Fedora-Cloud-33-20210611.0 compose check report

2021-06-11 Thread Fedora compose checker
No missing expected images. Soft failed openQA tests: 1/8 (x86_64), 1/8 (aarch64) (Tests completed, but using a workaround for a known bug) Old soft failures (same test soft failed in Fedora-Cloud-33-20210610.0): ID: 905983 Test: x86_64 Cloud_Base-qcow2-qcow2 cloud_autocloud URL: https://op

Preventing supply chain attacks via rekor

2021-06-11 Thread Huzaifa Sidhpurwala
Hi All, I am sure everyone has heard about the recent Solarwinds software supply chain attacks. This attack has made all software vendors think about securing their supply chain,  and it is even more applicable to linux distributions which are made of thousands of components built from source

caret in package version?

2021-06-11 Thread Maxim Burgerhout
Hi all, Just quickly checking before I file a bug. The package containing ag (called "the_silver_searcher") currently has a caret symbol (^) between the version and the snapshot info. The guidelines seem to say about having snapshot information in the release tag: Those items which are present a

Re: caret in package version?

2021-06-11 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Jun 11, 2021 at 09:44:01AM +0200, Maxim Burgerhout wrote: > Hi all, > > Just quickly checking before I file a bug. > > The package containing ag (called "the_silver_searcher") currently has a > caret symbol (^) between the version and the snapshot info. The guidelines > seem to say about

Can a package ship with JS code preminified?

2021-06-11 Thread Robert-André Mauchin
Hi, I remember the guidelines changed recently regarding js code in packages. Should the code be minified in the spec? Even if the minifier is not packaged in Fedora (webpack)? Best regards, Robert-André ___ devel mailing list -- devel@lists.fedora

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Vitaly Zaitsev via devel
On 11.06.2021 09:42, Huzaifa Sidhpurwala wrote: One possible step in this direction is the ability to ensure that there is no distribution point tampering of binaries shipped in Fedora. All RPM packages are already digitally signed by Fedora GPG keys. No further action is required. If someo

Fedora-Cloud-34-20210611.0 compose check report

2021-06-11 Thread Fedora compose checker
No missing expected images. Failed openQA tests: 8/8 (x86_64) Old failures (same test failed in Fedora-Cloud-34-20210610.0): ID: 906105 Test: x86_64 Cloud_Base-qcow2-qcow2 base_package_install_remove URL: https://openqa.fedoraproject.org/tests/906105 ID: 906106 Test: x86_64 Cloud_Base-

Re: Fedora-Cloud-34-20210611.0 compose check report

2021-06-11 Thread Christine Kocharyan
I would recommend you also to read about Wearable App Development https://addevice.io/blog/wearable-app-development/

Re: Seeking advice with rust packing guidelines

2021-06-11 Thread Fabio M. Di Nitto
On 11/06/2021 07.57, Robert-André Mauchin wrote: On 6/11/21 6:27 AM, Fabio M. Di Nitto wrote: Hey everyone, I have been reading the current guideline here: https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/ and for the most it's pretty clear when packaging a standalone crate /

Re: Seeking advice with rust packing guidelines

2021-06-11 Thread Richard W.M. Jones
On Fri, Jun 11, 2021 at 06:27:19AM +0200, Fabio M. Di Nitto wrote: > Hey everyone, > > I have been reading the current guideline here: > > https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/ > > and for the most it's pretty clear when packaging a standalone crate > / rust generated b

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Neal Gompa
On Fri, Jun 11, 2021 at 5:09 AM Vitaly Zaitsev via devel wrote: > > On 11.06.2021 09:42, Huzaifa Sidhpurwala wrote: > > One possible step in this direction is the ability to ensure that there > > is no distribution point tampering of binaries shipped in Fedora. > > All RPM packages are already dig

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Björn Persson
Huzaifa Sidhpurwala wrote: > I am sure everyone has heard about the recent Solarwinds software supply > chain attacks. This attack has made all software vendors think about > securing their supply chain,  and it is even more applicable to linux > distributions which are made of thousands of comp

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Neal Gompa
On Fri, Jun 11, 2021 at 7:49 AM Björn Persson wrote: > > Huzaifa Sidhpurwala wrote: > > I am sure everyone has heard about the recent Solarwinds software supply > > chain attacks. This attack has made all software vendors think about > > securing their supply chain, and it is even more applicable

Re: Seeking advice with rust packing guidelines

2021-06-11 Thread Fabio M. Di Nitto
On 11/06/2021 12.23, Richard W.M. Jones wrote: On Fri, Jun 11, 2021 at 06:27:19AM +0200, Fabio M. Di Nitto wrote: Hey everyone, I have been reading the current guideline here: https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/ and for the most it's pretty clear when packaging a

Gitlab namespace: request to gain ownership for the Fedora project

2021-06-11 Thread Leigh Griffin
Hey all, I'm tracking a ticket here to help progress some R&D work around the Gitlab usage which the CPE team is taking on. The current namespace is reserved and inactive. I'm just checking if someone here owns that namespace and can work with

Re: Seeking advice with rust packing guidelines

2021-06-11 Thread Fabio Valentini
On Fri, Jun 11, 2021 at 6:28 AM Fabio M. Di Nitto wrote: > > Hey everyone, > > I have been reading the current guideline here: > > https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/ > > and for the most it's pretty clear when packaging a standalone crate / > rust generated binaries (g

Improving Fedora sponsors discoverability

2021-06-11 Thread Jakub Kadlcik
Hello fellow Fedora people, Inspired by @msuchy's Flock 2016 presentation, I would like to tackle one of the topics discussed there - The discoverability of Fedora sponsors for newcomers. I have a website ready to be deployed. If you are interested in the technical details, please see this RFE h

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Kevin Fenzi
On Fri, Jun 11, 2021 at 06:27:18AM -0400, Neal Gompa wrote: > > We do not, however, have GPG signatures on repository metadata. Which True. > means that we can't guarantee the repositories aren't tampered with. False. > This is especially problematic for people who use local mirrors or do > ne

Approved package review requests still opened

2021-06-11 Thread Mattia Verga via devel
Hello folks, I'm trying to clean up a bit the list of new package submissions. looking at https://fedoraproject.org/PackageReviewStatus/in_progress.html there are over 300 old package review requests which are approved, but still opened. I'm slowly reviewing them one by one, moving things ahead,

Pull request "Merge" yellow?

2021-06-11 Thread Richard Shaw
First time I've seen this. I assume this is because the merge would not be 100% clean but I don't actually know what happens in the background so I wanted to ask here first. Do I try to merge? Or try rebase? Thanks, Richard

Re: Pull request "Merge" yellow?

2021-06-11 Thread Neal Gompa
On Fri, Jun 11, 2021 at 11:22 AM Richard Shaw wrote: > > First time I've seen this. I assume this is because the merge would not be > 100% clean but I don't actually know what happens in the background so I > wanted to ask here first. > > Do I try to merge? Or try rebase? > Try to rebase, then

Re: Approved package review requests still opened

2021-06-11 Thread Vít Ondruch
On 11. 06. 21 at 17:19, Mattia Verga via devel wrote: Hello folks, I'm trying to clean up a bit the list of new package submissions. looking at https://fedoraproject.org/PackageReviewStatus/in_progress.html there are over 300 old package review requests which are approved, but still opened.

Re: Approved package review requests still opened

2021-06-11 Thread Miro Hrončok
On 11. 06. 21 17:27, Vít Ondruch wrote: I just wonder that since Bodhi is now used even for Rawhide builds and it supports keywords such as `Resolves: rhbz#123456`, is this reflected somewhere in guidelines? That could help to address the two bullets above. I've tried to do that with the recen

Re: Approved package review requests still opened

2021-06-11 Thread Mattia Verga via devel
On 11/06/21 17:29, Miro Hrončok wrote: > On 11. 06. 21 17:27, Vít Ondruch wrote: >> I just wonder that since Bodhi is now used even for Rawhide builds and it >> supports keywords such as `Resolves: rhbz#123456`, is this reflected >> somewhere >> in guidelines? That could help to address the t

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Neal Gompa
On Fri, Jun 11, 2021 at 11:17 AM Kevin Fenzi wrote: > > On Fri, Jun 11, 2021 at 06:27:18AM -0400, Neal Gompa wrote: > > > > We do not, however, have GPG signatures on repository metadata. Which > > True. > > > means that we can't guarantee the repositories aren't tampered with. > > False. > > > Th

F35FailsToInstall: cmst

2021-06-11 Thread Martin Gansser
Hi, I received a message from bugzilla [1] that my package cmst cannot be installed on f35. How can I solve this ? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1964628

Fedora-IoT-35-20210611.0 compose check report

2021-06-11 Thread Fedora compose checker
No missing expected images. Failed openQA tests: 4/16 (x86_64), 7/15 (aarch64) Old failures (same test failed in Fedora-IoT-35-20210610.0): ID: 906315 Test: x86_64 IoT-dvd_ostree-iso iot_zezere_server URL: https://openqa.fedoraproject.org/tests/906315 ID: 906316 Test: x86_64 IoT-dvd_os

Re: F35FailsToInstall: cmst

2021-06-11 Thread Ian McInerney
On Fri, Jun 11, 2021 at 4:56 PM Martin Gansser wrote: > Hi, > > I received a message from bugzilla [1] that my package cmst cannot be > installed on f35. > How can I solve this ? > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1964628 > The bugzilla is saying that it can't find the package c

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Luke Hinds
On Fri, Jun 11, 2021 at 4:48 PM Neal Gompa wrote: > On Fri, Jun 11, 2021 at 11:17 AM Kevin Fenzi wrote: > > > > On Fri, Jun 11, 2021 at 06:27:18AM -0400, Neal Gompa wrote: > > > > > > We do not, however, have GPG signatures on repository metadata. Which > > > > True. > > > > > means that we can'

discord fedora .rpm and repo

2021-06-11 Thread Cătălin George Feștilă
Dear team Dear team. I would like to know if anyone took care of integrating the discord application in the Fedora distribution? Do we have a repo for this application? On the official website, I saw packet deb and tar. Thank you.

Re: discord fedora .rpm and repo

2021-06-11 Thread Martin Jackson
As far as I know, there's no RPM.  There is a flatpak on flathub that works really well.  I have used the .deb download Discord provides and I actually find the flatpak a better experience, especially when Discord updates. Thanks, Marty On 6/11/21 12:54 PM, Cătălin George Feștilă wrote: Dea

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Miloslav Trmac
Hello, On Fri, 11. 6. 2021 at 18:54, Luke Hinds wrote: > Why is this useful? You get a timestamped / tamper resistance record of > all signing events. This is very useful for understanding the exact blast > radius of a key compromise and monitoring for suspicious events. Most of > the time y

Re: discord fedora .rpm and repo

2021-06-11 Thread Christopher Engelhard
Hi, unless I'm very much mistaken, since Discord isn't open source software it cannot be packaged by Fedora. Christopher On 11.06.21 19:54, Cătălin George Feștilă wrote: > Dear team > Dear team. > I would like to know if anyone took care of integrating the discord > application in the Fedora di

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Luke Hinds
On Fri, Jun 11, 2021 at 7:01 PM Miloslav Trmac wrote: > Hello, > On Fri, 11. 6. 2021 at 18:54, Luke Hinds wrote: > >> Why is this useful? You get a timestamped / tamper resistance record of >> all signing events. This is very useful for understanding the exact blast >> radius of a key compr

Re: discord fedora .rpm and repo

2021-06-11 Thread Vitaly Zaitsev via devel
On 11.06.2021 19:54, Cătălin George Feștilă wrote: I would like to know if anyone took care of integrating the discord application in the Fedora distribution? Fedora cannot ship proprietary software. You can enable RPM Fusion non-free repository and install the discord package if needed. Or

Re: discord fedora .rpm and repo

2021-06-11 Thread Jan Drögehoff
Made the mistake of hitting the wrong button and sending this just to Cătălin George Feștilă so I'm reposting this. As it stands Discord cannot be put into the official fedora repositories due to it being proprietary software. But that hasn't stopped people from putting it in places you can i

Re: Does anyone know how to contact Ryan Rix (rrix)?

2021-06-11 Thread Ryan Rix
> I sent this thread via direct message to rrix's Twitter account. Hi all, Thanks to Ben for reaching out on twitter; It's fair to say i'm inactive in Fedora these days, to say the least. I thought i'd orphaned all my packages the last time this came up but I will go through the process again o

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Miloslav Trmac
Hello, On Fri, 11. 6. 2021 at 20:23, Luke Hinds wrote: > On Fri, Jun 11, 2021 at 7:01 PM Miloslav Trmac wrote: > >> On Fri, 11. 6. 2021 at 18:54, Luke Hinds wrote: >> >>> Why is this useful? You get a timestamped / tamper resistance record of >>> all signing events. This is very usefu

Re: Does anyone know how to contact Ryan Rix (rrix)?

2021-06-11 Thread Kevin Fenzi
On Fri, Jun 11, 2021 at 07:02:42PM -, Ryan Rix wrote: > > I sent this thread via direct message to rrix's Twitter account. > > Hi all, > > Thanks to Ben for reaching out on twitter; It's fair to say i'm inactive in > Fedora these days, to say the least. I thought i'd orphaned all my packages

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Luke Hinds
On Fri, Jun 11, 2021 at 8:09 PM Miloslav Trmac wrote: > Hello, > On Fri, 11. 6. 2021 at 20:23, Luke Hinds wrote: > >> On Fri, Jun 11, 2021 at 7:01 PM Miloslav Trmac wrote: >> >>> On Fri, 11. 6. 2021 at 18:54, Luke Hinds wrote: >>> Why is this useful? You get a timestamped / tamp

Re: Does anyone know how to contact Ryan Rix (rrix)?

2021-06-11 Thread Ryan Rix
Thanks Kevin, I've orphaned python-netifaces https://src.fedoraproject.org/rpms/python-netifaces ; i also have ACLs on fedora-bookmarks which I wasn't able to remove from myself. If someone wants to take cowsay-beefymiracle from me i'll be happy enough to hand to an active packager, its spec

Self Introduction: Odilon Junior

2021-06-11 Thread Odilon Junior
Hi everyone, My name is Odilon Junior, I want to properly introduce myself here on the devel-list. I've been using Fedora since F13, and got introduced to the distro during my freshman year in college. I always wanted to get involved in the distro community, but English was a barrier for me at th

RE: Preventing supply chain attacks via rekor

2021-06-11 Thread Stewart Smith via devel
Björn Persson writes: > I believe Yum has a feature to verify signed repository metadata. I > don't know why it's not used. If that verification would be turned on, > are there any attacks that would still be possible then, that Rekor > could prevent? There's still the classic downgrade attack: p

Re: Does anyone know how to contact Ryan Rix (rrix)?

2021-06-11 Thread François Cami
Hi Ryan, Thanks for your contributions during all these years. I've taken over python-netifaces. Feel free to handover cowsay-beefymiracle to me if you like. My FAS is fcami. Cheers François On Fri, Jun 11, 2021 at 11:25 PM Ryan Rix wrote: > > Thanks Kevin, > > I've orphaned python-netifaces

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Kevin Fenzi
On Fri, Jun 11, 2021 at 04:11:24PM -0700, Stewart Smith via devel wrote: > Björn Persson writes: > > I believe Yum has a feature to verify signed repository metadata. I > > don't know why it's not used. If that verification would be turned on, > > are there any attacks that would still be possible

Re: Preventing supply chain attacks via rekor

2021-06-11 Thread Kevin Fenzi
On Fri, Jun 11, 2021 at 11:46:42AM -0400, Neal Gompa wrote: > > I would like repos signed even if we don't enable it in the repo > definitions by default for now. That would make it possible for my Open > Build Service instance to validate Fedora content for package builds > (it can't use metalink

[Test-Announce] Proposal to CANCEL: 2021-06-14 Fedora QA Meeting

2021-06-11 Thread Adam Williamson
Hi folks! I'm proposing we cancel the QA meeting on Monday. I don't have anything urgent on the agenda, so let's take a break. If you're aware of anything important we have to discuss this week, please do reply to this mail and we can go ahead and run the meeting. Thanks! -- Adam Williamson Fedo