Re: Thunderbird 102 pushed to F36 stable

and Thunderbird 102.2.2 with Security Fixes was released upstream yesterday On 9/8/22, Kevin Kofler via devel wrote: > Sandro wrote: >> Mozilla's blog entry doesn't substantiate the claim and the linked bug >> report[1] is not publicly accessible. >> >> [1] https://bugzilla.mozilla.org/show_bug.c

Re: Help needed with Python fc36 build failing

On Tue, Sep 6, 2022 at 10:52 AM Michael J Gruber wrote: > > > On Mon, Sep 5, 2022 at 2:01 PM Sandro > > > pyproject does not work well, and is not backwards compatible. This is > > particularly a problem for EPEL ports from Fedora. Personally, I'd > > like to see it fixed for EPEL before relying

Re: Thunderbird 102 pushed to F36 stable

Kevin Kofler via devel wrote: > The best way then would be to check whether the one-line fix: > https://hg.mozilla.org/comm-central/log?rev=1784838 Actually, there are two parts, and the main one is more than one line. It had looked to me at a first glance that those are just the same commit app

Self Introduction: Joel Savitz

Hello everyone, I am a software engineer at Red Hat working on the kernel. Over the past three years, I've been leading a program that has evolved into a pipeline to get interested people into kernel development with emphasis on improving Fedora on the Raspberry Pi. Long story short, here is our

Re: CVE Tracking Bugs

Maxwell G via devel wrote: > I don't think Fedora packagers should be CCed on these global trackers. The problem is that, as it stands, those global trackers are the only place that actually explains (usually in one paragraph) what the security issue actually is. The [fedora-all] trackers are pr

Re: Thunderbird 102 pushed to F36 stable

Sandro wrote: > Mozilla's blog entry doesn't substantiate the claim and the linked bug > report[1] is not publicly accessible. > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1784838 The best way then would be to check whether the one-line fix: https://hg.mozilla.org/comm-central/log?rev=178

RE: Help packaging a "C" library written in Rust

Fabio Valentini writes: > On Wed, Sep 7, 2022 at 10:53 PM Stewart Smith via devel > wrote: >> >> For Amazon Linux, we take a different approach to Fedora (but similar to >> RHEL) for software written in Rust and Go, and instead bundle >> dependencies rather than have each module/crate in its own

Re: [Test-Announce] Fedora Linux 37 Beta Go/No-Go meeting next week

Hey! Won't be home then will be at the first social http://foss-sthlm.se meetup in 2,5 years but will read the results later when they are posted the day after On 9/1/22, Ben Cotton wrote: > Hi everyone, > > It's that time already! The Fedora Linux 37 Beta Go/No-Go[1] meeting > is scheduled for

Re: Help packaging a "C" library written in Rust

On Wed, Sep 7, 2022 at 10:53 PM Stewart Smith via devel wrote: > > For Amazon Linux, we take a different approach to Fedora (but similar to > RHEL) for software written in Rust and Go, and instead bundle > dependencies rather than have each module/crate in its own RPM. We do it > so we don't have

RE: Help packaging a "C" library written in Rust

"Richard W.M. Jones" writes: > On Wed, Sep 07, 2022 at 10:05:55AM +0100, Richard W.M. Jones wrote: >> >> https://gitlab.com/libblkio/libblkio >> >> This is a library that offers a C API. It happens to be implemented >> in Rust, but it's not a "Crate" or anything like that. >> >> I wrote a spec fi

Re: F39 proposal: Replace DNF with DNF5 (System-Wide Change proposal)

On Wed, Sep 7, 2022 at 3:17 PM Josh Boyer wrote: > > On Tue, Sep 6, 2022 at 2:29 PM Ben Cotton wrote: > > > > https://fedoraproject.org/wiki/Changes/ReplaceDnfWithDnf5 > > > > This document represents a proposed Change. As part of the Changes > > process, proposals are publicly announced in order

Intent to retire ocaml-uuidm

The ocaml-bisect-ppx package used to require ocaml-uuidm. It does not anymore, neither does anything else in Fedora. I plan to retire ocaml-uuidm when the beta freeze is lifted or in 1 week, whichever comes later. If you want the package, let me know before then. -- Jerry James http://www.jamez

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

* Stephen Gallagher: > On Wed, Sep 7, 2022 at 1:36 PM Ewoud Kohl van Wijngaarden > wrote: > >> But what if $package a.b only supports node 16 and $package x.y only >> supports node 20. Looking at /usr/lib/node_modules/npm/node_modules I >> don't see any version numbers in directories so they can'

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On 07. 09. 22 19:30, Neal Gompa wrote: That said, I don't think alternatives makes sense for this case. Me neither. We used this for /usr/bin/python3 in RHEL 8 and it's very bad UX and requires custom hacks in scriptlets even in RHEL 9 to undo it. It's ugly and hard to get rid of. See https

Intent to retire python-fastcache

The sympy package used to require python-fastcache. The latest release, now built for Rawhide and F37, does not. Nothing else in Fedora uses it. I plan to retire python-fastcache in F37+ when the F37 beta freeze is lifted or in one week, whichever comes later. If you want it, let me know before

Re: F39 proposal: Replace DNF with DNF5 (System-Wide Change proposal)

On Tue, Sep 6, 2022 at 2:29 PM Ben Cotton wrote: > > https://fedoraproject.org/wiki/Changes/ReplaceDnfWithDnf5 > > This document represents a proposed Change. As part of the Changes > process, proposals are publicly announced in order to receive > community feedback. This proposal will only be imp

Re: CVE Tracking Bugs

On Wed, Sep 7, 2022 at 8:45 PM Ben Cotton wrote: > > On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel > wrote: > > > > Does anyone know how to reach prodsec about this? > > I'll reach out to the people I know and see what the best way to get > them in this conversation is. Yes, please. I appr

Re: CVE Tracking Bugs

There's been some discussion in the security meeting about CVEs, and I've been meaning to get some time to chat with Ben about his thoughts on the best way to move forward. But I keep forgetting everytime I talk to him. I guess now is a good time as ever for him to read this and call me out at the

Re: CVE Tracking Bugs

On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel wrote: > > Does anyone know how to reach prodsec about this? I'll reach out to the people I know and see what the best way to get them in this conversation is. -- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/India

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Wed, Sep 7, 2022 at 1:56 PM Neal Gompa wrote: > > On Wed, Sep 7, 2022 at 1:41 PM Stephen Gallagher wrote: > > > > On Wed, Sep 7, 2022 at 1:32 PM Neal Gompa wrote: > > > > > > On Wed, Sep 7, 2022 at 12:45 PM Stephen Gallagher > > > wrote: > > > > > > > > On Wed, Sep 7, 2022 at 9:03 AM Neal G

CVE Tracking Bugs

Hi Fedorians, I think the security tracking bug filing process needs to be amended. The current process is quite frustrating for me and other contributors. This is especially bad for Go CVEs, which there are lot of. Red Hat Product Security creates a single tracking bug for Fedora{, EPEL} _a

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Wed, Sep 7, 2022 at 1:41 PM Stephen Gallagher wrote: > > On Wed, Sep 7, 2022 at 1:32 PM Neal Gompa wrote: > > > > On Wed, Sep 7, 2022 at 12:45 PM Stephen Gallagher > > wrote: > > > > > > On Wed, Sep 7, 2022 at 9:03 AM Neal Gompa wrote: > > > > > > > > On Wed, Sep 7, 2022 at 2:49 AM Vitaly Z

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Wed, Sep 7, 2022 at 1:36 PM Ewoud Kohl van Wijngaarden wrote: > But what if $package a.b only supports node 16 and $package x.y only > supports node 20. Looking at /usr/lib/node_modules/npm/node_modules I > don't see any version numbers in directories so they can't be > coinstalled. Does it me

Re: F38 proposal: Strong crypto settings: phase 3, forewarning 2/2 (System-Wide Change proposal)

Aug 29, 2022 1:32:21 PM Ben Cotton : https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2 == Summary == Cryptographic policies will be tightened in Fedora ''38''-39, SHA-1 signatures will no longer be trusted by default. Fedora ''38'' will do a "jump scare", introducing t

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Wed, Sep 7, 2022 at 1:32 PM Neal Gompa wrote: > > On Wed, Sep 7, 2022 at 12:45 PM Stephen Gallagher wrote: > > > > On Wed, Sep 7, 2022 at 9:03 AM Neal Gompa wrote: > > > > > > On Wed, Sep 7, 2022 at 2:49 AM Vitaly Zaitsev via devel > > > wrote: > > > > > > > > On 06/09/2022 20:28, Ben Cotton

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Wed, 7 Sept 2022 at 12:55, Vít Ondruch wrote: > > Dne 06. 09. 22 v 20:28 Ben Cotton napsal(a): > > https://fedoraproject.org/wiki/Changes/NodejsRepackaging > > > > This document represents a proposed Change. As part of the Changes > > process, proposals are publicly announced in order to recei

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Wed, Sep 07, 2022 at 12:31:27PM -0400, Stephen Gallagher wrote: On Tue, Sep 6, 2022 at 7:07 PM Ewoud Kohl van Wijngaarden wrote: On Tue, Sep 06, 2022 at 02:28:39PM -0400, Ben Cotton wrote: >== Benefit to Fedora == >=== Packager Benefits === >* No more modules to maintain. >* Availability of

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Wed, Sep 7, 2022 at 12:45 PM Stephen Gallagher wrote: > > On Wed, Sep 7, 2022 at 9:03 AM Neal Gompa wrote: > > > > On Wed, Sep 7, 2022 at 2:49 AM Vitaly Zaitsev via devel > > wrote: > > > > > > On 06/09/2022 20:28, Ben Cotton wrote: > > > > We will be creating the packages nodejs-16, nodejs-1

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

Dne 06. 09. 22 v 20:28 Ben Cotton napsal(a): https://fedoraproject.org/wiki/Changes/NodejsRepackaging This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if ap

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Wed, Sep 7, 2022 at 9:03 AM Neal Gompa wrote: > > On Wed, Sep 7, 2022 at 2:49 AM Vitaly Zaitsev via devel > wrote: > > > > On 06/09/2022 20:28, Ben Cotton wrote: > > > We will be creating the packages nodejs-16, nodejs-18 and (in April) > > > nodejs-20. These packages will be parallel-installa

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Tue, Sep 6, 2022 at 7:07 PM Ewoud Kohl van Wijngaarden wrote: > > On Tue, Sep 06, 2022 at 02:28:39PM -0400, Ben Cotton wrote: > >== Benefit to Fedora == > >=== Packager Benefits === > >* No more modules to maintain. > >* Availability of multiple Node.js versions in the buildroot means > >that o

F38 proposal: KTLS implementation for GnuTLS

https://fedoraproject.org/wiki/Changes/KTLSSupportForGnuTLS This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Com

Re: hardened malloc is big and slow

On 9/5/22 19:45, Daniel Micay wrote: On Wed, Aug 31, 2022 at 10:19:51AM -0700, John Reiser wrote: Bottom line opinion: hardened_malloc ... costs too much. Attempting to be constructive: Psychologically, I might be willing to pay a "security tax" of something like 17%, partly on the basis of si

Re: Inactive packagers to be removed after the F37 release

On Wed, Sep 7, 2022 at 12:27 PM Petr Pisar wrote: > Do people lose their tokens more often than forget their passwords? Depends on the person, of course. However, it is less common that one loses a token and does not somewhat quickly notice it (especially if it is on their mobile device, or the

Re: hardened malloc is big and slow

On 9/5/22 21:02, Daniel Micay via devel wrote: On Wed, Aug 31, 2022 at 05:59:42PM +0200, Pablo Mendez Hernandez wrote: Adding Daniel for awareness. Why was the heavyweight rather than lightweight configuration used? Why compare with all the expensive optional security features enabled? The

Re: Inactive packagers to be removed after the F37 release

On Tue, Sep 6 2022 at 10:53:03 PM -0500, Maxwell G wrote: I have 2FA set up on my account and it works okay. You'd use `fkinit` instead of `kinit` that requires special setup[1] to work with 2FA. It doesn't work with the GOA kerberos integration. When authenticating with Fedora online services

igraph soname bump

Updating igraph to 0.10.0 which brings proper soname support. The only dependency other that python-igraph (also being updated) is rw, with which I've filed an upstream bug. --  Gwyn Ciesla she/her/hers   in your fear, seek only peace  in your fear

Re: Inactive packagers to be removed after the F37 release

V Wed, Sep 07, 2022 at 08:53:15AM -0400, Stephen Smoogen napsal(a): > On Wed, 7 Sept 2022 at 08:27, Petr Pisar wrote: > > Shouldn't we instead start with strengthening the credentials reset even > > for password-only authentication? I.e. disallowing the reset. Or enabling > > having multiple passw

[Test-Announce] Reminder: F37 Beta Go/No-Go Thursday

This is your reminder that the Fedora Linux 37 Beta Go/No-Go[1] meeting is scheduled for Thursday 8 September at 1700 UTC in #fedora-meeting. At this time, we will determine the status of the F37 Beta for the 13 September early target date[2]. For more information about the Go/No-Go meeting, see th

Re: Help packaging a "C" library written in Rust

On Wed, Sep 07, 2022 at 08:50:24AM -0400, Stefan Hajnoczi wrote: > On Wed, Sep 07, 2022 at 10:05:55AM +0100, Richard W.M. Jones wrote: > > > > https://gitlab.com/libblkio/libblkio > > > > This is a library that offers a C API. It happens to be implemented > > in Rust, but it's not a "Crate" or a

Re: F38 proposal: Node.js Repackaging (Self-Contained Change proposal)

On Wed, Sep 7, 2022 at 2:49 AM Vitaly Zaitsev via devel wrote: > > On 06/09/2022 20:28, Ben Cotton wrote: > > We will be creating the packages nodejs-16, nodejs-18 and (in April) > > nodejs-20. These packages will be parallel-installable (with the > > exception of the -devel subpackages) and provi

Re: Inactive packagers to be removed after the F37 release

Dne 07. 09. 22 v 5:53 Maxwell G via devel napsal(a): On Tuesday, September 6, 2022 Michael Catanzaro wrote: Currently I do not have any 2FA enabled on my Fedora account I have 2FA set up on my account and it works okay. You'd use `fkinit` instead of `kinit` that requires special setup[1] to wo

Re: Inactive packagers to be removed after the F37 release

On Wed, 7 Sept 2022 at 08:27, Petr Pisar wrote: > V Wed, Sep 07, 2022 at 07:51:15AM -0400, Stephen Smoogen napsal(a): > > On Wed, 7 Sept 2022 at 02:53, Adam Williamson < > adamw...@fedoraproject.org> > > wrote: > > > > > On Wed, 2022-09-07 at 08:41 +0200, Vitaly Zaitsev via devel wrote: > > > > O

Re: Inactive packagers to be removed after the F37 release

On Wed, 2022-09-07 at 14:26 +0200, Petr Pisar wrote: > > So I am going to say I am in agreement with Vitaly that FIDO2 is > > not a > > solution we could support at this time. At most we could support > > HOTP via > > yubikey but we would need to be able to make sure > > 1. That we have some sort o

Re: Inactive packagers to be removed after the F37 release

V Wed, Sep 07, 2022 at 07:51:15AM -0400, Stephen Smoogen napsal(a): > On Wed, 7 Sept 2022 at 02:53, Adam Williamson > wrote: > > > On Wed, 2022-09-07 at 08:41 +0200, Vitaly Zaitsev via devel wrote: > > > On 06/09/2022 23:14, Jonathan Wright wrote: > > > > Fedora must be looked at as more than jus

Re: Help packaging a "C" library written in Rust

On Wed, Sep 7, 2022, at 5:35 AM, Richard W.M. Jones wrote: > It was pointed out on the bug that librsvg2 is in a similar situation. > The answer there was to bundle ("vendor") all the Rust dependencies > into the tarball. The command "cargo vendor" does this. > > For librsvg2 that's 278MB of de

Fedora 37 compose report: 20220907.n.0 changes

OLD: Fedora-37-20220906.n.0 NEW: Fedora-37-20220907.n.0 = SUMMARY = Added images:1 Dropped images: 7 Added packages: 0 Dropped packages:5 Upgraded packages: 3 Downgraded packages: 0 Size of added packages: 0 B Size of dropped packages:103.19 MiB Size of

Re: Inactive packagers to be removed after the F37 release

On Wed, 7 Sept 2022 at 02:53, Adam Williamson wrote: > On Wed, 2022-09-07 at 08:41 +0200, Vitaly Zaitsev via devel wrote: > > On 06/09/2022 23:14, Jonathan Wright wrote: > > > Fedora must be looked at as more than just a "hobby project" even > though > > > it is a hobby for some. > > > > There ar

Re: Help packaging a "C" library written in Rust

On Wed, Sep 7, 2022 at 11:36 AM Richard W.M. Jones wrote: > > On Wed, Sep 07, 2022 at 10:05:55AM +0100, Richard W.M. Jones wrote: > > > > https://gitlab.com/libblkio/libblkio > > > > This is a library that offers a C API. It happens to be implemented > > in Rust, but it's not a "Crate" or anythin

Re: Help packaging a "C" library written in Rust

On Wed, Sep 07, 2022 at 10:05:55AM +0100, Richard W.M. Jones wrote: > > https://gitlab.com/libblkio/libblkio > > This is a library that offers a C API. It happens to be implemented > in Rust, but it's not a "Crate" or anything like that. > > I wrote a spec file for it assuming it's a C library

Re: F39 proposal: Replace DNF with DNF5 (System-Wide Change proposal)

On Tue, Sep 06, 2022 at 02:28:41PM -0400, Ben Cotton wrote: > supermin Supermin requires only that: dnf download --destdir= [list of pkgs] [-c configfile] works *as non-root* (or some equivalent of that command as non-root) to download the RPMs. Does dnf5 support that? Note it's especially

Help packaging a "C" library written in Rust

https://gitlab.com/libblkio/libblkio This is a library that offers a C API. It happens to be implemented in Rust, but it's not a "Crate" or anything like that. I wrote a spec file for it assuming it's a C library and it works fine when building locally: https://bugzilla.redhat.com/show_bug.cgi

Re: Thunderbird 102 pushed to F36 stable

On 07-09-2022 10:04, Kevin Kofler via devel wrote: Marius Schwarz wrote: I know it was a security update for https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/ , so better safe and live with some minor bugs, than to be s

Re: Thunderbird 102 pushed to F36 stable

Kevin Kofler via devel wrote: > Marius Schwarz wrote: >> I know it was a security update for >> https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/ >> , >> so better safe and live with some minor bugs, than to be sorry. > >

Re: Thunderbird 102 pushed to F36 stable

Marius Schwarz wrote: > I know it was a security update for > https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/ > , > so better safe and live with some minor bugs, than to be sorry. Debian claims on https://security-track

Re: Thunderbird 102 pushed to F36 stable

Mattia Verga via devel wrote: > Moreover, thunderbird in on the critical path update list; Bodhi > requires 14 days of testing for those packages, but it is set to require > only +2 karma, so packagers easily bypass the testing phase, like it is > clearly happened here (pushed to stable just after

Re: Build failure on f37-x86_64, stdlib.h: No such file or directory

Mamoru TASAKA wrote on 2022/09/05 8:40: Bruno Postle wrote on 2022/09/04 17:44: Can someone give me hint as to what I'm doing wrong here, I have a C++ package that builds fine for f35 & f36 with x86_64 & aarch64, but which fails on f37-x86_64 (the build is ok on f37-aarch64): https://copr.fedor

Re: rpm with sequoia pgp

On 9/6/22 23:10, Simo Sorce wrote: On Tue, 2022-09-06 at 11:09 +0300, Panu Matilainen wrote: On 9/2/22 17:31, Neal H. Walfield wrote: Hi all, rpm 4.18 is on the horizon and includes a new OpenPGP backend based on Sequoia PGP. https://rpm.org/wiki/Releases/4.18.0 https://sequoia-pgp.or