Cloud_Base qcow2 s390x
Path: Cloud/s390x/images/Fedora-Cloud-Base-Rawhide-20180609.n.0.s390x.qcow2
Image: Server boot s390x
Path: Server/s390x/iso/Fedora-Server-netinst-s390x-Rawhide-20180609.n.0.iso
Image: Server dvd s390x
Path: Server/s390x/iso/Fedora-Server-dvd-s390x-Rawhide-20180609.n.0.iso
Image: Container_Base docker s390x
Path: Container/s390x/images/Fedora-Container-Base-Rawhide-20180609.n.0.s390x.tar.xz
Image: AtomicHost qcow2 ppc64le
Path: AtomicHost/ppc64le/images/Fedora-AtomicHost-Rawhide-20180609.n.0.ppc64le.qcow2
Image: Container_Minimal_Base docker s390x
Path: Container/s390x/images/Fedora-Container-Minimal-Base-Rawhide-20180609.n.0.s390x.tar.xz
Image: AtomicHost raw-xz ppc64le
Path: AtomicHost/ppc64le/images/Fedora-AtomicHost-Rawhide-20180609.n.0.ppc64le.raw.xz

= DROPPED IMAGES =

= ADDED PACKAGES =
Package: rubygem-mini_magick-4.8.0-1.fc29
Summary: Manipulate images with minimal use of memory via ImageMagick
RPMs:    rubygem-mini_magick rubygem-mini_magick-doc
Size:    305.30 KiB


= DROPPED PACKAGES =

= UPGRADED PACKAGES =
Package:  389-ds-base-1.4.0.10-1.fc29
Old package:  389-ds-base-1.4.0.9-2.fc29
Summary:  389 Directory Server (base)
RPMs:         389-ds-base 389-ds-base-devel 389-ds-base-legacy-tools 389-ds-base-libs 389-ds-base-snmp cockpit-389-ds python3-389-ds-base-tests python3-lib389
Added RPMs:   389-ds-base-legacy-tools cockpit-389-ds
Size: 26.40 MiB
Size change:  5.63 MiB
Changelog:
  * Fri Jun 08 2018 Mark Reynolds  - 1.4.0.10-1
  - Bump verision to 1.4.0.10-1
  - Ticket 49640 - Errors about PBKDF2 password storage plugin at server startup
  - Ticket 49571 - perl subpackage and python installer by default
  - Ticket 49740 - UI - Replication monitor color coding is not colorblind friendly
  - Ticket 49741 - UI - View/Edit replication agreement hangs WebUI
  - Ticket 49703 - UI - Set default values in create instance form
  - Ticket 49742 - Fine grained password policy can impact search performance
  - Ticket 49768 - Under network intensive load persistent search can erronously decrease connection refcnt
  - Ticket 49765 - compiler warning
  - Ticket 49689 - Cockpit subpackage does not build in PREFIX installations
  - Ticket 49765 - Async operations can hang when the server is running nunc-stans
  - Ticket 49745 - UI add filter options for error log severity levels
  - Ticket 49761 - Fix test suite issues
  - Ticket 49754 - instances created with dscreate can not be upgraded with setup-ds.pl
  - Ticket 47902 - UI - add continuous refresh log feature
  - Ticket 49381 - Add docstrings to plugin test suites - Part 1
  - Ticket 49646 - Improve TLS cert processing in lib389 CLI
  - Ticket 49748 - Passthru plugin startTLS option not working
  - Ticket 49732 - Optimize resource limit checking for rootdn issued searches
  - Ticket 48377 - Bundle jemalloc
  - Ticket 49736 - Hardening of active connection list
  - Ticket 48184 - clean up and delete connections at shutdown (3rd)
  - Ticket 49675 - Revise coverity fix
  - Ticket 49333 - Do not remove versioned man pages
  - Ticket 49683 - Add support for JSON option in lib389 CLI tools
  - Ticket 49704 - Error log from the installer is concatenating all lines into one
  - Ticket 49726 - DS only accepts RSA and Fortezza cipher families
  - Ticket 49722 - Errors log full of " WARN - keys2idl - recieved NULL idl from index_read_ext_allids, treating as empty set" messages
  - Ticket 49582 - Add py3 support to memberof_plugin test suite
  - Ticket 49675 - Fix coverity issues
  - Ticket 49576 - Add support of ";deletedattribute" in ds-replcheck
  - Ticket 49706 - Finish UI patternfly convertions
  - Ticket 49684 - AC_PROG_CC clobbers CFLAGS set by --enable-debug
  - Ticket 49678 - organiSational vs organiZational spelling in lib389
  - Ticket 49689 - Fix local "make install" after adding cockpit subpackage
  - Ticket 49689 - Move Cockpit UI plugin to a subpackage
  - Ticket 49679 - Missing nunc-stans documentation and doxygen warnings
  - Ticket 49588 - Add py3 support for tickets : part-1
  - Ticket 49576 - Update ds-replcheck for new con

[Test-Announce] Fedora 29 Rawhide 20180609.n.0 nightly compose nominated for testing

2018-06-09 Thread rawhide
Announcing the creation of a new nightly release validation test event
for Fedora 29 Rawhide 20180609.n.0. Please help run some tests for this
nightly compose if you have time. For more information on nightly
release validation testing, see:
https://fedoraproject.org/wiki/QA:Release_validation_test_plan

Notable package version changes:
parted - 20180606.n.0: parted-3.2-32.fc29.src, 20180609.n.0: parted-3.2-33.fc29.src
lorax - 20180606.n.0: lorax-29.6-1.fc29.src, 20180609.n.0: lorax-29.7-1.fc29.src
anaconda - 20180606.n.0: anaconda-29.15-1.fc29.src, 20180609.n.0: anaconda-29.16-1.fc29.src

Test coverage information for the current release can be seen at:
https://www.happyassassin.net/testcase_stats/29

You can see all results, find testing instructions and image download
locations, and enter results on the Summary page:

https://fedoraproject.org/wiki/Test_Results:Fedora_29_Rawhide_20180609.n.0_Summary

The individual test result pages are:

https://fedoraproject.org/wiki/Test_Results:Fedora_29_Rawhide_20180609.n.0_Installation
https://fedoraproject.org/wiki/Test_Results:Fedora_29_Rawhide_20180609.n.0_Base
https://fedoraproject.org/wiki/Test_Results:Fedora_29_Rawhide_20180609.n.0_Server
https://fedoraproject.org/wiki/Test_Results:Fedora_29_Rawhide_20180609.n.0_Cloud
https://fedoraproject.org/wiki/Test_Results:Fedora_29_Rawhide_20180609.n.0_Desktop
https://fedoraproject.org/wiki/Test_Results:Fedora_29_Rawhide_20180609.n.0_Security_Lab

Thank you for testing!
-- 
Mail generated by relvalconsumer: https://pagure.io/fedora-qa/relvalconsumer
___
test-announce mailing list -- test-annou...@lists.fedoraproject.org
To unsubscribe send an email to test-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/test-annou...@lists.fedoraproject.org/message/EWPLBWBBZXLF5NSJUBZNLAZMGSBUUJAV/
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/EWPLBWBBZXLF5NSJUBZNLAZMGSBUUJAV/


Re: [help needed] ldconfig scriptlets

2018-06-09 Thread Zbigniew Jędrzejewski-Szmek
On Sat, Jun 09, 2018 at 01:49:44PM +0200, Michal Schorm wrote:
> Hi folks,
> 
> I have a 'mariadb-connector-c' package. [1]
> 
> Due to some issues, I only maintain it in F28 and later.
> 
> I removed the scriptlets as said here: [2]
>
> "Packagers who want to support only Fedora 28+ in their spec files can
> remove scriptlets entirely."
>
> The library goes right into %{_libdir} and I don't use the ld.so.conf file.
>
> Yet RPMLint still finds errors: [3]
>
> "E: library-without-ldconfig-postin /usr/lib/libmariadb.so.3"
>
> The taskotron only found it on arm, but local 'fedpkg lint' finds it on my
> x86_64 too.
> 
> Any thoughts, what I (or RPMLint) did wrong?

rpmlint hasn't been updated. Just ignore.

Zbyszek
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/PBTUR4M3MZF6DDZX6PIOZH472BGQP4JR/


[help needed] ldconfig scriptlets

2018-06-09 Thread Michal Schorm
Hi folks,

I have a 'mariadb-connector-c' package. [1]

Due to some issues, I only maintain it in F28 and later.

I removed the scriptlets as said here: [2]

"Packagers who want to support only Fedora 28+ in their spec files can
remove scriptlets entirely."

The library goes right into %{_libdir} and I don't use the ld.so.conf file.

Yet RPMLint still finds errors: [3]

"E: library-without-ldconfig-postin /usr/lib/libmariadb.so.3"

The taskotron only found it on arm, but local 'fedpkg lint' finds it on my
x86_64 too.

Any thoughts, what I (or RPMLint) did wrong?

[1] https://src.fedoraproject.org/rpms/mariadb-connector-c/tree/master
[2] https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets
[3] https://taskotron.fedoraproject.org/artifacts/all/bcab55e0-6b34-11e8-99da-525400fc9f92/tests.yml/mariadb-connector-c-3.0.5-1.fc28.log
--

Michal Schorm
Associate Software Engineer
Core Services - Databases Team
Red Hat
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/43AB5E3255A3TGNF3VXKVOXITZULEVF5/